
The most important feature Apple didn't talk about today


Today's event offered Apple fans a lot to get excited about: a new kind of watch, a huge iPhone and a new way to pay for things, for a start. But there was one topic where the company stayed almost completely silent. Just a week after attackers penetrated iCloud, stealing private photos from the service’s most famous users, Apple made no reference to new security features, or plans to lock down its massive infrastructure.

On some level, this isn't surprising. The iPhone 6 was the star of the show, a show Apple has been planning for years, so it's understandable if Tim Cook didn't want to spoil the new iPhone's debut with references to this month's bad PR. Cook addressed the hack directly last week, promising expanded two-factor protections and new notifications. Isn’t that enough? But as the company rolls out ambitious plans for both health data and credit cards, it runs up against a serious question: can we trust Apple to keep that data safe? Unfortunately for Apple, it’s a question that’s getting harder and harder to answer.

On some level, Apple Pay has a lot going for it. From a strict security perspective, it’s set up to be much more secure than a conventional credit card. It keeps credit card data as locked down as possible, relying instead on one-time payment numbers and dynamic security codes. The sensitive data is stored in a "Secure Element" enclosure that credit card companies have been promoting and testing for some time now. Thanks to Touch ID, the system even has fingerprint-based authentication on its side. But its most important security feature is actually a strange admission of failure: Apple Pay appears to work completely separately from iCloud. HealthKit has the same feature, warning developers upfront not to store any sensitive health data on iCloud. It leaves Apple users in a strange place, rushing into a new infrastructure while increasingly uncertain about the security of the old one.

In the case of iCloud, the warning signs go back years. In 2012, trolls gained access to the writer Mat Honan's iCloud account with just his billing address and the last four digits of his credit card. Because of Apple's seamless connections, that meant they were able to erase all the data on his iPhone and iPad, wiping out years of family photos. In response, Apple tightened its security a little, closing some of the customer service loopholes, but the core problem of account-hijacking remained open enough for attackers to exploit two years later.

Today's rollout of iOS 8 offered the most serious solution yet, extending two-factor authentication across iCloud. For users who opt in, it would mean a simple password would no longer be enough to access the account; you would also need an ephemeral four-digit authentication code. It’s a much stronger solution, but as PayPal can tell you, two-factor is far from an ironclad solution, and the desire for a pain-free, seamless integration often works against tight security. Apple's painful experience with the Goto Fail bug exposed raw data instead of accounts, but it made the company seem less than adept when it comes to locking down your private info.

With Apple Pay, Apple will be tackling a whole new set of problems, and it’s easy to be concerned that the payments project will succumb to the same neglect as iCloud. To be clear, the problem isn't that Apple is particularly bad at security. The entire industry is bad at security, for mostly the same reasons: a complex and changing infrastructure, with little continuity and little incentive for rigorous audits. Apple isn't any worse at bug-hunting than its competitors. It's just farther ahead on everything else. Apple Pay puts more data at risk and offers more ways to get at it. That's a dangerous combination if security isn't keeping pace.

Maybe I'm wrong. Maybe the latest iCloud problems really were a wakeup call, as Cook has suggested, and the company is reviewing its protocols behind the scenes. Maybe we're headed towards a new age of network security, like the shift Microsoft pulled off in the late 90s. The company certainly has the resources to make that kind of course correction if it wants to. I hope it happens. But on the heels of Apple’s biggest announcement in years, I'm more worried than ever.
