Archive for December 15, 2023

Friday, December 15, 2023

Stolen Device Protection in iOS 17.3

Joe Rossignol:

The first iOS 17.3 beta rolling out to developers today includes a new “Stolen Device Protection” feature that is designed to add an additional layer of security in the event someone has stolen your iPhone and also obtained the device’s passcode.

Joanna Stern and Nicole Nguyen:

With Stolen Device Protection: If you want to change an Apple ID password when away from a familiar location, the device will require your Face ID or Touch ID. It will then implement an hour-long delay before you can perform the action. After that hour has passed, you will have to reconfirm with another Face ID or Touch ID scan. Only then can the password be changed.


As with changing the Apple ID password, enabling or changing the recovery key or trusted phone number will require two biometric scans an hour apart. (Needless to say, thieves couldn’t use the passcode to immediately turn off Stolen Device Protection itself—that, too, will require the same biometric scans and security delay.)


The device requires your Face ID or Touch ID to access those passwords [in the keychain]. The passcode will no longer serve as a backup for failed biometrics.


A thief with your iPhone and its passcode can still unlock your phone, even when Stolen Device Protection is on. Any app that isn’t protected by an additional password or PIN is vulnerable. So are accounts that can be reset by text or email.

Adam Engst:

Requiring just one biometric authentication blocks the snatch-and-grab approach because the passcode won’t be sufficient on its own to do anything. Requiring the second scan an hour later ensures that even a forced scan during a mugging or drugging won’t be sufficient unless you’ve been held hostage for that time.

One concern is that viewing Settings > Privacy & Security > Location Services > System Services > Significant Locations must also require biometric authentication, or else the thief could go to one of those locations to complete the takeover. In iOS 17.2, viewing that screen requires Face ID or Touch ID, but failures can be overridden with the passcode.


Apple won’t turn Stolen Device Mode on for you, but iOS 17.3 will alert users to the feature when they update. That seems reasonable for the first release, and I plan to turn it on.

Michael Potuck:

  1. Make sure you’re running the iOS 17.3 beta on your iPhone.
  2. Open the Settings app.
  3. Swipe down and tap Face ID & Passcode (or Touch ID & Passcode).
  4. Now choose Stolen Device Protection.

John Gruber:

After Stern and Nguyen broke this story, a lot of people reasonably wondered why Apple allows you to reset your iCloud account password using only your device passcode. The reason is customer support: every single day, hundreds — maybe thousands? — of people are locked out of their iCloud account because they can’t remember the password. Android phones work the same way: you can reset your Google account password knowing only your device passcode. However many people are falling victim to thieves taking advantage of this, there are orders of magnitude more innocent users who do know their phone passcode, but have forgotten their iCloud/Google account password.

Stolen Device Protection addresses the problem well, with balance between security and convenience. No existing workaround is a true defense against a thief who knows your device passcode. (Locking your iPhone with Screen Time protections was suggested by many as a mitigation, but you can completely override Screen Time protections with the device passcode — it just adds a few extra steps.)


My only doubts about the feature are the “home” and “work” safe locations, where the hour-long delay is overridden. (You still need to authenticate with Face ID or Touch ID, though.) How are these locations determined?


Update (2023-12-21): John Gruber:

One aspect that struck me from Johnson’s description of his modus operandi is that it relied little on observing people surreptitiously to glean their device passcodes. Instead it was mostly pure social engineering. He’d make fast friends with a target in a bar and just talk his way into the target telling him their passcode, so he could show them his Snapchat account or whatever. He’d talk people into giving him what he needed. Never underestimate how much digital crime revolves around person-to-person social engineering.

I’m glad Apple is adding the new Stolen Device Protection feature in iOS 17.3 (currently in beta), but my main takeaway from this entire saga is that everyone, including Apple, needs to spread awareness that device passcodes need to be treated as holiest-of-holy secrets.

Update (2023-12-28): See also: Bruce Schneier.

Threads in EU and on ActivityPub

Jon Porter (via John Gruber):

Meta’s Twitter competitor, Threads, is now available in the European Union, CEO Mark Zuckerberg has announced. “Today we’re opening Threads to more countries in Europe,” Zuckerberg wrote in a post on Threads. The launch follows the service’s debut in the US and over 100 other countries across the world, including the UK, in July 2023. But until now, Threads hasn’t been available to the 448 million people living in the EU, and the company has even blocked EU-based users from accessing the service via VPN.

To coincide with today’s launch, Meta is giving users in the region the ability to browse Threads without needing a profile. Actually posting or interacting with content will still require an Instagram account, however.

Adam Mosseri:

Second, threads posted by me and a few members of the Threads team will be available on other fediverse platforms like Mastodon starting this week. This test is a small but meaningful step towards making Threads interoperable with other apps using ActivityPub[…]

Via John Gruber:

When Threads launched this summer, with the stated intention of federating via ActivityPub, there were a lot of naysayers who thought it would never happen. But here we are.

John Gruber:

It brings me no joy to report this, but unless I scrolled past one, there are no Mastodon clients in the top 200 free apps, even looking specifically within the “social networking” category, on either the App Store or Play Store. (Twitter/X categorizes itself as “News”, not “Social”, as a sad crutch to place higher in a category with less competition.) Even Bluesky makes these lists (#80 on the App Store; #49 on Play Store).


Regular people do not want to use social networks without algorithmic feeds, and do not want to use social networks whose basic premise they do not understand.


