In conjunction with the release of iOS 12 today, Apple has released a new version of its iOS Security Guide. This update includes new details on the Secure Enclave, DFU and recovery mode, Screen Time, Shortcuts, and more.
Apple releases updated versions of its Security Guide several times per year, generally coinciding with the release of a major new iOS update or feature. For instance, alongside the iPhone X, it released a new version of the Security Guide with details on Face ID.
First off, today’s revision to the Security Guide includes new details on Shortcuts. Apple says that Siri suggestions for apps and shortcuts are generated with on-device machine learning, ensuring that no identifiable data goes to Apple:
Siri suggestions for apps and shortcuts are generated using on-device machine learning. No data goes to Apple except information which can’t be used to identify the user about what signals were useful predictors of shortcuts or app launches.
Shortcuts added to Siri are synced across all Apple devices using iCloud, and encrypted using CloudKit end-to-end encryption. The phrases associated with shortcuts are synced to the Siri server for speech recognition, and associated with the random Siri identifier described in the Siri section. Apple doesn’t receive the contents of the shortcuts, which are stored locally in a data vault.
Elsewhere, Apple offers a handful of details on iOS’s Password Management feature. The company says applications cannot access the Password AutoFill keychain without direct user permission. Apple also says that access is granted to iOS apps only if the app developer and website administrator have given approval:
Apps can’t access the Password AutoFill keychain without user permission. Credentials saved to the Password AutoFill keychain are synchronized across devices with iCloud Keychain when it is enabled.
Access is granted to iOS apps only if the app developer and website administrator have given their approval, and the user has given consent. App developers express their intent to access Safari saved passwords by including an entitlement in their app.
iOS 12 also includes support for multiple appearances in Face ID, but Apple notes that adding a second appearance will increase the probability of a random person being able to unlock your device from 1 in 1,000,000 to 1 in 500,000.
The probability that a random person in the population could unlock your iPhone is 1 in 50,000 with Touch ID or 1 in 1,000,000 with Face ID. This probability increases with multiple enrolled fingerprints (up to 1 in 10,000 with five fingerprints) or appearances (up to 1 in 500,000 with two appearances).
Apple’s full Security Guide can be viewed here. It’s most definitely worth a read if you’re curious about just how extensive Apple’s commitment to security and user privacy is.