A couple of disturbing reports revealed how easily criminal gangs have been able to use stolen iPhones to access the owner’s bank accounts. The initial report didn’t explain the method used, but a subsequent one did: moving the victim’s SIM into a new device so that the Apple ID password could be reset through the trusted phone number.
Apple is already working on one security measure – making it easier for users to remotely wipe data from a stolen iPhone – but the reports also highlight a security weakness that seems worryingly common among non-techies: using the Notes app to store passwords …
Barbeiro says that the easiest way criminals have to find passwords is by looking in the Notes app since many users seem to store bank and credit card passwords there […]
When they download data from the cloud to the new device, they search for information linked to the word “password” and, according to them, they usually get what they need to access the victim’s bank accounts.
It’s the modern-day equivalent of people writing their passwords in a paper notebook and keeping it in their desk drawer.
Of course, both iOS and macOS let you lock individual notes, so that a password (or Face ID/Touch ID) is needed to read them. But again, most non-techy users seem unaware of this.
As my colleague Filipe Espósito suggested, that’s a problem Apple could solve by making a standalone iOS Keychain app, rather than have the feature buried within Settings. This would achieve two things.
First, anything stored in there would be automatically protected. Keychain items are encrypted with keys tied to the device passcode, and iCloud Keychain is end-to-end encrypted, so a thief who has merely reset the Apple ID password cannot pull them down to a new device the way they can with ordinary, unlocked notes. Unlike Notes, users wouldn’t need to know that a lock feature exists, nor remember to use it. And thanks to Face ID/Touch ID, it would still be convenient to use.
Second, the very existence of the app would draw attention to the need to exercise care in securing sensitive information.
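To make that first point concrete, here is what “automatically protected, but still convenient” already looks like at the API level on iOS today. This is an added example, not code from Apple or from the article: it uses the existing Keychain Services API to store a credential that is only readable on this device, only while a passcode is set, and only after a Face ID/Touch ID check. The service name `example.bank` and the function names are my own placeholders.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example (not Apple's code). Stores `secret` for `account` in the Keychain
// with an access-control policy that requires the device passcode to be set and a
// current biometric enrolment to read it. kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
// also means the item is never included in a backup or restored to another device,
// and is destroyed if the user removes their passcode.
func storeBankPassword(account: String, secret: String, service: String = "example.bank") throws {
    var acError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,   // invalidated if the enrolled face/fingerprints change
        &acError
    ) else {
        throw acError!.takeRetainedValue() as Error
    }

    // Identity of the item; used both to delete any stale copy and to add the new one.
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]

    // Remove a previous value first so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(base as CFDictionary)

    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = Data(secret.utf8)

    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

// Reads the credential back. The system prompts for Face ID/Touch ID (or the passcode,
// depending on policy) before SecItemCopyMatching returns the data.
func readBankPassword(account: String, service: String = "example.bank") throws -> String {
    let context = LAContext()
    context.localizedReason = "Unlock your bank password"

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess,
          let data = result as? Data,
          let secret = String(data: data, encoding: .utf8) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    return secret
}

// Usage: store once, read back later (the read triggers the biometric prompt).
// try storeBankPassword(account: "alice@example.com", secret: "correct horse battery staple")
// let pw = try readBankPassword(account: "alice@example.com")
```

The contrast with a note is the point: nothing about the stored value depends on the user remembering to lock it, and because the item is marked ThisDeviceOnly it is not among the data an attacker can “download from the cloud to the new device”. A user-facing Keychain app would simply put a friendly front end on exactly this behaviour.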
The app would need to be made a lot friendlier than Keychain Access on the Mac, which has a notoriously unfriendly user interface and buries the ability to store secure notes.
One other benefit of having a dedicated iOS app is that it could also help educate users. I doubt any tech-savvy person stores their bank password anywhere. We know that no security system is perfect, and the most secure place to store really sensitive passwords like banking and other financial ones is inside our heads. There are plenty of memory techniques that can be used to reliably memorize really complex passwords.
So one thing a user-friendly Keychain app could do is include a warning the first time you open it that the safest way to store financial passwords is to memorize them. (Perhaps that much is wishful thinking – asking Apple to note that even its own secure app is not 100% secure – but hey, these feature requests are wish-lists …)
And for the rest of us, it would provide more convenient access to our keychain items when using iPhones and iPads. We’ve all experienced occasions when Keychain hasn’t recognized a particular website, and had to delve into Keychain Access on the Mac to retrieve it. This would provide an easy way to do the same on iDevices.
What’s your view? Is a dedicated, user-friendly iOS Keychain app something you’d like to see? Please take our poll, and share your thoughts in the comments.