Update (2023-12-22): Erin Kissane (via Jesper):

For people with those concerns, Threads federation is a pretty big step toward being able to maintain an account on Mastodon (or another fediverse service) and still find the people they want to interact with—assuming some of those people are on Threads and not only on Bluesky, Twitter/X, Instagram, and all the other non-ActivityPub-powered systems.

On the flipside, Threads federation gives people on Threads the chance to reconnect with people who left commercial social media for the fediverse—and, if they get disgusted with Meta, to migrate much more easily to a noncommercial, non-surveillance-based network.


The Threads federation conversations that I’ve seen so far mostly focus on:

  • Meta’s likelihood of destroying the fediverse via“embrace-extend-extinguish”
  • Meta’s ability to get hold of pre-Threads fediverse (I’ll call it Small Fedi for convenience) users’ data,
  • Threads’ likelihood of fumbling content moderation, and
  • the correct weighting of Meta being terrible vs. connecting with people who use Threads.

Update (2024-02-01): Tom Coates:

Now, I mentioned above that the people we met at Meta seemed like decent, well-intentioned people attempting to do the right thing. However, this may not be enough to be a ‘good citizen’. And to understand why I think it’s worth talking briefly about the scale of the various parties.


Meta can currently claim around 160 million total users and about 100 million MAUs for Threads alone. So, again, maybe we shouldn’t be thinking about Threads ‘integrating’ with the fediverse and instead think about Threads attempting to engage with the Fediverse without entirely crushing it in the process.

Via Nick Heer:

I found myself nodding along with Coates’ description of the challenges of trying to fit the Meta model into the fediverse, and vice versa. It is not impossible, it is going to require a lot of work, and it sounds like Meta wants to make a good faith effort. I do not much like Threads as an application, but I know many people are now active there and I would like to see their posts on my own terms.

Update (2024-04-03): Dare Obasanjo:

I remember all of the skepticism about how Threads was not really going to integrate with fediverse. And now it’s here and actually quite mundane.

Apple and Corellium Settlement

Thomas Brewster (MacRumors):

After four years of court hearings and plenty of controversy, Apple and cyber startup Corellium are settling a copyright lawsuit. Terms have not been disclosed.

The suit was filed in 2019, with Apple claiming that Corellium had illegally replicated iOS by creating software that created virtual versions of iPhones so they could be probed by security researchers and app developers. Apple alleged Corellium had breached the Digital Millennium Copyright Act (DMCA) too by breaking the law’s “anti-circumvention” provision that makes it “unlawful to circumvent technological measures used to prevent unauthorized access to copyrighted works.”


The case had a number of surprises, with Corellium’s lawyers revealing that Apple had attempted to buy the startup for $23 million in 2018. In an unusual move, the tech giant also subpoenaed defense giant L3Harris so it could demonstrate how it was using Corellium’s technology.

I had thought this was already over.


Apple Expands Self Service Repair


Apple is expanding Self Service Repair, and launching a new diagnostic tool that gives users more transparency and autonomy to troubleshoot issues. Self Service Repair is now available for the iPhone 15 lineup and Mac models powered by the M2 lineup, including the 14- and 16-inch MacBook Pro, the 15-inch MacBook Air, Mac mini, Mac Pro, and Mac Studio. Self Service Repair is also now available for Apple users in 24 additional European countries[…]

Adam Engst:

However, I’m intrigued by what the Apple Diagnostics for Self Service Repair brings to the table for helping users identify hardware problems, even if they still plan to have Apple perform the repair. Although it’s available only in the United States for now, Apple says this remote tool “will give customers the same ability as Apple Authorized Service Providers and Independent Repair Providers to test devices for optimal part functionality and performance, as well as identify which parts may need repair.”


To get started, you put the device to be tested into diagnostic mode (which loads over the Internet) and enter that device’s serial number (clearly displayed in diagnostic mode) into a secondary device.


Google’s Confusing New Location Data Settings

Ron Amadeo:

Google’s misleading Location History descriptions in Google Maps have earned it several lawsuits in the US and worldwide. A quick count involves individual lawsuits in California, Arizona, Washington, a joint lawsuit in Texas, Indiana, and the District of Columbia, and another joint lawsuit across 40 additional US states. Internationally, Google has also been sued in Australia over its location settings.


Google’s big new location data change is a new, duplicate data store that will live exclusively on your device. Google’s new blog post says data for the long-running Google Maps Timeline feature will now “be saved right on your device—giving you even more control over your data.”


Cloud-based Location History will still exist and still be collected. Instead of the additional security of encrypted on-device storage, this is less secure since your data will now be in two places, or maybe multiple places, if you have multiple devices.


Update (2023-12-21): Ron Amadeo:

Google seems to be saying that Location History and Google Maps Timeline are always the same dataset and are never different. One is in the cloud, and one is going to be stored on your phone. It says that Google Maps timeline is “a visualization of your Location History data,” and that deletes in the Maps Timeline will delete data in Location History. The key thing this post got wrong is assuming that two location features—“Maps Timeline” and “Location History”—with different names and different controls in different locations, are different. Google says they are not.


The other issue I didn’t catch is that “Maps Activity” can be a pinpoint location, but it’s not necessarily a visit to that location. Instead, it could be something like a search for that location, so it’s not technically “location” data since it’s not positional.

John Gruber:

The reason these overly broad geofence warrants “almost always” were specific to Google is that Apple never collected location data that could be collected in the aggregate like this.

See also: Hacker News.

Update (2024-01-03): See also: Bruce Schneier.