Hacker News
iPhones and iPads Now Require a Passcode on Every Backup/Sync (tidbits.com)
122 points by zdw on Jan 21, 2023 | 91 comments


I’ll cross post what I wrote to folks on the MacRumors forum:

I believe this may be an intentional change to temporarily avoid a security issue, which otherwise hadn't been fixed yet: https://theevilbit.github.io/posts/cve-2022-32929/ (as shown in the blog post and embedded Twitter thread linked earlier)

> The issue is that an attacker can invoke the `AppleMobileBackup` utility and make a backup to a custom location. Thus completely bypassing the protected backup location.

The issue was "fixed" on the macOS side by updating the binary to not support this behavior, but the problem is that you can still swap in a binary from an older version of macOS to get around this.

So, presumably, the problem is blocked from the iOS side now until the issue is resolved from the iOS side to make the older macOS binaries not work with newer iOS. I think it's safe to assume there wasn't time to fix this fully (since it needs to behave differently depending on the version of macOS making the request to avoid making older Macs entirely incompatible despite the prompt) and therefore the fix is temporary, but it would be a shame if it was permanent.


Here is the relevant MacRumors thread, if someone wants to follow it: https://forums.macrumors.com/threads/always-asking-trust-thi...

I’m not holding my breath though for Apple to fix this.


I think the old binaries can be patched for new iOS. Or new binaries can be patched for custom backup locations. Or perhaps the open source libimobiledevice [1] can be used somehow.

In any case, requiring passcode might be a good permanent solution after all.


Aka the binary fix is client-side security.


I believe this is theoretically fixed in Ventura via the mechanism of always checking notarization status upon execution, in which case Apple could publish a notarization revocation ticket for the old insecure AppleMobileBackup binary to make it inoperable without significant intentional user action.


And that doesn’t help if the entire purpose for the passcode requirement is to keep other actors from backing up your phone.


That shouldn't be an issue because to start a backup, the computer must be "trusted" which requires you to enter your pin.


Unless there is a security vulnerability that allows for the host to be spoofed.

https://theevilbit.github.io/posts/cve-2022-32929/


I don't think that page demonstrates how the host itself could be spoofed. Maybe you could show me what you mean.


The issue may be that the old binary is still able to run.


I don't think it's to avoid a security issue. Almost any Mac made in the last 5+ years has had sufficient security to stand up to nearly nation-state attacks on its disk contents.

What I think is far more likely: it's a dark pattern to discourage people from doing their own backups.

One of the selling points of iCloud is scaring people into the possibility of their stuff being lost from their phone getting destroyed/lost/stolen.

Up until this change was implemented, it was painless and transparent to do backups of your phone. You just needed to have your Mac or Windows computer turned on and your phone on WiFi with power. It Just Happens.

This is also a convenient way for law enforcement to get people's iMessage history, because iMessage backs up by default to iCloud, unencrypted, including the user's iCloud encryption keys. Without this, if LEOs wanted a criminal's messages they'd have to pound sand.

We know that the FBI has at least a somewhat sympathetic ear at Apple, probably because keeping the FBI happy means Congress doesn't start applying levers on the company.

Given the timing which is right after they deployed the enhanced iCloud security that supposedly E2EE's everything in a (again, supposedly) very secure way, I suspect this was a tradeoff they made to keep the FBI/Congress happy, while also boosting revenue.

'Hey, we'll nerf the local backups, and don't worry too much about enhanced security, most people won't turn it on because it's a pain and we'll put scary warnings on it.'


Nice try. But the FBI never controls Congress. Making the FBI happy won't stop Congress doing anything to Apple.


Does anyone else hate the way it's now a requirement to enter your password for an App store purchase?

What is the point of that? I recently upgraded my phone and I didn't have this happen before?

What's annoying for me is I use a very strong password, which is stored in my password safe, which isn't compatible with this prompt, so I basically just stopped buying things from the App store, problem solved?


> Does anyone else hate the way it's now a requirement to enter your password for an App store purchase?

As far as I know, it's always been a requirement, though after entering once, you can install more apps without entering a password for a temporary period. It's a good idea, too, since your AppleID is tied to your debit card or credit card, so if someone got a hold of your unlocked iDevice, if the AppleID password wasn't required, they could install as many apps as your debit card or credit card will allow. That's no good. Getting a refund for an AppStore App is near impossible.


> Getting a refund for an AppStore App is near impossible.

Don't know what you're talking about -- I've done it several times when an app turned out not to work or not have a feature I needed. The refund was processed every time.

Obviously if you needed to refund 100 apps in a week you'd probably have an issue, but normal occasional refunds seem to present no problem whatsoever.


Years ago I requested a refund for an app that didn't work. Never heard back so I disputed the charge. Big mistake.

Apple's response was to lock me out of the app store entirely. They'd never let me use that credit card again for anything Apple related.


I mean, that is generally what happens when you chargeback with any service, really. They have no obligation to accept your business and by charging back you have shown that, at least for that card (but in many places, the entire account) will result in increased fees and handling which is certainly something a business can reduce if they want to by refusing your business.

Generally speaking, expect to not be able to use the card if not the whole account when you charge back. It's intended to be a last resort option.


Chargebacks are incredibly expensive for the merchant. They would be insane to continue to do business with someone who’s done one.

