
iOS 11's Misleading "Off-Ish" Setting for Radios Is Bad for User Security - panarky
https://www.eff.org/deeplinks/2017/10/ios-11s-misleading-ish-setting-bluetooth-and-wi-fi-bad-user-security
======
Terretta
> _In an attempt to keep you connected to Apple devices and services, iOS 11
> compromises users ' security._

No. It is in an attempt to resolve the real loss of money experienced by
everyday users who turn off WiFi when it’s flakey and then forget to turn it
back on, costing them cash on their cellular data plan. (And the very real
frustration when things don’t work they expect to work, and they don’t know
why.)

Meanwhile, the security motivated user will figure out she can 3D Touch or go
into settings and meet her more sophisticated use cases.

Consider the normal user’s scenarios and do the math. This saves more users
from more loss.

~~~
jonahx
> No. It is in an attempt to resolve the real loss of money...

Naked apologism. So unthoughtful, and delivered with such a righteous tone.

If this was their intention, they could have implemented the feature honestly,
informing users about what was happening, and offering a clear choice, such as
an immediate popup, between "turn off for this location" and "turn off
completely." That would have been fine.

But the existence of this "pro" to the deceptive and confusing behavior does
not justify it.

~~~
morganvachon
_" offering the option to actually turn the services off."_

I'm not getting into the rest of your discussion, but I think you completely
missed that you can indeed actually turn them off via 3D touch. Even on non-3D
touch devices like the iPad mini, you can get to the "actually off" toggles by
long-pressing the icons. Sure, it's somewhat of an extra step, but it's
misleading to claim that the option doesn't exist when it clearly does.

~~~
comex
You can? On my phone, deep pressing on the 'block' in Control Center
containing the Wi-Fi icon gets me to a submenu, which adds text labels to the
existing toggles and adds two more toggles (AirDrop and Personal Hotspot).
However, pressing the Wi-Fi button from that submenu seems to have the same
effect as outside of it, and deep pressing it (as well as long pressing it)
has no effect.

edit: but you can definitely turn them off through the Settings app.

~~~
morganvachon
As I said elsewhere, I repeated the GP's claim without testing it myself,
assuming good faith on his part. After testing I found it wasn't true.
Unfortunately I can't edit my original comment now, so I've been apologizing
throughout the thread.

------
dvcrn
I hate this. I have a ton of wifi hotspots setup in the city, some of them
require authentication, some of them don't. I leave work, mount my phone on my
bike, "turn off" WiFi and cycle before realizing that nothing (like maps) is
updating because I connected to a wifi point that needs authentication, or a
point that is now far away because I already cycled by.

While cycling, I reach to my phone and switch it "off" again just to be again
connected to some other access point at the next crossing.

I really hope for a setting in the next version so that off means off again.

~~~
jwong_
If you want to be off wifi why not just fully turn it off? It seems like you
want it to be off for a long time. Going into settings to turn off the radio
doesn't seem to be hugely laborious if you really do want it off for the
entire ride.

~~~
cassowary
That's a really silly reply. There's nothing in the UI that tells me turning
Wifi off in the control centre has a different meaning today than it had last
week. It's not at all clear that turning it off in the Settings app will have
a different result. Literally. You're obliging us to read someone's mind.

Moreover, going to the Settings app is laborious. There's a lot of stuff
there. When you open it, you don't always "start from the start", so that
pulling it up requires working out where it is in the app you are in order to
navigate appropriately. Instead of focusing on the task of disabling wifi and
going somewhere, you have to focus on the task of navigating an app. And also
if you have a phone that wasn't bought yesterday, it will probably close some
other app you were running because it's run out of RAM.

All so that some weird usecase I can't understand is available. This fellow is
the only person who's described a usecase for disconnecting from wifi networks
while leaving wifi on, insofar as leaving the radio on won't have upsetting
results for him. But the feature doesn't work for him.

For me, sometimes I need my battery to last all day not just till dinner. I
want the radio off.

