There is always fanfare and criticism with the September Apple Event where new devices are announced. Typically, a new release of their flagship operating system, iOS, comes shortly after the event. The wait is over, iOS 13 is here. The features of the new update have been addressed, now let's look at what some of these new features mean for your privacy and security.
Answer to Robocalls
A new feature in iOS will enable you to send unknown callers straight to voicemail. This is an excellent new feature that will help cut down on vishing and scammers. As I stated in a previous article, if it is an important call, they will certainly leave a voicemail, send a text message, send an email or call back. This can be coupled with solutions like RoboKiller, Hiya or similar services offered by the cellular providers. Note: This feature is disabled by default and will require the user to enable it under Settings > Phone.
Temporary Location Services
Don't you just hate those apps that beg for location data and will not let you use them without it? There is an answer for that in iOS 13 as well. You can now grant permission temporarily. This will allow another option beyond the "Always Share," "Share when using the App" and "Do not share" options. This is a sound solution for those seeking the balance between privacy and usability. In fact, even if you grant an app permanent permission to your location data, the "Always Share" feature will tell you after a certain amount of time if the app has requested your location and provide an option to continue to allow or revoke the permission.
Sign in with Apple
Sign in with Apple is an answer to other platforms' ability to help you authenticate or sign in to websites. Facebook, Twitter and Google notably do this. Why is this different with Apple? Apple has less interest in your browsing habits and online behavior. They are not selling advertisements like Google and Facebook, so they have less incentive to collect that information about users. Per the Apple support site, this leverages their Hide My Email private relay service to create a unique, randomly generated email address for use in the login transaction. Per the Sign in with Apple support site, it is worth noting that two things are required to use this:
- An Apple ID with two-factor authentication
- To be signed into iCloud with that Apple ID on the Apple device
This can be used on non-Apple products if the developers enable the feature on their platforms. Users will have to have access to their Apple device to use this feature.
Application Permissions for Bluetooth
A sneaky way that some applications have been gathering location information is via Bluetooth. If Bluetooth is enabled, sensors around the facility or store can briefly connect with a phone and determine who is where. With iOS 13, developers of applications must be explicit in what the application requires and why. The same will go for Wi-Fi. This is a great step in consumer privacy. Unfortunately, this will remove the capability of using it to identify perpetrators of crimes, like the teenagers who vandalized a school in Maryland.
Location Data in Photos
When I am doing an open-source intelligence (OSINT) investigation, one of my favorite things to look at is photos. I look for four things: what the picture is meant to tell me, what is noticeably missing, what the background is telling me and metadata. The metadata is from a standard called EXIF (Exchangeable Image File Format). This data is powerful. This data can be turned off for a single photo via the options link on the screen or for all photos under Privacy > Location Services > Camera.
If not removed, it can include the version of the phone, which camera (front or back), whether the phone was held vertically or horizontally, time taken and geographic location (by latitude and longitude). For the magnitude of how important this feature is, below are screenshots of analysis of a picture taken on an iPhone and emailed.
Seeing that this is native to iOS 12 and earlier (as well as other mobile operating systems), this is a measure that can protect people when sending pictures via email and text message. Most social media platforms remove most of the data shown above by default.
Conclusion
In conclusion, the ability to collect the data previous able to have been collected is not the main problem. The lack of transparency and inability to opt-out are. While these settings may cause issues and applications to not work, it is a measured risk that people need to be informed of with all data to make an informed decision.
