Apple recently unveiled its latest generation of smartphone, the iPhone X, but does it also come with a whole new generation of security?
Its new mobile operating system, iOS 11, and a biometric recognition system called Face ID, were promoted at the same time.
While security researchers outside Apple are yet to perform a thorough analysis of iOS 11 and Face ID, past issues with the hardware and software of the iPhone point to areas of potential concern.
iOS 11 and the passcode
In response to longstanding concerns about user privacy, Apple has taken steps to protect the iPhone.
Even Apple itself is unable to unlock an encrypted iPhone, as the phone is protected by the user’s passcode and Apple does not have it.
This issue came under the spotlight in early 2016, when Apple refused to assist the FBI in unlocking an iPhone 5C used by a criminal. It said the creation of a backdoor would pose too big a security risk to all of its customers.
However, according to a blog post in September 2014 by security analyst Jonathan Zdziarski, now apparently a member of Apple’s Security Engineering and Architecture team, the smartphone’s passcode could sometimes be bypassed from a trusted computer.
For example, if a user connected a passcode-locked iPhone to a computer, the passcode was only required at the first connection and not for future connections to the same computer, as long as the iPhone was not rebooted.
Our research has also demonstrated other iPhone vulnerabilities, brought about by ordinary user operations, that can lead to leakage of private data.
According to some security researchers, Apple has made a few significant changes to iOS 11 that create new hurdles for those (including law enforcement) trying to gain access to the data on a seized iPhone.
First, they say the need to input the phone’s passcode instead of only a fingerprint has been added to the process of moving a phone’s contents to a new computer. Second, a new feature called “S.O.S. mode” will disable Touch ID (perhaps Face ID for iPhone X) after tapping the phone’s home button five times, requiring a passcode to unlock the phone.
However, it will take a thorough analysis to determine whether the trusted-computer passcode bypass still exists in iOS 11.
Face ID security concerns
Apple also introduced a new biometric recognition system, Face ID, on the iPhone X. It uses a set of sensors, cameras and a dot projector to create a detailed 3D map of the face, and is used to unlock the phone.
The use of Face ID raises several concerns in terms of security as well as recognition accuracy under non-ideal conditions.
For example, Face ID makes it easier for law enforcement to unlock a user’s iPhone than Touch ID does, since police officers or border agents could access the phone by scanning the user’s face directly.
In contrast, to unlock an iPhone with Touch ID, they need to carefully decide which out of ten fingers can be used, because Apple stipulates that a user only gets five attempts before Touch ID rejects all fingerprints, requiring a passcode to unlock the screen.
The performance of Face ID under non-ideal conditions is still unknown – for example, in an environment that is too dark or too bright, or on a face with or without makeup. After all, the iPhone X’s Face ID failed to unlock the screen at Apple’s iPhone X launch. (According to Apple, this was a staff problem rather than a technology failing.)
Phil Schiller, Apple’s senior vice president of worldwide marketing, said Face ID achieves a better recognition accuracy than the iPhone’s Touch ID, with a one in one million chance someone else can foil it, compared to a one in 50,000 chance.
As the iPhone X rolls out, there are plenty of security expectations and concerns waiting to be verified by researchers.
Of course, the level of security you require depends on your personal needs, so iPhone users should keep an eye out for issues and decide whether passcode, Touch ID or Face ID works for them.
Wencheng Yang receives funding from The University of New South Wales, Edith Cowan University, and Defence Science and Technology Group from Department of Defence, Australia.
Guanglou Zheng receives funding from the Defence Science and Technology Group of the Department of Defence, Competitive Evaluation Research Agreement (CERA) Program.