Again on mobile phones protection

After my previous post on the matter I’ve found out that, first of all, iOS does support complex passwords, and second I had an experience that strengthened my feeling that Apple’s move toward TouchID is a good move.

So around 24 hours later, I guess the shock itself is wearing off, even though the scene is still extremely fuzzy in my mind.

Last night, after saying bye to Andrea and Fabio I was trying to get a cab on the South Side, and after two drivers calling to say that they couldn’t pick me up (so why on earth did you accept the ride on HAILO?) I decided to cross the river — on the next pedestrian bridge next to O’Connell (Ha’Penny).

Just before finishing crossing, some scumbag yanks my phone out of my hands (while I was calling another cab). I should have just left them the phone and called Security to have it locked & tracked down, but I got into fight-or-flight mode and, as it turns out, in particular in fight mode.

I run after the guy, who was trying to cross Ormond Quay, but thanks to him trying to avoid getting driven over I catch and grab him by the chest. He drops my phone, not sure if hoping I’d let go or because he struggled; his partner then punches me in the face and screams for me to let him go, my glasses and my hat fall on the sidewalk, and the two guys run away.

I pick up the glasses, put my hat back on and check on the phone: it’s ringing, it’s the cab driver. One passer-by actually stops to ask me if I’m okay and if I got my phone. I’m afraid I ended up being rude to him, but I was quite shocked. The cab driver has been the most understanding: I walked away from him instead of toward, but he caught up with me, and got me safely back home. I probably should have reported this but at the time I couldn’t think, and now it would be useless.

Speaking with Security tonight I realized how stupid it has been of me to run after the guy, I should have just turned back, asked Andrea to call them to pick me up and track the phone. They could have had a knife, a rock or even just any other blunt object.

I got lucky, again… it’s not the first time, I sure hope it’s not going to be the last time (although I’d like not to need to be lucky). But sure I don’t want to stray to the North Side too often.

There is no need to tell me I was totally stupid and irresponsible, I know that. On the other hand, I can say now that I’m happy Apple decided to address the phone theft problem in a non-obvious way.

No, TouchID is not better than a PIN. No, it does not resist even shallow targeted attacks. No, it does not protect you against police forces — why should it?

But it’s more convenient than a PIN, and people who wouldn’t even use a PIN (let alone a stronger password) because of the inconvenience are more likely to consider using TouchID. And while again this will not protect you against self-indictment (again, why should it? — yes if it wasn’t clear enough, I’m usually trusting the police more than your average paranoid), the standard city thief wouldn’t have much use for a locked phone, other than as parts.

As long as the news goes around that phones can’t be unlocked and their value on the black market goes down, the number of thefts will go down.

So instead of blaming Apple for not addressing your concerns as a paranoid geek (concerns that, at this point, were addressed a long time ago, and the solution for which was not invalidated), think about what they are really trying to solve.

Apple’s TouchID — A story of security, or convenience?

Everybody today seems to be either panicking or screaming murder at Apple because of the “revelation” by the CCC that TouchID – the new fingerprint-scanning technology in the iPhone 5S – is extremely easy to bypass. I find this both non-news and actually quite boring.

So first of all, what is this about? Well, basically it’s possible to lift someone’s fingerprint out of a glass or something, and then use that to reproduce a copy of the fingerprint, and use that to unlock the phone. I would argue that it’s probably possible to lift the fingerprint out of the phone itself, if you really want.

Why am I not excited by this method like it was a new discovery? Simple, because MythBusters used the same idea back in 2006 to work around a fingerprint-based lock. And even at that time it turned out that the fingerprint scanner from the lock, which was actual physical security, was less picky than the one from a USB device. Not surprising, as it looks like the lock only had an optical scanner.

Please don’t get me wrong, CCC did the right thing, it’s just that I don’t think it’s a new technique as some people try to paint it.

So, if TouchID is this easy to bypass, is it a completely useless move from Apple? Or, as some paranoids seem to tell it, is it a willing move from Apple to make their users less secure so that governmental agencies can more easily get data out of phones? Well, one thing is for sure: it’s not a more secure method than the PIN lock that has been available up to now.

On the other hand I’m not that quick to ascribe all of this to malice, as many do. Nor to incompetence. The problem is that the choices are not between PIN and TouchID — the choices are between PIN, TouchID and absolutely nothing, and a lot of people have decided for the latter, because of the trouble of putting in a 4-digit PIN every time you want to use the phone. Yes I know, and most of you readers know, that leaving a phone unlocked is an absolutely stupid idea, but most people use an iPhone because they want something that does not get in their way, as Android can easily do.

*I don’t use an iPhone, although I do have an iPad, which I use less and less, and an iPod Touch by which I swear. I need the flexibility of Android.*

Security-conscious people are unlikely to move away from the PIN – so their security is not going to be compromised, although I would have liked more than 4 digits – but people who were not using a PIN before, because it was too inconvenient, are more likely to use TouchID now. Which improves their general privacy.

A similar concept comes up if you look into password management: using a password manager/wallet is an option but you still have to come up with passwords. What most people realistically do is always use the same password, because it’s convenient. And extremely insecure.

On the other hand you have solutions like SuperGenPass that generate passwords out of a master password and the domain name. This is the solution that a colleague of mine suggested to me and that I’ve been using now for a while. It’s still not perfect security: if an attacker gets hold of hashes and can get to the password through a rainbow table, it’s still possible to recover the master password. It’s much harder for the attacker in that case, though, since you need multiple rainbow tables. And that’s supposing that they can identify the SuperGenPass users at all.
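To make the trade-off concrete, here is an added sketch (not part of the original post, and not SuperGenPass's own algorithm): it swaps in PBKDF2-HMAC-SHA256 with the domain as salt, and all names, domains and candidate passwords are constructed for illustration. It shows that a table precomputed for one domain is useless for another, and that a weak master password is still recoverable from a single exposed site password.

```python
from __future__ import annotations

import base64
import hashlib

ROUNDS = 100_000  # assumed work factor for this sketch


def site_password(master: str, domain: str, length: int = 16) -> str:
    """Deterministic per-site password; the domain plays the role of the salt."""
    if not master or not domain:
        raise ValueError("master password and domain are both required")
    salt = domain.strip().lower().encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ROUNDS, dklen=32)
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def precomputed_table(domain: str, candidates: list[str]) -> dict[str, str]:
    """The table a guesser would need: derived password -> candidate master.
    It is valid for exactly one domain, so every site needs its own table."""
    return {site_password(c, domain): c for c in candidates}


def recover_master(exposed_site_password: str, table: dict[str, str]) -> str | None:
    """Look up a site password that has already been recovered from a leak."""
    return table.get(exposed_site_password)


# Constructed sample data, not taken from any real breach or wordlist.
COMMON_MASTERS = ["password1", "letmein", "qwerty123", "dragon"]
WEAK_MASTER = "letmein"
STRONG_MASTER = "correct horse battery staple 7391"


def demo() -> dict[str, object]:
    table = precomputed_table("shop.example", COMMON_MASTERS)
    weak_shop = site_password(WEAK_MASTER, "shop.example")
    weak_mail = site_password(WEAK_MASTER, "mail.example")
    strong_shop = site_password(STRONG_MASTER, "shop.example")
    return {
        "distinct_per_site": weak_shop != weak_mail,
        "weak_same_domain": recover_master(weak_shop, table),   # guessable master
        "weak_other_domain": recover_master(weak_mail, table),  # wrong table
        "strong_same_domain": recover_master(strong_shop, table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway is that the scheme protects other sites from one site's leak only as far as the master password resists guessing, so the master password should be long and unique.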

Here’s what it boils down to: will TouchID make it more inconvenient for iPhone thieves on the street to try taking your phone on the go, compared to no PIN locking at all? Yes, most likely. Which basically means that its target was reached. Will it prevent sophisticated thievery, or more targeted attacks? No, but a 4-digit PIN is unlikely to be much better, as you have just so many combinations.