Why Apple's new security features set high bar for tech industry

Apple doubles down on security in iOS 9. The upgrades come as the company has publicly challenged federal law enforcement efforts to weaken encryption on consumer devices.

Apple senior vice president for software engineering Craig Federighi spoke at the Worldwide Developers Conference in San Francisco on June 8.

Robert Galbraith/Reuters

June 10, 2015

It might just be two numbers, but it's a big leap forward when it comes to security.

Among the new features that Apple revealed Monday at its Worldwide Developers Conference was the addition of two digits to its four-digit passcode for iPhones and iPads.

“Four digit pins were not particularly secure,” says Matthew Green, a cryptography expert at Johns Hopkins University. “Going from four to six digit pins is a big deal.”

What might seem like a simple update to the new mobile operating system, iOS 9, comes along with a string of other features that together set Apple apart from most competitors when it comes to privacy and security safeguards. iOS 9 will be released in September.

“We don’t mine your e-mail, your photos, or your contacts in the cloud to learn things about you,” said Craig Federighi, Apple’s senior vice president of software engineering, at the Worldwide Developers Conference. “We honestly just don’t want to know.”

Apple’s security update also comes amid the growing debate about encryption between Washington and Silicon Valley. Last week, the FBI urged technology companies to “prevent encryption above all else,” underscoring the government’s desire for back doors to be built into encryption, or no encryption at all. Also last week, however, Apple CEO Tim Cook reinforced Apple’s commitment to strong encryption in a speech at an event held by the Electronic Privacy Information Center, an advocacy group.

“Now, we have a deep respect for law enforcement, and we work together with them in many areas, but on this issue we disagree,” he said. “So let me be crystal clear — weakening encryption, or taking it away, harms good people that are using it for the right reasons. And ultimately, I believe it has a chilling effect on our first amendment rights and undermines our country’s founding principles.”

To be sure, the upgrades to security – and Apple’s more overt stance on the encryption debate – are also being done with business in mind, says Rich Mogull, a security analyst at Securosis. He says the new security updates serve two purposes: genuinely increasing users’ security and protecting Apple’s business prospects abroad. “From a business standpoint,” he said, “if Apple has a backdoor for the FBI, can Apple still sell iPhones in China?”


Strengthening security in iOS 9 begins with the longer PIN code. A four-digit code gives an attacker only 10,000 possibilities to work through to crack the screen lock, which amounts to only 111 hours with brute-force hardware such as MDSec’s IP Box. A six-digit code has one million possibilities, raising that time to just over 462 days with the same hardware.
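The arithmetic behind those figures, as an added example that is not part of the article: the attempt rate is back-calculated from the quoted 111 hours for 10,000 codes (about 40 seconds per guess), and the functions then generalize to other passcode lengths and alphabets and to the length a defender needs for a chosen target. The serial-guessing model and the alphabet sizes are assumptions.

```python
# Added example: brute-force time model for numeric and alphanumeric passcodes.
# Calibrated from the article's figure (111 hours for all 10,000 four-digit codes).
# Assumption: guesses are made one after another at a constant per-attempt delay.

HOURS_FOR_FOUR_DIGITS = 111.0        # figure quoted in the article (IP Box)
FOUR_DIGIT_KEYSPACE = 10 ** 4

# Derived rate: ~39.96 seconds per guess.
SECONDS_PER_ATTEMPT = HOURS_FOR_FOUR_DIGITS * 3600 / FOUR_DIGIT_KEYSPACE


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct passcodes of the given length (10 = digits only)."""
    return alphabet_size ** length


def bruteforce_days(length: int, alphabet_size: int = 10,
                    seconds_per_attempt: float = SECONDS_PER_ATTEMPT,
                    worst_case: bool = True) -> float:
    """Days to exhaust the keyspace (worst case) or, if worst_case is False,
    the expected time to succeed (half the keyspace on average)."""
    attempts = keyspace(length, alphabet_size)
    if not worst_case:
        attempts /= 2
    return attempts * seconds_per_attempt / 86400


def min_length_for(days_target: float, alphabet_size: int = 10,
                   seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> int:
    """Smallest passcode length whose worst-case crack time exceeds days_target."""
    length = 1
    while bruteforce_days(length, alphabet_size, seconds_per_attempt) <= days_target:
        length += 1
    return length


if __name__ == "__main__":
    for digits in (4, 6, 8):
        print(f"{digits} digits: {bruteforce_days(digits):10.1f} days worst case, "
              f"{bruteforce_days(digits, worst_case=False):10.1f} days on average")
    # 62 = digits plus upper- and lower-case letters (assumed alphabet)
    print("6 alphanumeric chars:", round(bruteforce_days(6, 62)), "days")
    print("digits needed to exceed one year:", min_length_for(365))
```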

Despite some user concerns that six digits will be difficult to remember, most consumers should quickly become accustomed to the extra digits, says Lorrie Cranor, director of the CyLab Usable Privacy and Security Lab at Carnegie Mellon University. Beyond the new length of the passcode, however, she says the effectiveness of the code will ultimately depend on whether or not the user recycles a familiar password.

“I expect that many people will add two digits to the four digit code they’ve already remembered,” says Ms. Cranor. “That’s not great, but it will make it useable for them.”

Apple also hopes to make two-factor verification usable for certain services, which will help prevent unauthorized users from accessing an account with a stolen password.

“In this case I think that Google is a little bit ahead already,” says Mr. Green, the cryptographer. “Google has a pretty good two-factor authentication system and application-specific passwords.”

Apple’s two-factor authentication requires a user to enter a password sent to one of their devices if they want to manage their Apple ID account or use other Apple services and products. This will help prevent hacks such as last year's iCloud breach that exposed personal pictures of celebrities.

“We’ve pretty much given up on using passwords as a sole method for authenticating people,” Green says. “Having a second factor right now seems to be the only thing that’s really reliably keeping systems secure.”

What remains to be seen with this feature is how Apple handles problems such as lost or stolen devices, and how usable it turns out to be.

“If they implement it in a way that all iPhone and iPad and Macbook users say, ‘Wow this is easy, I’m going to use it,’ it’s a big deal because it’ll get people in the habit of using two-factor [verification] and will make them more willing to use it for their other accounts,” Cranor said.

One of the most significant changes to iOS 9 is its new “App Transport Security,” which encourages developers to build apps using HTTPS, a security protocol that encrypts Internet traffic. HTTPS is typically used on sites when making financial transactions or providing other sensitive information. Apple has not yet made it a requirement, but encourages developers to move to HTTPS “as soon as possible.”

Without a protocol such as App Transport Security, otherwise called “HTTP Strict Transport Security,” to ensure that users reach the secure version of a page, users remain susceptible to attacks that can steal personal information.
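On iOS, App Transport Security is configured per app through keys in its Info.plist, so one practical check is to scan that file for settings that switch the protection off. The checker below is an added example, not Apple’s code; the key names are the real ATS keys, while the two plists and the bundle identifier are constructed for illustration, and treating anything below TLS 1.2 as weak is an assumption.

```python
# Added example: flag Info.plist settings that weaken App Transport Security.
# Key names are the real ATS keys; the sample plists are constructed inline.
import plistlib

MIN_TLS = "TLSv1.2"   # assumption: anything below 1.2 is reported as weak


def ats_findings(plist_bytes: bytes) -> list:
    """Return human-readable findings for ATS-weakening keys; [] if none."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    if ats is None:
        return []  # no override present: Apple's default ATS policy applies
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: ATS disabled app-wide")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if (rules.get("NSExceptionAllowsInsecureHTTPLoads")
                or rules.get("NSThirdPartyExceptionAllowsInsecureHTTPLoads")):
            findings.append(f"{scope}: plain HTTP allowed")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy not required")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        # Values have the fixed form TLSv1.x, so string comparison orders them.
        if tls and tls < MIN_TLS:
            findings.append(f"{scope}: minimum TLS lowered to {tls}")
    return findings


# Constructed: an app that opts out of ATS app-wide and carves out a legacy domain.
WEAK_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.weakapp",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSIncludesSubdomains": True,
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionRequiresForwardSecrecy": False,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            }
        },
    },
})

# Constructed: the same app with no ATS override, i.e. HTTPS enforced by default.
HARDENED_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.weakapp"})

if __name__ == "__main__":
    print("weak:", ats_findings(WEAK_PLIST))
    print("hardened:", ats_findings(HARDENED_PLIST))
```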