Apple's new passcode-based encryption for the iPhone and iPad can be circumvented and provides only limited protection to data.

The privacy improvements in the latest version of Apple’s mobile operating system provide necessary, but limited, protection to customers, experts say.

With the release of iOS 8 this week, iPhones and iPads configured with a passcode would encrypt most personal data, making it indecipherable without knowing the four-number password.

By tying the encryption key to the passcode and making sure the key never leaves the device, Apple placed the burden on law enforcement to obtain a search warrant and go directly to the customer to get data from their device during an investigation.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” Chief Executive Tim Cook said on the company’s new privacy site. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

Rival Google reacted quickly to Cook’s comments, and announced that it would turn on data encryption by default in the next version of Android. The OS has had encryption as an option for more than three years, with the keys stored on the smartphone or tablet.

On Friday, privacy experts said they supported Apple’s latest move, which they viewed as putting more control over personal data in the hands of customers.

“The fact that they (law enforcement) now have to go directly to you, and can’t do it without your knowledge, is a huge win for Apple’s customers in terms of their privacy and security,” Jeremy Gillula, staff technologist at the Electronic Frontier Foundation, said.

However, experts also said the protection had its limits, since customers often store on iCloud a lot of the data encrypted on the device, such as photos, messages, email, contacts and iTunes content.

In addition, information related to voice communications, such as call logs, is stored with the wireless carrier, as well as on the smartphone.

Once in iCloud, law enforcement or government officials investigating national security cases could legally force Apple to hand over the data.

Apple’s new privacy mechanism also has a weakness. Plugging the iPhone or iPad into a Mac or Windows PC that has been paired with the device would circumvent the passcode-based encryption.

Unless the devices had been turned off, the password would not be needed to access data from the computers.

“This means that if you’re arrested, the police will seize both your iPhone and all desktop/laptop machines you own, and use files on the desktop to dump and access all of the above data on your iPhone,” Jonathan Zdziarski, an iOS forensics expert, said in his blog. “This can also be done at an airport, if you are detained.”

Without naming Google, Cook made a point to emphasize that Apple’s profits depended on selling hardware, not collecting customers’ personal information and then selling it to advertisers.

“A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product,” Cook said.

The privacy changes came after Apple suffered a black eye this month when cyber-thieves accessed celebrities’ iCloud accounts and, in some cases, posted naked photos online.

Apple found that the attackers did not compromise iCloud security, but obtained the credentials to the accounts some other way. Apple beefed up iCloud security recently by introducing two-factor authentication, which was already available to people with an Apple account tied to iTunes and other services.

“Two-step verification is good, and long overdue,” Rebecca Herold, a privacy adviser to law firms and businesses, said.