I can't think of a non-technical/non-exceptional use that is benefited by this
feature.

(NB. I quite like the idea that my wifi will spontaneously turn back on again
when the battery is charged adequately, or at 5am or some such. It would've
saved my data on numerous occasions. But that's a different feature that
hasn't been implemented.)

------
davb
In general, iOS isn’t very friendly to users who favour 3G/4G over WiFi. I’ve
got unlimited data on my LTE plan but very shaky WiFi at home. I can’t start
an iCloud backup without WiFi and can’t download apps or updates over a
certain size. And now WiFi miraculously turns itself back on after I turn it
off in Control Center (as I’ve done for some time). If I want it _off_ I’ve
got to dig through Settings.

Changing defaults is bad enough, but not giving users a choice to change them
back is incredibly frustrating, especially for a device with such a diverse
range of users and use cases.

Apple (and Google, in their own way) seem to think they can push users towards
a lowest common denominator use case. It just doesn’t work.

Take “Do Not Disturb While Driving” for example, which kept activating when I
was taking the train. I don’t drive. I set the option to manual yet it still
continued to activate whenever I moved above a certain speed. I feel like the
folks at Apple have decided “well, since we all drive, it’s probably true of
most people”.

~~~
digi_owl
Sadly the default assumption in IT these days is "users are dumb sheep". Its
not just Apple or Google, MS is doing it as well, and I see more and more of
it in the FOSS world.

~~~
dx034
Because if they changed it, 1% would be happy while the other 99% would
complain about high charges. And $1000 phone bills because of an iCloud backup
are the stories that go viral.

You can warn 3 times and people would still agree and complain later.
Disallowing options that are costly for the vast majority is the only option.
The number of iphone users with true unlimited data is probably <5%.

~~~
madeofpalk
Fun fact: there was a really obscure bug on the first LTE iPhone where
sometimes your iCloud backup would happen over LTE _even if you 're connected
to wifi_.

That was not pleasant.

------
mikeash
All they had to do was implement it to cycle between three states: on, off-
temporarily, and actually off.

Or label the damned things.

But no, they fundamentally changed how an important UI widget worked with no
obvious indication that anything is different.

~~~
hn_throwaway_99
This decision seems so fundamentally "anti-Apple". What happened to "it just
works"? Heck, they could have even promoted a third option as being super
innovative (not like it is, but marketing "Now with 'WiFi Safe Sleep!' or
something like that would have been the old Apple way).

~~~
josteink
> hn_throwaway_99

Is really HN so hostile to statements critical of anything Apple does that you
actually need to create a throwaway for it?

To me, that seems a bit extreme.

Edit: Not so throwaway after all then. Didn't consider checking.

~~~
icebraining

        created: 228 days ago

~~~
thaumasiotes
Age doesn't make the account not a throwaway. Number and frequency of
comments, and variety of topic, make it not a throwaway.

------
userbinator
In other words, the WiFi actually has 3 states: Off,
Idle/disassociated/disconnected, and Connected/Associated. Most people have
experienced all 3 states, but it seems Apple is under the impression that
users are too stupid to know the difference between them...

 _The Wi-Fi will turn back full-on if you drive or walk to a new location. And
both Wi-Fi and Bluetooth will turn back on at 5:00 AM. This is not clearly
explained to users, nor left to them to choose, which makes security-aware
users vulnerable as well._

Why 5:00 AM, and why only WiFi when location changes (and how far must the
location change? That is not mentioned even on the Apple support page)? This
set of conditions reminds me of the decisions taken by aircraft automation
systems --- read how the Boeing autothrottle works, for example:
[https://en.wikipedia.org/wiki/Autothrottle#Usage](https://en.wikipedia.org/wiki/Autothrottle#Usage)

Of course, the majority of iOS users have nowhere near that ability to
memorise how this "automatic wireless control" works, so Apple doesn't bother
to make the explanation prominent; which brings me to the next point: Apple
products aren't designed for you. They're designed for the user Apple wants,
and by not giving any choices to change the behaviour, Apple is gradually
"creating an average user" by forcing them into compliance and causing the
rest to a different platform.

To continue the analogy, Apple's design has all the complexity of aircraft
automation, and works well for the ideal use case, but none of the
transparency and predictability, nor the ability to turn it all off and "fly
manually" when it fails.

Also, the original item on HN about this,
[https://news.ycombinator.com/item?id=15297387](https://news.ycombinator.com/item?id=15297387)
, was rather ironically accompanied by this one submitted around roughly the
same time:
[https://news.ycombinator.com/item?id=15299165](https://news.ycombinator.com/item?id=15299165)

The security aspect is not just a theoretical one.

