Apple gets serious about data security with iOS 9

With iOS 9, Apple sends a clear signal to snoops: Get your paws off user data and devices

Apple may not be the first name that comes up when you think about security, but iOS 9 shows the company has mobile security squarely in mind.

The latest Apple security push began in 2013 with Touch ID, the fingerprint recognition sensor built into the iPhone 5S. Then Apple encrypted phones by default and expanded its encryption strategy in iOS 8. With iOS 9, Apple tackles two common issues with iDevices: data stolen from lost or stolen devices, and the security of Apple ID and iCloud accounts.

Apple set up a new two-factor authentication system and updated its passcode requirements for iOS 9. These changes make it harder for someone else to access or steal user data stored on iPhones and iPads.

Stronger passcodes for better security

It seems like a minor change, but Apple's move from the more common four-digit passcode to a six-digit requirement significantly boosts security for iOS 9 devices.

This means attackers now have to try 1 million possible combinations versus the previous set of 10,000 in order to break into the user's iPhone and iPad. A four-digit passcode is very easy to crack, especially since users tend to use repeating numbers (1111, 2222, and so on), sequences (1234), or other common combinations (2580). Researchers recently came up with an automated cracking system that could break the four-digit codes in anywhere from 6 seconds to 17 hours.

Adding two digits to the passcode makes it much harder to crack, requiring up to several months of effort. In fact, a strong six-character alphanumeric passcode can take 196 years to crack, according to the iOS Hacker's Handbook.

But all that is merely theoretical, because after 10 failed attempts, an iOS 9 device will erase itself. 

As Caleb Barlow, vice president of mobile management and security at IBM Security, wrote on the Security Intelligence blog, Apple's new passcode requirement is "a move that's two small steps for users but one giant leap forward for mobile security as a whole."
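The weak choices named above (repeating digits, sequences, keypad patterns such as 2580) can be screened for when a passcode is set. The following is an added example, not code from the article or from Apple; the rule set, the function names and the constant guess rate are assumptions made for illustration.

```python
# Added example (not from the article): screen numeric passcodes for weak patterns.
# Keypad (row, column) positions; 2580 is the middle column read top to bottom.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}


def keyspace(length, alphabet_size=10):
    """Number of possible passcodes of the given length."""
    return alphabet_size ** length


def worst_case_days(length, seconds_per_guess):
    """Days to try every numeric passcode at a constant, assumed guess rate."""
    return keyspace(length) * seconds_per_guess / 86400


def weakness(passcode, min_length=6):
    """Return why a numeric passcode is weak, or None if no rule fires."""
    if not (passcode.isascii() and passcode.isdigit()):
        return "not numeric"
    if len(passcode) < min_length:
        return "too short"
    if len(set(passcode)) == 1:
        return "repeated digit"            # 1111, 2222
    steps = {(int(b) - int(a)) % 10 for a, b in zip(passcode, passcode[1:])}
    if steps in ({1}, {9}):
        return "sequence"                  # 1234, 654321
    if passcode in (passcode * 2)[1:-1]:
        return "repeated block"            # 121212, 123123
    rows = {KEYPAD[d][0] for d in passcode}
    cols = {KEYPAD[d][1] for d in passcode}
    if len(rows) == 1 or len(cols) == 1:
        return "keypad line"               # 2580, 147741
    return None


if __name__ == "__main__":
    # Constructed sample passcodes, checked against the six-digit minimum.
    for code in ["1111", "123456", "121212", "258025", "839201"]:
        print(code, "->", weakness(code) or "no weak pattern found")
    # 17 hours for 10,000 codes (the article's upper bound) is 6.12 s per guess.
    rate = 17 * 3600 / keyspace(4)
    print("six digits, same rate: %.1f days" % worst_case_days(6, rate))
```

A `None` result only means none of these heuristics matched; it does not make the passcode strong.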

Protecting iCloud accounts

The new two-factor authentication system for iCloud is designed to prevent cyber thieves from using stolen Apple IDs and passwords to access user data.

With iOS 9, when users try to sign on to a new device with the Apple ID and password, they're prompted to enter a six-digit verification code before being allowed to proceed. The verification code is sent to other Apple devices registered to that Apple ID, or to a designated phone number as either a text message or a voice call.

Over the past year, we've seen many incidents of breached iCloud accounts and sensitive photos exposed. Not only does the new two-factor authentication system make it harder to break into iCloud accounts, it acts as an alert: If a user suddenly receives a verification code without requesting one, he or she knows someone else is trying to use the Apple ID fraudulently.

Despite Apple touting the system as two-factor authentication for iCloud, this is really a two-step verification method for Apple ID. There is no second factor -- such as a physical token or biometric identifier -- to authenticate users. Not integrating Touch ID into this system seems like a missed opportunity, but the verification code is still a good layer of protection for user accounts.

The new iOS 9 security features make a compelling case for how seriously Apple is taking data security for its mobile devices. Apple wants to stop both thieves and law enforcement from getting their hands on data stored by Apple users.

Copyright © 2015 IDG Communications, Inc.
