Apple forces its users to care about their own security
Apple now requires the creation of a unique password for every application that wants to access your iCloud account. This will bolster the security of the data stored in the service by ensuring that a problem with one application won't provide access to all of the information managed by iCloud.
The update follows a series of changes meant to improve the security of Apple's syncing service after it was wrongly implicated in the nude celebrity photo leak in September. Perhaps the most important update is one that prevents attackers from trying an unlimited number of passwords to gain access to someone's iCloud account; Apple previously allowed them to try as many passwords as they liked even though limiting log-in attempts is a basic security practice.
Today's update will force people who have already granted applications access to their iCloud accounts to sign out of the service and then sign back in with a new app-specific password. The extra layer of security is meant to protect data used by apps without two-factor authentication, and Apple calls out Microsoft and Mozilla in its instructions for making app-specific passwords for not including the feature in their email apps, as if it has the right to criticize others' security.
Apple has a demonstrated history of failing to implement basic security features. These failures left information transferred by iOS and Mac products insecure for the better part of two years, allowed anyone with the technical know-how to attempt to brute-force their way into someone's iCloud account, and left email attachments unencrypted in iOS 7. Apple seems to care about its customers' security, as shown by its improvements to iOS 8, but is the company really competent enough to protect them?
So while today's update makes customers more secure and reflects well on Apple, it's a lot like the company's updates to iOS 8 and the accountability report it published in September. As I wrote when that report, which is good for Apple but still leaves a lot to be desired, was released:
It’s heartening to see Apple take such a comprehensive approach to informing its customers about its privacy policies and security practices. The new section of its website offers more information than the transparency reports most companies have relied on, and Cook has taken a strong public stance against the government’s attempts to gather so much personal data. The updates to iOS 8, which are supposed to make it next to impossible for data to be compromised, are also welcome even though Apple’s track record with even basic security features is mixed.
But this is still an incomplete look at what Apple does to protect its customers’ data, and until these issues are clarified or the company learns to respond to fears about its iffy security tools before it makes the biggest product announcement since it revealed the original iPad in 2010, the company should still be questioned and criticized. This is our data, and until we take an active role in holding companies responsible for their actions, we’re never going to be secure.
Now Apple is forcing its customers to be more proactive about their own information security. For all the company's faults and underhanded attempts to hide security issues from its users, the decision to involve consumers with their own security might just be the nudge that a few people need to start taking the way their personal data is handled a little bit more seriously.
[illustration by Brad Jonas]