Apple security and privacy

Ric Ford

MacInTouch
Not at all, Robbie, the only thing I'm "suggesting" by posting information about a dangerous attack vector is that people should be wary and aware of it, so that they aren't losing valuable / private / personal / sensitive data to criminals or others without realizing it through this sort of trick.
Here's some new perspective from Apple itself about these security problems, responding to a public relations issue:
Apple PR said:
The facts about parental control apps
Over the last year, we became aware that several of these parental control apps were using a highly invasive technology called Mobile Device Management, or MDM. MDM gives a third party control and access over a device and its most sensitive information including user location, app use, email accounts, camera permissions, and browsing history. We started exploring this use of MDM by non-enterprise developers back in early 2017 and updated our guidelines based on that work in mid-2017.

MDM does have legitimate uses. Businesses will sometimes install MDM on enterprise devices to keep better control over proprietary data and hardware. But it is incredibly risky—and a clear violation of App Store policies—for a private, consumer-focused app business to install MDM control over a customer’s device. Beyond the control that the app itself can exert over the user's device, research has shown that MDM profiles could be used by hackers to gain access for malicious purposes.
 


MDM as an attack vector was demonstrated in March, 2016
The Register said:
MDM is the guts of managing enterprise, business, and education-owned Apple devices:
Jamf said:
Apple device management for your business
Learn how you can empower your employees to be more productive with their Apple devices.
Apple PR said:
The facts about parental control apps
MDM does have legitimate uses. Businesses will sometimes install MDM on enterprise devices to keep better control over proprietary data and hardware. But it is incredibly risky . . . Beyond the control that the app itself can exert over the user's device, research has shown that MDM profiles could be used by hackers to gain access for malicious purposes.
Stunning that Apple would characterize its system to manage enterprise systems as "incredibly risky." Can't imagine that's a message they want to send to Megaworldwide, Inc.

A different standard? What's missing in Apple's PR communique is an explanation of how the expelled "consumer" parental control apps differ from MDM controls in enterprise, and if the installation of an MDM "consumer" app gives the app developer control over the device (1) not available to, or (2) not explained to, its parental owners.

Apple mentions Verizon Smart Family as offering iPhone parental controls that aren't being shut out of the App Store:
Verizon Wireless said:
What is Verizon Smart Family?
Verizon Smart Family is a service that gives you parental controls to help manage your kids' smartphone* use.

From a single app, you'll get:

- Content filtering
- Call, text and purchase monitoring and limiting
- Contact management
- Internet pausing
- Location services (Verizon Smart Family Premium)
"Smart Family" is actually rather limited, and, ahem, doesn't block purchase and installation of apps that will be charged to the Verizon bill, though it does allow setting a dollar limit. Would it be possible for a user to work around that limit by purchasing an iTunes Gift Card?

Is this another unsolvable "he said / she said" controversy? Or is enough information available about the "banned" apps and whatever special and specific dangers they posed to evaluate conflicting claims?
 


Stunning that Apple would characterize its system to manage enterprise systems as "incredibly risky." Can't imagine that's a message they want to send to Megaworldwide, Inc. A different standard? What's missing in Apple's PR communique is an explanation of how the expelled "consumer" parental control apps differ from MDM controls in enterprise, and if the installation of an MDM "consumer" app gives the app developer control over the device (1) not available to, or (2) not explained to, its parental owners.
To be fair, Apple didn't say that its "system to manage enterprise systems" is incredibly risky, per se. They said (emphasis mine) that
it is incredibly risky—and a clear violation of App Store policies—for a private, consumer-focused app business to install MDM control over a customer’s device.
I don't think it is unreasonable to raise concerns over how general use of MDM-level controls by consumer apps might open large opportunities to compromise security or privacy, though it certainly is fair to question why Apple is changing its focus now.

FWIW, there is a concise roundup of perspectives on the matter at Michael Tsai's blog:
 


Stunning that Apple would characterize its system to manage enterprise systems as "incredibly risky."
They didn’t. They said it is incredibly risky for a third party app to have MDM on a customer’s device, for exactly the reasons that enterprises using MDM want it: because it gives them an extraordinary degree of access and control.
 


They didn’t. They said it is incredibly risky for a third party app to have MDM on a customer’s device, for exactly the reasons that enterprises using MDM want it: because it gives them an extraordinary degree of access and control.
Tsai Blog said:
Apple Cracks Down on Screen Time Apps That Use MDM
It’s hard to believe that Apple only recently figured out that these very popular apps had been using MDM for years . . . There’s no evidence presented that any of these developers abused the power of MDM.
The apps being evicted were sold in Apple's store. They went through Apple's review process. Apple made money from their sale.

If a giant corporation is allowed by Apple to lock down and monitor iPhones assigned to employees, why shouldn't parents be allowed the same "powers" to protect their children? Wouldn't these "parental monitoring apps" have protected kids we recently learned were lured by Facebook and Google into side-loading really bad spyware?
 


Ric Ford

MacInTouch
Here's a different perspective on Apple blaming MDM for its third-party app shutdowns:
OurPact said:
There Used to Be An App For That
Apple Removed OurPact From the App Store. Here’s What You Need to Know.

On Saturday, April 27th, The New York Times exposed Apple’s systematic removal of screen time applications from the App Store.

Other major publications quickly picked up the story, leading Apple to share a public statement claiming these removals are justified on the grounds that parental control apps using MDM “put users’ privacy and security at risk.” An email from Phil Schiller, SVP Worldwide Marketing, also stated Apple’s position that these apps pose a risk to privacy.

Unfortunately, Apple’s statement is misleading and prevents a constructive conversation around the future of parental controls on iOS.

... Apple recently stated that its own MDM technology, used by millions, poses risks to user privacy and can be abused by hackers. This stands in contradiction to the fact that MDM technology was initially developed by Apple to ensure security of private data on remotely managed devices. Apple alone issues certificates to third parties to communicate with their MDM servers, and Apple themselves are responsible for sending all MDM commands to user devices.

We present here, point by point, Apple’s recent claims in defense of removing apps that use MDM, to be contrasted with quotes from their own MDM documentation....
 


Ric Ford

MacInTouch
The latest silent, invisible Apple security updates:
Eclectic Light Co. said:
Apple has pushed updates to both XProtect and MRT
Apple has pushed two updates overnight, to the ‘Yara’ data files used by XProtect, bringing its version number to 2103, dated 2 May 2019, and to its malware removal tool MRT, bringing it to version 1.41, also dated 2 May 2019.

This update to XProtect’s Yara definitions brings one addition, which Apple refers to as MACOS.6175e25. According to Patrick Wardle, this refers to malware with the ID com.techyutils.UnPack, which he thinks may be more generally known as OSX.AMCleaner, a Trojan which may have been around since late last year.

... I maintain lists of the current versions of security data files for Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.
 


... Gave my mom my old iPad about 6 months ago, mistakenly removed it from my Apple ID without setting it up for her. She gave it to grandkids to set up, and of course no one remembers the PIN they set. And I didn't think to try TouchID - though it was > 48 hours, since the darn thing was dead.

No problem, I'll completely erase and set it up from new! Nope: apparently they linked it to her Apple ID, and of course she can't remember the password.

No problem, we'll do a password reset: She's got a trusted phone number (but an Android device). Nope: too easy. Heaven forbid the virtually non-existent situation arises that somehow a text goes to some criminal who knows her Apple ID. Or that Apple sends an email to her email address (same as Apple ID).

No problem, we'll use my iPhone "Find Phone" and do an account restore! We follow Apple's directions, get a code sent to her phone... but we need to know the iPad PIN (that was the whole thing I was trying to get resolved anyway). So now we can't do anything for 12 days while the account is restored. And I'll have left, out of state by then.

I'm 100% for privacy, but at some point, this is high ridiculousness. It's making it almost impossible for me to ever sell her on expanding her Apple footprint (and mine, at this point).
 


Ric Ford

MacInTouch
Apple is apparently making changes to help protect against a nasty new attack vector:
Bleeping Computer said:
Apple Updates XProtect to Block 'Windows' Malware on Macs

Apple's XProtect security software has been silently updated to include signatures that detect Windows PE files and Windows executables that can run on Macs by utilizing the Mono .NET framework.

... In February, we reported that malware was spotted that utilizes a Mac installer to execute Windows executables using the Mono C# framework. Mono is a cross-platform framework that allows C# programs to run on Windows, Macs, and Linux.

The discovered malware samples would extract a Windows executable named Installer.exe that utilizes the included Mono Mac libraries to run on Macs....
 


Apple is apparently making changes to help protect against a nasty new attack vector:
Yes, that was what XProtect version 2102 in mid-April was all about. No other changes to macOS were necessary to be able to detect that specific malware.

It should probably be noted that this was first discussed back in early February by ArsTechnica:
so it took Apple over two months to react.
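
The XProtect change in the Bleeping Computer excerpt quoted earlier in this thread targets Windows PE files, including .NET ones runnable through Mono, shipped inside Mac software. As an added example (not from the thread and not Apple's signature logic), this Python sketch flags such files in an unpacked installer tree; the function names and sample bytes are constructed for illustration.

```python
import os
import struct

CLR_DIR_INDEX = 14  # data directory slot of the CLR (.NET) runtime header


def classify_pe(data):
    """Return None (not a PE), "pe" (native) or "pe-dotnet" (CLR header set)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    if opt + 2 > len(data):
        return "pe"  # header truncated: still a PE, CLR status unknown
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32 optional header
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+ optional header
        dirs = opt + 112
    else:
        return "pe"
    entry = dirs + 8 * CLR_DIR_INDEX
    if entry + 8 > len(data):
        return "pe"
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, entry)
    return "pe-dotnet" if count > CLR_DIR_INDEX and rva and size else "pe"


def scan_tree(root):
    """Walk an unpacked app or installer and list (relative path, kind) hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # headers normally sit in the first KB
            except OSError:
                continue
            kind = classify_pe(head)
            if kind:
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)


def build_sample(dotnet, magic=0x10B):
    """Constructed header-only PE image used as sample input (not real malware)."""
    dirs = 96 if magic == 0x10B else 112
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs - 4, 16)
    if dotnet:  # non-zero RVA and size in slot 14 mark a managed image
        struct.pack_into("<II", opt, dirs + 8 * CLR_DIR_INDEX, 0x2008, 0x48)
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Installer.exe"), "wb") as fh:
            fh.write(build_sample(dotnet=True))
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"MZ" + b" plain text" * 10)
        for rel, kind in scan_tree(root):
            print(f"{kind:10} {rel}")
```

The check keys on file content rather than the `.exe` extension, so a renamed PE is still reported.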
 


I speculate that Apple has experienced a security breach that it has discovered but hasn't reported. My basis:

1. This morning, my iPhone 5S/iOS12 requested that I enter my password associated with my AppleID.

2. After doing so, it then said I needed to reset my password.

3. I declined, and was locked out -- no iCloud, iTunes, App Store, Apple TV, iPad, iPod, Mac, iPhone backup - nada.

4. My first thought was that my phone had been hacked, not my Apple ID.

5. Called Apple support and was told this was an indication that my account had been attacked. I said that my password was secure and unknown to anyone and asked when and where (IP address) login attempts had been made. I seldom use any Apple services and knew I had not logged in recently.

6. Apple said they could not help me or tell me about alleged login attempts until I changed my password.

7. Upon resetting my password, I was then told that no login attempts had been made for the last two weeks.

Conclusion: Something is rotten in Cupertino. A lot of churn for no known reason. I don't trust Apple one iota, because all the evidence suggests a problem on their end, not mine.
 


...
1. This morning, my iPhone 5S/iOS12 requested that I enter my password associated with my AppleID.
2. After doing so, it then said I needed to reset my password.
3. I declined, and was locked out -- no iCloud, iTunes, App Store, Apple TV, iPad, iPod, Mac, iPhone backup - nada.
...
I've had a couple of power outages recently. On restoration, my Apple TV 3d-Gen tries to auto reconnect to its App Store and iCloud functions. On my other devices (MacBook Pro, iPhone, iPad), I get a popup notification telling me a device (the Apple TV) is trying to log in with my Apple ID from location x, Allow? "Yes", I respond. Then, a 6-digit PIN appears, presumably from the Apple TV, to verify its login. Of course Apple TV 3G does not have the easy ability to respond to 2FA, so I have to go through the agonizing process of entering my complex password plus the 6-digit code (as a single entry) using the Apple TV remote and the alphanumeric grid, which takes a long time and is very easy to mess up. After a few failed tries but finally reestablishing the AppleTV's credentials, I then get messages on my other devices that I cannot use iCloud services on any of them until I re-log in on each with AppleID and password. So, a whole lot of wasted time following a simple, single "Allow" response for the AppleTV (which should have taken care of the whole thing).
 



Our sales manager came into my office this morning waving an iPad in the air. It seems his 2-y/o daughter had managed to 'disable' it by just madly tapping at the screen (over a period of time).

His panic was amplified because his wife - it's her iPad - had been taking all the photos of their kids with the iPad (3 kids under 2). Sadly, it appears it's never been connected to a computer nor been logged into a cloud account.

Now put aside the stupidity of not backing up the device, I'll put it down to the stress of managing a very young family, but I struggle to understand how a company can lock someone out of their own, legally obtained device and essentially delete their data.

This is her device, fully paid for and used in a way for which it was intended. As there was no attachment to an Apple ID, there was no risk of a breach of security for Apple, yet they still feel it OK to prevent access to their data.

Maybe it's just me, but I think that's unforgivable. Surely they could have a system through an Apple Store where you could go in, prove your identity and get your device unlocked.

I can go to a bank with suitable ID and borrow a million dollars, but it seems you can't get data off your own device if Apple deems you unworthy.

I wonder how Tim Cook or Jony Ive would feel if their laptops or phones were suddenly locked with no possible chance to retrieve anything?
 


Sadly, it appears it's never been connected to a computer nor been logged into a cloud account.
I was under the impression that, in order to activate an iPad without a computer, you must enter or create an Apple ID, and everything that I read just now seems to confirm that.
 


Saw today that JAMF, which I believe is the leading supplier of Mac / iOS management "solutions" to corporate and education, just announced new MDM features that seem remarkably similar to what the apps that were just evicted from the Apple Store were doing.
iTunes "App Store" said:
App Store Preview: Jamsoft Parent
Jamf School Parent empowers parents to manage their children's school-issued devices. Using the intuitive interface, you can restrict which apps your child can access on their device, receive notifications when your child arrives at school, and schedule homework time or bedtime by using a Recipe to allow or restrict certain apps.

Key features:
- Restrict and allow apps in real time (including games and social media)
- Restrict and allow device features (including the camera)
- See the device's last known location
- Create scheduled app restrictions for homework time, bedtime, and timeout
- Be notified when your child arrives at school

This app may use your location even when it isn't open, which can decrease battery life.
This is just a piece of a comprehensive set of products. More information at the Jamf website.
 


I was under the impression that, in order to activate an iPad without a computer, you must enter or create an Apple ID, and everything that I read just now seems to confirm that.
In the pre-Christmas 2018 sales I picked up a set of 9.7" iPads. We use them with FaceTime across remote locations as a kind of intercom. Turns out, with the difficulty I've had with cross-OS remote desktop management, much support is possible if a remote user just aims the iPad camera at the troubled computer screen.

We set these up with a set of new Apple IDs we're not sharing and not publishing. We sure don't want family, friends, and strangers bursting into our "office intercom."

Hadn't paid much attention to the iPad on my desk, as I only use it for the intercom function. But today's discussion led me to open its settings, where I found to my surprise it was actively using iCloud Drive. The one photo I'd taken on the device when it was new is sitting there, as are contacts, iPad backups, Siri (I have Siri turned off as I don't want her listening to my phone calls in the office).

Even with "Location" Off, "Find my iPad" was On, though with a warning it couldn't find my iPad on a map without location services enabled. What wasn't clear: what else Find My iPad could do. To check, I logged into the iPad's iCloud account on my computer, clicked over to "Find" and learned it had the approximate location (from IP address, possibly from Apple having mapped the SSID of our office Wi-Fi?). I did have "Find" send a beep to the iPad, which worked.

The device's iCloud Drive (with the one photo uploaded) is storing 18 MB. The one "Live Photo" taken on the iPad seems to be 6 MB locally. If there's a way to find how large the iCloud version is, I'm not finding it. That leaves 10 MB on iCloud which doesn't show in the "online iCloud Drive." Doesn't seem like much, until contemplating a conversion table I found that says 10 MB will hold 5,000,000 "words."
 


I was under the impression that, in order to activate an iPad without a computer, you must enter or create an Apple ID, and everything that I read just now seems to confirm that.
I genuinely don't know - I don't currently own an iPad - I'm just going on what he told me.
 


Our sales manager came into my office this morning waving an iPad in the air. It seems his 2-y/o daughter had managed to 'disable' it by just madly tapping at the screen (over a period of time). His panic was amplified because his wife - it's her iPad - had been taking all the photos of their kids with the iPad (3 kids under 2). Sadly, it appears it's never been connected to a computer nor been logged into a cloud account.
I cannot personally vouch for this service, but the founder has been written up and they may be worth contacting:

 


Saw today that JAMF, which I believe is the leading supplier of Mac / iOS management "solutions" to corporate and education, just announced new MDM features that seem remarkably similar to what the apps that were just evicted from the Apple Store were doing.
This is just a piece of a comprehensive set of products. More information at the Jamf website.
No, Jamf's offering is not like the parental apps just removed. Jamf's offering is marketed to school districts, not directly to the parents. It is designed to be used with institutionally (i.e. school)-owned devices. However, it appears to allow parents to have some control over the devices that are issued to the individual students, but since the devices are still owned by the district (presumably), Apple doesn't consider this a "security risk."

For the record, Apple's excuse for removing the parental apps is pure bunk. They blatantly lied in their press release and Schiller's statement. I have no problem with Apple not wanting companies to use MDM on personal devices, but don't lie about the security implications and malign the companies that used that method.
 


For the record, Apple's excuse for removing the parental apps is pure bunk. They blatantly lied in their press release and Schiller's statement. I have no problem with Apple not wanting companies to use MDM on personal devices, but don't lie about the security implications and malign the companies that used that method.
I don't fully understand [criticism] of Apple's position. It clearly wasn't enterprise use of MDM that was judged to “put users’ privacy and security at risk” but the third-party app developer's use of such methods.
 


I don't fully understand [criticism] of Apple's position. It clearly wasn't enterprise use of MDM that was judged to “put users’ privacy and security at risk” but the third-party app developer's use of such methods.
I think there are a couple of different issues here. First, I'm not aware of any evidence (or even claims) that the companies using Apple's MDM were using their access to violate the privacy of their customers. Apple is objecting on the basis of potential mis-use of data, not claims that it has been mis-used.

Then there's the question of whether the companies' customers understood the kind of access they were granting, and the potential for privacy violations if it's misused. Assuming the customers understand the issues and trust the company, shouldn't they have the option of allowing that access to get the features the apps provide? Apple is taking away that option.

Finally, this wouldn't be an issue if Apple allowed apps to access its Screen Time APIs. It currently doesn't, so competitors have few, if any, options other than MDM to implement similar features.
 


I don't fully understand [criticism] of Apple's position. It clearly wasn't enterprise use of MDM that was judged to “put users’ privacy and security at risk” but the third-party app developer's use of such methods.
But, that is the story that Apple is trying to sell here. That, somehow, by using the MDM protocol, these are risking user privacy. That is, quite frankly, a lie. For if it was the truth, then Apple's MDM system would be severely broken. Even Apple's own documentation disputes what Phil wrote in his email. From the document "Managing Devices & Corporate Data on iOS" [PDF],
MDM can see:
  • Device name
  • Phone number
  • Serial number
  • Model name and number
  • Capacity and space available
  • iOS version number
  • Installed apps
MDM cannot see personal data such as:
  • Personal or work mail, calendars, contacts
  • SMS or iMessages
  • Safari browser history
  • FaceTime or phone call logs
  • Personal reminders and notes
  • Frequency of app use
  • Device location
As someone who is certified in Jamf and worked with several other MDMs, I can confirm that the data that an MDM can see is not nearly as intrusive as Apple tried to imply. (In fact, I felt Apple even did a little fear mongering and implied that these apps were nefariously using the data, without providing any proof.)

From my standpoint, if I were a large enterprise customer utilizing MDM, I would ask Apple to clarify how the MDM can be a privacy risk when it is sold as a way to ensure data is managed and kept private.
 



Yes, you need an Apple ID to set it up. But you don't ever have to set it up with iCloud. The two are separate.
I wouldn't exactly call them separate, in that an Apple ID is needed to access iCloud, iTunes, Mac App Store, etc., although I do agree that one does not have to ever use iCloud.

But that wasn't really the point I was trying to make. I probably should have included more of the original poster's quote
As there was no attachment to an Apple ID, there was no risk of a breach of security for Apple, yet they still feel it OK to prevent access to their data.
Since it's all [second-hand information], we really don't know how Apple reacted to this issue, but I believe there must be an attachment to an Apple ID and that, with proof of ownership, Apple won't intentionally prevent access to the data, if it's possible to retrieve it.
 



I don't fully understand [criticism] of Apple's position. It clearly wasn't enterprise use of MDM that was judged to “put users’ privacy and security at risk” but the third-party app developer's use of such methods.
I would be more sympathetic to Apple's position if these apps had not been previously approved for sale - and, once approved, being available for many months, even years in some cases, and now all of a sudden they are a security problem. All of a sudden, because Apple is now providing similar security features. As Andre Agassi used to say in his Canon commercial, "Image is everything!", and Apple's image in this case has been sullied.
 


Yes, you need an Apple ID to set it up. But you don't ever have to set it up with iCloud. The two are separate.
They may be separate, but there is little knowledge of what Apple ID does what to various parts of macOS. Apple, if you are reading this, create an Apple ID manager that provides clear management of Apple IDs.
 