~~~
briandear
Use Siri. Or use airplane mode. This isn’t that hard.

What’s the use case where you want to completely kill WiFi but not Bluetooth
for “security?” If I am in a security sensitive environment, I use airplane
mode. That’s it’s purpose: to completely shut down all radios.

~~~
davidcbc
Airplane mode also turns off cellular data.

Personally, I only want Bluetooth on when I'm intentionally using it, but
having to go into settings to turn it on and off is cumbersome when I used to
be able to toggle it from the control panel.

------
Perceptes
This has bugged me too since upgrading to iOS 11. I understand the motivation
for the change, but it was not necessary to make the UI misleading. It should
very clearly indicate between "off" and "off-ish," and allow switching to a
true off state, perhaps by long-pressing the icon to get additional options,
like how several other control center panels work.

~~~
MBCook
The messages the display at the top of the screen when you tap the icons were
the labels below the icons if you expand the panel clearly show whether the
radios are off or just disconnected.

~~~
joombaga
The message says "disconnected", it doesn't say anything about the power
state. If I didn't know, it wouldn't occur to me that "off" and "disconnected"
are distinct states, especially since this differs from the previous behavior
of the same button.

------
paloaltokid
Yes, this was a big surprise in iOS 11. I can understand the appeal of making
it work this way, but I wish it was implemented as a parallel set of options.
Or at least make it configurable in settings of how it should work.

I feel the same way about the "Do Not Disturb While Driving" feature. I like
the feature a lot, and I've been using it, but I wish it was a parallel
feature as well. My "Do Not Disturb" patterns are different in the car from
when I'm not and I'd like to be able to configure it as such.

~~~
zwily
I wish the “Do Not Disturb While Driving” would re-enable itself after the car
starts moving again. I lie and tell it I’m not driving all the time at a light
to select the next podcast.

~~~
lucaspiller
Yeah this is a bit of a weird feature. I understand it’s a kind of mental
barrier to prevent you using your phone while driving, but it’s weird you
can’t keep it on and still use your phone - especially when you aren’t moving
as you say.

~~~
theobon
Every jurisdiction I'm aware of considers using your phone while stopped at a
red light the same as while driving. Apple enabling this behaviour within a
feature specifically designed to support safe driving laws would be illogical.

------
raimue
It is interesting to see how this is now suddenly perceived as an issue with
iOS 11, while Android already introduced the same behavior with 4.3 in 2013.

The "off" setting these days only indicates that the device will not associate
with any WiFi network, but it keeps the radio on for location services.

Without commenting whether this is actually bad for security, articles on the
matter should point out that Android phones are doing the same to raise
awareness.

Edit: iOS enables WiFi on switching location, but re-enabling WiFi based on
known locations is only a new feature of Android 8 Oreo. So for most Android
users WiFi will at least not be turned back on automatically yet.

~~~
josteink
> It is interesting to see how this is now suddenly perceived as an issue with
> iOS 11, while Android already introduced the same behavior with 4.3 in 2013.

> The "off" setting these days only indicates that the device will not
> associate with any WiFi network, but it keeps the radio on for location
> services.

That's not true. This is provenly and factually false.

On All Android devices I've had (and I've had all version from 2.2. through to
8.0), turning wifi off causes lots of apps to nag you about turning it back
on, exactly because of they wish to use location services.

