Tag Archives | Security

Apple is attempting to patent a method to conceal a biometric sensor inside of its products to allow users to lock down their systems without having to type in passwords.

This is something that I have been waiting for. I do not have a password for my iPhone, because the very thought of having to input it every time my phone goes into sleep mode is mind-numbing. If I could confirm my identity simply by touching the screen, I’d be a happy camper. And it would be more secure than a password–no one else has my fingerprints.

Rather than adding an unwieldy biometric reader to its products, Apple’s designers have dreamed up a way to hide it. The company could go in another direction: The patent includes some unorthodox alternatives for authenticating users using its existing technology, including the device being tilted in certain directions, voice recognition, and having the user touch symbols in a specific sequence.

If Apple can make it password-free authentication work in practice, it would be a valuable feature for its products. I’m not certain what the costs involved would be, but it would be a feature that I bet enterprise customers would pay more for.

iPhone users have groaned and moaned about the device’s lack of basic copy-and-paste functionality, but Apple held off on delivering the feature until it got the security right. Kudos to Apple for making security a requirement, and designing its software correctly. Third-party iPhone developers should be designing software the same way.

It has become increasingly important for developers to treat security as they would any other software severe defect–stamping out problems at the very beginning of an application’s lifecycle. It’s less expensive for software makers to address security issues before an application ships, and the security and privacy of end users is safeguarded better that way.

That’s the rationale behind Apple’s decision to delay copy-and-paste. During Appple’s press conference today, Scott Forstall, senior vice president of iPhone software, explained that the company opted to address resolve security issues that arise when information is copied between applications.

I think that is of particular importance in a smartphone’s operating system–after all, users store important information on their phones that could be compromised by malware. Clearly, Apple is thinking security, but it should be empowering its developers to do the same. As far as I know, it has not invested the resources to make that happen.

In fact, no big vendor has invested in a major security push with developers–except for Microsoft. Microsoft has published its Security Development Lifecycle (tools and processes that the company uses to build security into its software), has released free threat assessment tools for developers, and set up training programs for sharing security-related knowledge and experiences.

Over the past several weeks, I spoke with Microsoft about the future of the Security Development Lifecycle. While the SDL is not a cure-all, security vulnerabilities in Microsoft software have dropped marked since it was adopted. It would not surprise me if there were security tools incorporated into the next version of the company’s Visual Studio development environment.

Apple would be smart to take a similar approach with the iPhone, sharing its internal principles for writing secure software with third-party developers whose applications also need to be as rock-solid as possible. For that matter, so should Palm, and every other smartphone software producer.

At today’s event, Harry asked the last question, concerning the App Store approval process, and Apple marketing chief Phil Schiller pointed to security checks as one reason why giving third-party apps the go-ahead takes time. Overall, I’m encouraged by Apple’s commitment to security, but today’s iPhone 3.0 announcement didn’t answer the broader question: What is it doing to make certain that iPhone developers know how to write applications that are safe, period?