I realize I have been slacking off posting here at Securosis, but thanks to a string of big event thingies, I thought I should link to a bunch of recent Apple security and privacy articles I posted over at TidBITS (mostly) and Macworld.

I do probably need to write up the bit where local apps that are iCloud enabled seem to save document drafts on iCloud once you start writing, as opposed to when you save the documents in iCloud. This means any open drafts, in many text editors, load data into the cloud even if you only want to save them locally. Apple states they remove this data once you save the file to your local drive, but it is a bizarre design decision from a company that has made so many security and privacy improvements recently.

So, um, don’t open up a TextEdit window and paste your temporary (or permanent!) passwords in it, unless you save the file someplace local first.

Now on to the articles:

  • First is an older Macworld article, Why Apple Really Cares About Your Privacy. This one predated Apple’s big public privacy push, and is the key piece that ties the rest of these together. Basically, Apple is using privacy against Google (and to a lesser degree certain other competitors) because the differences in business models make it difficult for anyone else to differentiate on privacy to the same degree. This is an excellent alignment of economics to improve security and privacy, and I expect it to define a lot of what we see in the coming years.

The next three articles show how Apple is following through on its privacy messaging within products:

  • To start, Apple dramatically improved the data security of iOS, much to the chagrin of folks in law enforcement. You likely read this all over the place, but this piece ties together a lot of context I didn’t see in other articles. Also, as an emergency responder, my arguments cannot be dismissed with the “if you only saw what we see” argument. I have seen more than my fair share of horrible things, including horrible things happening to children, so I get it. But that is no excuse to sacrifice fundamental civil liberties. Part of the problem is that some people in law enforcement are so used to getting access to whatever they need for an investigation that they see it as a legal right, and don’t understand that today’s technologies cannot include lawful access capabilities without deeply compromising security.
  • Next up I wrote a piece detailing how Spotlight Suggestions handles privacy. While less of a big picture issue, this highlights the steps Apple is taking to harden their pro-privacy stance down to low-level feature design. Not that they always get it right – as illustrated by that iCloud issue.
  • This next piece also relates to privacy, but is more about the business landscape Apple is working within. I discussed the real reason some merchants are blocking Apple Pay. Many of you understand the reasons merchants hate credit card companies (Hello, PCI!), and Apple is merely caught in the middle. For the record, I wish we would get half as many comments on Securosis articles as on this one!

One last article ties the series up (even though it wasn’t the last one published) and serves as a good bookend to the privacy piece:

  • The last piece is the most important for the long term: You Are Apple’s Greatest Security Challenge. Yes, Apple made mistakes with the celebrity photo thefts. Mistakes that those of us in cloud security are very familiar with. But, to their credit, they also deal with a scale and scope very few organizations need to consider. Including some key differences from Google, who has been doing a better job on this front. It is a very nuanced issue, and the decisions Apple makes here will have profound repercussions for the ecosystem.

That’s it for now. It seems there is Apple-related security news every week. A lot of the headlines are total BS, like the article a few years back claiming a major security flaw in iPhones, when it was really a problem in every GSM phone on the planet. But that doesn’t get page views, and Apple security has become the “if it bleeds, it leads” of the tech world.