~~~
icebraining
In the Advanced Settings, there's an option called "Scanning always available
- Let Google's location service and other apps scan for networks, even when
Wi-Fi is off".

As far as I know, the feature came disabled by default, and Android asked you
the first time you turned off Wi-Fi if you wanted it on, so it's not really
the same as iOS. On the other hand, some people have complained that upgrading
to Android 6 has turned it on for them, but that might have been a bug.

In any case, this is a passive scan, it didn't connect you again after you
moved places or during the night.

------
trowawee
This has been easily the most obnoxious change of iOS 11. It is super annoying
to have to dismiss the list of available WiFi networks every single time I
open my phone while walking around the city, no matter how many times I turn
my WiFi off.

~~~
djrogers
Turn off ‘ask to join networks’ - mine been that ways for 10 years and it’s
much better.

~~~
trowawee
I...don't want my phone to automatically connect to random open access points?
I live in a city where there are at least 5 separate open networks available
at nearly all times if you're just walking around, most of which I do not want
to connect to.

~~~
neotek
Turning off "ask to join networks" also stops your phone from connecting to
open networks automatically. It will still autoconnect to networks that you
have previously connected to, though, unless you explicitly tell it to forget
that network.

~~~
jachee
Exactly. Also: auto-joining open WiFi networks—especially generically-named
ones—is a pretty serious security risk. So easy to spoof an SSID and capture
everything that's traversing it.

~~~
Ensorceled
Unless you use a VPN.

~~~
jachee
Alas, there's no auto-enable-upon-connection VPN, of which I'm aware. And if
your device connects to an open SSID while in your pocket, you're not even
aware of it.

------
UnoriginalGuy
Well this finally explains why Bluetooth kept re-enabling itself seemingly at
random after I turned it off in iOS 11...

I agree with the EFF on this one, at no time was any of how this works
communicated, particularly not the "turns back on at 5 am" quirk. These
features aren't inherently bad, but lack of communication is bad.

~~~
MBCook
See my other post in this thread, it is communicated.

It’s definitely settle. But it is there.

~~~
jackvalentine
If that counts as communicating changes, it seems a bit Hitchhiker's to me. No
user should be expected to notice and figure out the changed behavior for
something they do that takes half a second, based on that 'communication'.

> “But the plans were on display…” > “On display? I eventually had to go down
> to the cellar to find them.” > “That’s the display department.” > “With a
> flashlight.” > “Ah, well, the lights had probably gone.” > “So had the
> stairs.” > “But look, you found the notice, didn’t you?” > “Yes,” said
> Arthur, “yes I did. It was on display in the bottom of a locked filing
> cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware
> of the Leopard.”

~~~
MBCook
I meant that the buttons communicate what they do, not the Apple effectively
communicated that they changed what they do.

That’s all.

~~~
jackvalentine
I would still disagree with that, but I suppose we’re getting in to circular
opinion waste of time territory now...

------
fulafel
This is especially egregrious coming just after the wifi drivers RCE debacle
([https://googleprojectzero.blogspot.fi/2017/10/over-air-
vol-2...](https://googleprojectzero.blogspot.fi/2017/10/over-air-
vol-2-pt-2-exploiting-wi-fi.html)).

~~~
CodeWriter23
But Broadcom fixed all their bugs this time. Really.

------
hungerstrike
I wonder what Steve Jobs would’ve said if this were a feature of other devices
when he asked everybody to get off of Wi-Fi at WWDC?

[https://www.youtube.com/watch?v=6lqfRx61BUg](https://www.youtube.com/watch?v=6lqfRx61BUg)

~~~
icebraining
Probably the same thing, as this feature would do what he intended.

