One year to the day after iOS 11 appeared, Apple yesterday released its replacement, iOS 12.
There’s always a lot of fuss about new features, which tends to obscure the fact that iOS updates these days also come loaded with useful security upgrades and patches for software vulnerabilities.
Naked Security covered the expected iOS 12 security enhancements in August, but a quick reminder shouldn’t go amiss given that some need to be turned on by owners.
Settings you need to turn on
One of the first questions iOS 12 asks during initialisation is whether owners would like to turn on automatic iOS updating. Updating happens anyway with each major update, but without automatic updating it’s still possible to miss fixes for security issues that pop up between versions.
An interesting recent example of this is the 11.4.1 update Apple offered in July to turn on USB restricted mode in response to techniques believed to be used by GrayShift and Cellebrite to bypass the iOS lock screen – it’s turned on by default in iOS 12 but users who enabled automatic updating could have had it two months ago.
Our advice is to turn this on! You can do this manually by going to Settings > General > Software Update. USB Restricted Mode is enabled via Settings > Touch ID & Passcode (Face ID & Passcode on the iPhone X): make sure the USB Accessories toggle is off. This will require the device to be unlocked before connecting USB devices in future, which some might find inconvenient – see Apple’s explanation of the feature for background.
Another welcome addition: users of third-party password managers can now take advantage of the autofill feature without having to resort to tedious cut and paste or Share Sheets. LastPass, 1Password, Dashlane and Keeper have issued updates to reflect the new API that makes this possible.
This must be enabled manually via Settings > Passwords & Accounts and activating Autofill Passwords. Authentication using Face or Touch ID is still required.
On by default
iOS 12’s password manager now comes with an audit feature that warns users when the same password has been re-used across websites. This setting counters password stuffing, and it comes with the ability to generate a strong password to be stored in iCloud Keychain (rival password managers can do the same job).
As promised at a presentation in June to loud cheers, iOS 12’s Safari browser boosts its Intelligent Tracking Prevention (ITP) to limit the way big internet companies (code for Facebook?) collect data on browsing behaviour using cross-site tracking.
Security fixes
The most topical iOS 12 fix is the Safari and Microsoft Edge browser address bar spoofing flaw Naked Security covered last week (see also our video explaining the issue of URL spoofing), referenced as CVE-2018-4307 (CVE-2018-8383 on Edge).
The full CVE list is on Apple’s website, but other notables include:
CVE-2018-4363: A kernel-level flaw that might allow an application to read restricted memory.
CVE-2016-1777: Apple has removed support for the RC4 cryptographic stream cipher after a researcher discovered weaknesses.
CVE-2018-4313: Discovered by a large group of researchers, this one’s an application snapshot weakness in Messages through which “a local user may be able to discover a user’s deleted messages.”
CVE-2018-4338: A Wi-Fi weakness that could allow a malware app to read restricted memory.
ejhonda
Updated yesterday. So far, so good.
Paul Ducklin
Me too. Everything I care about works fine, including the Ordnance Survey Compass app. (It looks gorgeous, and shows your location as a UK grid reference so you can quickly find yourself on your regular map.)
Mahhn
Question: “warns users when the same password has been re-used” does this mean that Apple is looking at our passwords? Or is it (as it should be) making hashes of each password and comparing those?
Thanks
Paul Ducklin
A password manager *does* keep copies of your actual passwords – it has to, because it needs to produce the actual passwords when needed at login time. (It stores them in encrypted form, but it has to be able to unscramble and deploy your actual password text.) Therefore a password manager can test to ensure every password is different, and even to measure how different it is from the others, thus spotting that p4ssw0rd1 and p4ssw0rd2 are dangerously similar. You can test for a password collision with a new password by using stored hashes of existing passwords if you like, thus avoiding decrypting every password into memory every time you want to do a comparison, but if you do, there’s no chance to detect passwords that aren’t different enough. And you still need to be able to recover the actual passwords as well as their hashes, for when the passwords themselves are directly needed.
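The trade-off described in the reply above, shown as an added example (not part of the original comment and not Apple's implementation): a keyed-hash comparison finds exact reuse without touching plaintext, while spotting near-duplicates such as p4ssw0rd1 and p4ssw0rd2 needs the decrypted passwords. The vault contents, the key and the edit-distance threshold are constructed for illustration.

```python
import hashlib
import hmac
from itertools import combinations

# Constructed sample vault: site -> password as the manager sees it after decryption.
VAULT = {
    "shop.example": "p4ssw0rd1",
    "mail.example": "p4ssw0rd2",
    "bank.example": "correct-horse-battery",
    "forum.example": "p4ssw0rd1",
}
VAULT_KEY = b"constructed-demo-key"  # hypothetical per-vault secret for keyed hashing


def fingerprint(password: str) -> bytes:
    """Keyed hash: equal passwords give equal tags, so tags can be compared
    without decrypting every entry into memory."""
    return hmac.new(VAULT_KEY, password.encode(), hashlib.sha256).digest()


def exact_reuse(vault):
    """Group sites whose fingerprints collide, i.e. identical passwords."""
    groups = {}
    for site, pw in vault.items():
        groups.setdefault(fingerprint(pw), []).append(site)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_duplicates(vault, max_distance=2):
    """Needs plaintext: flag different passwords within max_distance edits."""
    hits = []
    for (s1, p1), (s2, p2) in combinations(sorted(vault.items()), 2):
        if p1 != p2 and edit_distance(p1, p2) <= max_distance:
            hits.append((s1, s2))
    return hits
```

The fingerprints of p4ssw0rd1 and p4ssw0rd2 are unrelated, so `exact_reuse` reports only the shop/forum pair; `near_duplicates` additionally flags the mail password against both.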
Jeff
As there’s often a lot of press on how each iOS update kills one’s battery, it’s good to remember that after installing iOS 12, the new iOS will be doing background tasks related to the upgrade (reindexing and other stuff), which takes power and can make your phone warm. This is typical after most of the bigger iOS updates. Apple says this can take up to a day with iOS 12. So good advice is to not jump to any conclusions, go overboard with messing with stuff, or downgrade for at least 24 hours after installing iOS 12. I’ve had no problems with my iOS 12 update, but it did take about 12 hours for my phone to finish the reindex.
Tim Boddington
1st install (iPad) failed but OK 2nd time. iPhone OK. Especially like password autofill.
Mahhn
I’ve seen one problem with the update, spell check is broken on FB (yeah but it’s still a bug) if you select the misspelled word, it flashes and vanishes, no chance to use the spell check.
John Smith
I just think it is funny how everyone is concerned with law enforcement getting into your devices. They have to obtain a warrant from a judge and probable cause to get it and yet the general public just gives all the information they are trying to protect to these big companies. Microsoft, Google, Facebook, Apple, Yahoo, Samsung let alone all these countless apps everyone is downloading it is written into your agreements they can just have the information plus access to your camera, contacts, messages and calls. I just think that it is funny how law enforcement doesn’t care about your phone or its information unless you commit a crime and yet the general public is protecting that.
Bryan
FYI, this (apparently) is the first IOS to adamantly require a PIN. Unlikely to impact Naked Security readership, this was news to me.
My boss updated yesterday and asked me to bypass the thumbprint and PIN. I’m an Android guy and researched before acquiescing. Once IOS12 downloaded and installed, it stonewalled progress until a PIN was chosen. Even through a reboot.
As he handed me the phone before I learned this was inevitable, I told him, “the day will likely come where you have no choice.” Well, that day is today.
:,)
Peter
Don’t update if you like being able to see the timer on the lock screen…