iOS 16 Privacy & Security

Last Monday Apple released a big update to its flagship mobile operating system, iOS (the software that runs your iPhone). Today I’ll give you a run down of the new security and privacy features in iOS 16. (There are tons of other features, too – if you want to check out the full list, click here.)

Note that I usually wait a week or so after major software upgrades are released before I install them. There are usually some little bugs and annoyances that need to be fixed (and iOS 16 has some). Apple usually follows up with a “dot update” shortly after the main release to fix them. You definitely want to get the minor updates right away (when they number after the first dot changes, like 15.7 from 15.6 or from 16.0 to 16.0.2) – they usually including important security updates. But you can hold off on the major updates (when the first number changes, like from 15.7 to 16.0) until you’re ready.

There’s already been an iOS 16.0.2 update and iOS 16.1 is in the works. So, if you want to update, I’d say go ahead. Here are the cool new security and privacy features you’ll find when you do.

Passkeys

One of the coolest new security features is aimed at finally getting rid of passwords. This technology is often referred to generically as “passwordless”. In reality, it’s just a much more secure standardized process for doing web authentication. Honestly, this one subject could be an entire article, and maybe some day I’ll do that. But for now, here’s what you need to know.

First, this technology requires websites to cooperate. That is, your iPhone supports this with iOS 16, but if the website you’re trying to log into doesn’t support it, as well, then it won’t work. Expect this to slowly roll out over the next 2-3 years. But it’s a true win-win for everyone and I hope most major sites will support this technology sooner rather than later.

Passkeys work by generating a pair of keys – a public key that you share with the website where you have an account and a private key that’s very securely stored inside your Apple devices (locked with Face ID or Touch ID). Passwords, by comparison, are a shared single key – both you and the website have to keep this secret. With passkeys, you don’t have to worry about a data breach, at least in terms of password databases. Stealing the public key won’t do the bad guys any good. Also, passkeys won’t work on fake websites, meaning that it will be a lot harder for bad guys to trick or ‘phish’ you. Also, these keys are generated by your device automatically, so they are crazy strong, unique for every site, and you don’t have to remember them.

Here’s roughly how it will work. When you create an account on a website that supports passkeys, you’ll be asked to scan a QR code with your iPhone’s camera or perhaps even just clicking a ‘create account’ button on the webpage. (You will also be able to switch an existing password-based account to use passkeys.) This will generate the key pair, sending the public key to the website and storing the private key on your iPhone. When you go to log in, instead of entering a username and password, you will do… something else. There are a few options, including scanning another QR code with your phone and just clicking a button. It’s not clear yet which methods Apple will use. But one thing is clear: this is the future and it can’t come fast enough.

Automated Security Updates

As you know, I always tell you to enable automatic software updates. (I did so again in this very article.) All software has bugs. It’s just a fact of life. Software is written by humans and humans make mistakes. The bad guys today have gotten hyper efficient at exploiting these bugs as soon as they’re found – like, within hours. With iOS 16, Apple has created a special software update process specifically for security updates that doesn’t require a full software update. You’ll find this setting under General > Software Updates. I believe it’s enabled by default. Leave it on.

Locked Photos

I’m sure you know that you can delete pics from iPhone’s Photos app. But did you know that you can hide photos, too? Well, in iOS 16 the Hidden and Recently Deleted photo albums now cannot be opened without biometric authentication (Face ID, Touch ID) or a passcode. Makes perfect sense. Not sure why this wasn’t there all along.

Safety Check

The new Safety Check feature appears to be aimed at people who may be in an abusive relationship. While I hope none of you are in this category, this feature is useful for anyone who may need to dial back some over-sharing. Safety Check has two components: Emergency Reset and Manage Sharing & Access. I’ll cover them briefly here, but if you need to know more, click here.

Apple products make it easy to share information with particular people, like close friends, significant others and family members. If you’ve used this feature liberally, it might be good to review all the information you’ve shared with others. The Manage Sharing & Access feature within Safety Check allows you to review all the people you’ve shared with… ever. Note that this includes apps and devices, as well. The list can be quite long. You can select specific people, devices and apps, review what you’ve shared and revoke sharing where needed.

But if you’re really in trouble and need to quickly stop all sharing, you can use Emergency Reset. Here’s what the screen says: “If your personal safety is at risk, use Emergency Reset to quickly protect your information from people and apps, change your Apple ID password, and review your emergency contacts. Any changes you make will be saved as you go. Keep in mind that people may notice if you stop sharing your information with them.” This is the ‘in case of emergency, break glass’ situation. I hope you never find yourself in this situation, but it’s great that Apple has provided this tool for people who need it.

Lockdown Mode

Most of us are just common schmoes. We’re not rich or famous, and we don’t draw the specific attention of state-sponsored hackers or intelligence agencies. But if you’re a dissident, investigative journalist or activist, you might find yourself the target of well-funded, persistent hackers. With iOS 16, Apple has created a new Lockdown Mode that turns off some convenient user features that are often abused by these attackers. For example, message attachments other than images are completely blocked. Incoming FaceTime calls are blocked if the user hasn’t initiated any contact with the caller in the past. Wired connections are blocked if your iPhone is locked. You can find out more here. Apple has put their money where their mouth is, too – they have offered bounties of up to $2 million for anyone who figures out how to hack an iPhone in Lockdown Mode.

I would like to say, though, that I think a lot of regular people (like you and me) might seriously want to consider enabling this mode. I’m not sure most of us would really miss some of these features and it would definitely improve security. I could see enabling this mode when I’m traveling to DEF CON, for example.

Clipboard Permissions

When you copy or cut text on your device, the data is stored on a virtual clipboard. That clipboard, historically, is available to all apps. After all, you could want to paste that text into any app. But some malicious apps have abused this privilege, looking for info like social security numbers, credit card info, passwords, etc. With iOS 16, Apple requires each app to ask permission to access the clipboard. As you might expect, this could get ugly… lots of pop-ups requesting permission. And in fact, this was a problem – but supposedly it was addressed with iOS 16.0.2.

Coming Soon to macOS

Many of these same features will be coming to the next major Mac operating system update, too. The next version, dubbed Ventura, should be released in October. I don’t know if I’ll write an article on that one. We’ll see.