------
galeforcewinds
Bob Pease once said, "my favorite programming language is solder." That this
OS runs on closed, proprietary hardware means we either need a third-party
solution, for purchasers to vote with their feet, or for the vendor to be
brought to their senses. Perhaps this is a regulatory matter for the FCC to
evaluate (now or later).

~~~
dx034
There is an alternative called Android where you have a choice of different
manufacturers that all deliver somewhat different systems. And you can install
your own OS on most devices. Android has more users than iOS so it's not that
Apple would exploit their monopoly.

People can vote with their feet but they like what they get with an iPhone.
The number of people that want to compile their own OS is very limited.

------
getaclue
Is it to farfetched to say that this may have lead to a decrease in
performance and battery life that I've noticed on my iPhone 7 plus? I mean...
the phone feels... sluggish now. I don't know how else to say it.

Interesting time we live in friends.

It seems like you have to observe every application, every update, and monitor
everything if you want your software to do what you expect it to do by using
it. Passing it down to the user I suppose.

I used to assume that options and controls meant something for the user.

~~~
spc476
I'm resigned to the fact that _any_ workflow I have will break with the next
update. And if it's a web application, it will break with the next refresh
(I'm looking at you, Google Maps!). It's the CADT model [1] writ large.

[1] [https://www.jwz.org/doc/cadt.html](https://www.jwz.org/doc/cadt.html)

~~~
devrandomguy
Dude. That redirects to a picture of a scrotum in a cup, if you arrive with an
HN referer header. I'm guessing you got pranked, lol.

~~~
spc476
No, I forgot JWZ did that. Sigh.

------
Waterluvian
Every week at least a few times I turn off WiFi because it's interfering with
something I want to look up quickly. But then I get home and realise later
I've been watching YouTube over 3G.

I like the feature, I just want a three state switch in the UI.

------
omarforgotpwd
You can still go into settings and turn it off for real. So whatever, makes
sense to me. A lot of times the Wifi is bad so i want to disconnect, but I
don’t care if the OS uses the wifi radio to talk to my apple watch or
determine my location or whatever. This makes total sense to me because 99% of
the time I use the control center I just want to disconnect from wifi network
that isn’t working.

------
djrogers
When I tap the WiFi or BY icons after a 3D Touch in either it says ‘not
connected’ - it’s doesnt say off. That’s pretty self explanatory. When they’re
off they are crossed out - also self explanatory.

The only real problem here is that this could have been explained to the user
on first use.

------
api_or_ipa
Not sure if this is new in the ios world, but I discovered this 'feature' in
Android years ago. Turns out Beacon Requests are very important to location
services, especially where gps doesn't work (like in any indoor location).

------
yoz-y
I very much like the new system, I usually disable wifi either when it is too
flaky or when I need to test something with an external network. Before when I
forgot to put it back on my gps location would be slow and drain the battery,
not everything is good. I do not use hotspots as my LTE is usually faster and
more reliable (not to mention more secure).

However. It seems that there is a clear divide on how this button should work,
and this usually means that there should be an option to set the behavior.
Apple hates settings but I do believe that they will do something about this
in a few releases.

------
torstenvl
I'm really surprised to see so many on HN defending this behavior change, when
it objectively violates traditional UI/UX principles and Apple's own HIG. The
principle of least astonishment is there for a reason: as Apple itself says,
iOS interfaces must "incorporate[] features and behaviors in ways people
expect."

The toggle is too close to previous versions to have a different behavior. I'm
not opposed to the behavior itself, necessarily, and it seems like some people
might find it useful. But implementing it as a bait-and-switch was the wrong
call.

------
Xeoncross
Just an added thought. I question the possible health side-effects of having a
transmitter (even a small-power one) 14hrs a day on my hip or in my shirt
pocket 2 inches from my baby's brain.

I learned the dangers of hi-power devices even at 10ft away - I prefer to turn
off the wifi/bluetooth (at least) when possible.

Apple has made airplane mode really easy and quick until now, even when the
phone is locked.

