It used to be Apple rarely highlighted security and privacy in its developer-focused WWDC keynote presentation. But over the past few years Apple has consistently highlighted new options to keep users safe from attackers and snooping eyes alike. Still, with a mere two hours to cover a wealth of advances in multiple operating systems and the corresponding developer tools, the security details in Monday's keynote were sparse.
Still, if you're a bit of (OK, a lot of) familiarity with Apple's platforms, the future of Mac and iOS security becomes a little clearer. And it's clear that for the next generation of products, "extension" is the name of the (security) game.
iOS 8: Prying open Touch ID and the sandbox
The inclusion of the Touch ID fingerprint reader in the iPhone 5s enabled users to have strong passwords with the convenience of nearly no password at all. According to Apple, less than half of iPhone users enabled a passcode before Touch ID. On the iPhone 5s, fully 83% now use this crucial safety belt.
Touch ID uses an interesting architecture. Currently, when you first turn on your iPhone, or after rebooting it, you enter your password, which is then stored in the special Secure Enclave portion of the A7 processor. Your fingerprint then unlocks and releases this password to the rest of the operating system. It doesn't remove the need for a password, but makes using one nearly effortless.
In iOS 8, Apple is extending this model to cover third-party application credentials. Apps that store their credentials in the iOS keychain will be able to use Touch ID to authenticate the user. This will likely be widely misunderstood as allowing banks and retailers to use your password for authentication instead of a password. Instead, Touch ID allows an application to keep your password locked away in the keychain until you release it with a fingerprint registered with the device.
The difference is subtle. You still need a password, you just won't have to enter it all the time. I also suspect the API will allow app developers to set certain restrictions on when Touch ID will be acceptable, and when it might require the user to re-enter the password. This improves application security by improving usability--Touch ID-enabled apps effectively ask users to authenticate (with a fingerprint) every time, without requiring them to always enter a password.
This won't improve the security of apps that currently require passwords every time you use them (such as my bank apps), aside from potentially inspiring users to enable better passwords if they know they won't have to constantly type them in. It could be a real boon for other apps that currently cache your password since they won't be afraid to authenticate users every time, since a fingerprint is so convenient.
Sign up for Computerworld eNewsletters.