Much like beauty, secure design seems to be in the eye of the beholder.
Those who have gotten early access to Apple’s next software release, iOS 8, have started playing around with it, and the security-minded among the previewers have started looking for flaws and bugs. Jose Rodriguez, a 37-year-old soldier based in Spain’s Canary Islands, is known for finding “lockscreen bypass bugs” in iOS, or ways of circumventing the passcode Apple users put on their devices to keep strangers out. In playing around with an iPhone with iOS 8, Rodriguez quickly discovered what he saw as a bug: Apple’s voice-activated assistant Siri acting like the worst bouncer ever. In iOS 8, he could activate Siri from the homescreen and she would let him circumvent the lockscreen to post to a person’s Facebook page or look at their notes and call history. No passcode necessary. He posted demonstrations on YouTube.
But it turns out this is not new and not a bug. You can do it in iOS 7 as well. Most of my iPhone-using friends and colleagues were surprised when I showed them that I could take their locked iPhones and post a status of my choosing to their Facebook walls on their behalf, see the last 25 people they’d called, or look at recent notes they’d made to themselves. That means a snoopy significant other or a paranoid boss could see who you’ve been talking to. A frenemy could sabotage your Facebook wall. And voyeurs can see what you want your phone to remember. But this may be a tech deja vu moment for some of you as this has all been covered before.
“Pranksters, rejoice,” wrote Digital Trends in September 2012, showing how you could nab a friend’s iPhone and post an embarrassing Facebook status on their wall with iOS 6. And the Guardian hit it last year: a “Siri flaw” in iOS 7 lets an attacker “bypass lockscreen to get full access to iPhone’s phone app, contacts and call history, and send text messages and emails.” Apple has made fixes to bugs in the past that allowed attackers to bypass the lockscreen by manipulating the emergency call function or the alarm clock feature, but when it comes to Siri, Apple wants users to be able to avoid typing in their passcode. This is a feature that the smartphone giant keeps incorporating despite security researchers pointing to it as a flaw.
There is a way to prevent terrible-bouncer Siri from slipping people into your phone’s control system around your passcode. In Settings, you have to go to “Passcode,” and take away Siri’s ability to welcome strangers by turning off her “access when locked.”
Why is Siri’s right to bypass your lockscreen on by default? Because Apple’s iOS developers apparently rate her convenience factor — and your ability to easily update Facebook or see your call history without typing in a passcode — as more important than making that information more difficult to access for a stranger. Apple didn’t respond to an inquiry about this. “Apple probably doesn’t want to castrate Siri’s functionality,” speculates Rodriguez.
It is always hard to gauge what privacy defaults should be — as people’s expectations of privacy vary dramatically — but it is telling that iExperts and the media keep returning to this one and reporting it as a “bug.” A popular YouTube reviewer of all things Apple spotted Rodriguez’s video and called the feature an “iOS 8 Facebook Glitch.”
That suggests that Apple should give people the option to let Siri bypass the lockscreen, but that it should be opt-in rather than the default. Or it could give them more granular control over exactly what Siri lets a person get up to when a phone is locked.