------
zestyping
This is lying to the user about a security-critical setting. Plain and simple.
It's a dishonest user interface and Apple should be ashamed.

------
Systemic33
Apple technically does show the difference, but it is very very subtle, and
most users would never notice unless told so.

Connected state = Blue background color

Disconnected state = Gray background color (Force Touch shows "Not Connected")

Off state = Gray background with gray slash across the icon (Force Touch shows
"Off")

------
vinniejames
This has been driving me crazy. Couldn’t figure out why my WiFi kept turning
back on. Not to mention, the first two iOS 11 releases broke the “Phone” app,
leaving me unable to make actual phone calls.

Hello Pixel 2

------
manigandham
All Apple had to do was make a 3rd stage icon/look to have: on, temp
disconnected, off. Cycle through with a tap or 3D touch. Everyone's happy.

------
balthamael
Apple is for "sheep", what else is new?

Like removing the headphone jack to underhandedly force people into Bluetooth
headphones(with Apple conveniently owning Beats, who has the biggest market
share of aforementioned headphones) and insultingly excusing it with
"innovation" and non-reasons. Yet people will crawl out of the woodwork to
arbitrarily defend their phone brand, which is apparently really important for
their identity.

------
myrandomcomment
So I filed an RFE to stop bitching at me to turn on WiFi to improve location
services —�- I guess I should have been more detailed :)

------
nickhalfasleep
Any software switch is liable to be compromised. If you need real certainty,
put the device in a faraday sock.

------
rileytg
my airpods disconnect when i turn bluetooth off from control center. very
weird that’s not an exception...

~~~
freehunter
So Bluetooth devices disconnect when you hit the button to disconnect
Bluetooth devices?

~~~
vacri
From The Fine Article:

> _Location Services is still enabled, Apple devices (like Apple Watch and
> Pencil) stay connected, and services such as Handoff and Instant Hotspot
> stay on._

> _The only way to turn off the Wi-Fi and Bluetooth radios..._

The GP is right that it's weird that Apple Watch stays connected when you ask
for a disconnect, but Apple Earbuds do not.

TFA wasn't only talking about the wifi radio.

------
calvinbhai
Though I wish it was communicated better, I don’t know how they can do it.
It’s good to know the difference.

I love this feature. Fringe wifi areas are where I turn wifi off, and often
I’m not turning wifi back on. It affects cellular data consumption, location
accuracy and also the battery.

I don’t understand how is this affecting the security of the device.

------
calebm
No means no Apple.

------
foo1423
I find it strange that no one here on hn is pointing out that maybe Apple has
changed things due to the fact that they want your radio data...

------
hguhghuff
Off means off.

Or it should.

------
pdimitar
I have a lot of respect for EFF but this time they just do a blind hate.

Many people forget to re-enable Wi-Fi after they turned off due to a spotty
connection. This feature saves them money.

The security-minded users have zero trouble going to the real control panel --
it's quite honestly one Home button press and one one tap away! -- and do the
real disabling of Wi-Fi / Bluetooth.

Come on. This is not a grand conspiracy. It's an attempt to make all sides
happy. I agree it could've been communicated better -- that's very obvious --
but everything above that is just Apple hate.

------
CodeWriter23
Fake News. Your password hint is your password. Employing fascism to fight
fascism. Off means on. This world is so full of shit.

------
kevin_thibedeau
As opposed to Google's dark patterns that make maps unusable with location
tracking off.

~~~
panarky
Google Maps is perfectly usable with location turned off. I often use it this
way just to stretch the battery.

~~~
dingo_bat
He means location tracking, not location. If you turn off location tracking in
settings, maps will keep bugging you. Even though it just needs location at
that time and it is enabled, but you must allow Google to create a fucking
timeline of you all the time otherwise maps will keep nagging you.

------
abalone
Even if you are the fabled user who would turn your radios off and cripple
your phone just to decrease your attack surface... like you’re walking into
enemy territory... Wouldn’t you just use airplane mode?