It sucks because sometimes the company is wrong and the customer is right, and a chargeback is the only way for the customer to win. But from the company’s perspective those are a small minority of cases; most chargebacks are abusive customers trying to get something for nothing, and it’s best just to cut them off.

Imagine you had a small dispute at a local bar, maybe they gave you $10 less in change than they should. And you see the till open on your way out, and there’s only a $100 bill in it. We can debate the morality of taking it, but I don’t think anyone would expect to be welcomed back after taking it.


If Apple is going to “vet” programs for a 30% cut then I expect the app to work. If it doesn’t, and the developer is unresponsive, then it’s up to Apple to make it right. If they won’t, then I will use the method of last resort. I don’t give a tinker’s cuss how much it cost. Apple makes a fortune doing this, and brought it on themselves.


You're well within your rights to do that, nobody is saying otherwise. What I am saying is that Apple has the right to then say "you're too much hassle" and close your account.


Can confirm, I've been using iOS since iPhoneOS 2.0 and it was always a requirement. Using saved passwords and Touch ID/Face ID actually makes buying stuff on the App Store less annoying than how it was before.


I'd be happy if FaceID was enough though?


You can turn this on in Settings > Face ID & Passcode - enable the option for "iTunes & App Store", and you can use Face ID for app store "purchases" (free or otherwise).

You can disable the requirement for a password for free apps via the Settings > (your name) > Media & Purchases > Password Settings menu.


I have both enabled since forever but I still get password’ed every once in a while even when installing free apps. The App Store password prompt is also stuck in distant past with no keychain integration, so I always have to cancel the purchase, copy password from password manager, then purchase again. Super annoying.


FaceID still works for this, for me. I do not have to enter my password for purchases.


I half believe they do it to get everyone to remember their password since if you forget it, you can't factory reset your device and it becomes unsellable.


I wish Microsoft would do this. A lot of people have set up a PIN to log in to Windows and forget their password (and have no idea that there's a difference or what a Microsoft account is or how to access theirs), then get locked out of their account. There are also plenty of places where the PIN isn't an option (like the recovery console).


I think this is an under-appreciated piece of UX.

Authy get it, they prompt you to enter your backup password, just to check you know it, but you can skip so it doesn't get in your way when you're in a hurry.

I have one bank that never re-prompts for their passcode, and I've been locked out of the app since I got a new phone and put the wrong code in; because they name everything differently from all the other banks too. N.B. I can see the same accounts via my business login and phoning them is a pain, so...


On the topic of banks:

I have an account with an Italian bank that is also one of the biggest European banks, when I switched phone they asked me for (iirc) 3 different codes plus an additional sms otp, after that they first disconnected my old phone from the account and then they asked for my debit card PIN which I didn't remember because my card was replaced less than a month ago. I was then locked out from my account and I still didn't manage to get back in. To be fair I didn't even try to call their customer support, I just drained the account using Apple Pay which luckily was still working.


Interesting, here in the UK your PIN stays the same when you get a replacement card.

Revealing a card PIN to anything other than ATM/POS hardware seems fundamentally wrong too.


It essentially meant I never install apps on my Apple TV unless I'm very motivated.

My password is long, unlocking with another Apple device usually means finding my iPad somewhere in the house (the only device I have on my person is an Android phone - Apple don't seem to consider this case).

End result - it's too much bother usually.


Forcing you to enter your password to touch-auth means they have greater defense from people claiming someone else made a purchase on your account.


It’s understandable for paid apps, but what’s the point in asking for the password each time you want to download a free app?


Because even installing a "free" app is considered a purchase/transaction (you can even see the text "processing payment" very briefly). The app is then "owned" by your account forever, so even if the developer later chooses to make it paid, it's still "yours" at the price you bought it ($0).


But that's an irrelevant implementation detail. The password requirement is there to protect the account owner from harm should an unauthorised user purchase apps or other expensive content using their account. There is no such harm for free apps.


I dunno what's going on with that because I haven't been asked for probably a couple of years now - it's always FaceID for free or paid. And it's not a timeout thing - I probably only make an app-store "purchase" once every couple of months.


And for that matter, why do you have to be logged in to your Apple account before you can download free apps?


"Free" apps are in many cases a gateway to billable IAP. And free apps without IAP are just an update away from having IAP.


This. If you're tightly managing the phone, for instance because of kids, then you're going to want to restrict access to free apps because it'll inevitably lead to accidental or intentional IAP purchases.


Apple’s geographical restrictions are account based, not current location based. Some apps are only available in certain countries.

Hence, even free apps are associated with an account in a particular region. Also, it’d be easy to ruin someone’s life by downloading a free app like Tinder or Grindr to their phone.


The app I'd like to install is Chrome. The iPhone is only for testing. It doesn't leave the house and I don't use it as a personal device so there isn't really anything to protect on it.

Maybe I'm being unnecessarily stubborn, but I don't wish to sign in with Apple ID on it.

I don't think Chrome would be region locked.

> Also, it’d be easy to ruin someone’s life by downloading

That could be restricted by requiring the user sign in with their device unlock credentials. I don't see how requiring the device be associated with online Apple ID helps protect you. After all, if someone malicious got their hands on the phone and wished to install something controversial they could create and sign into a throwaway Apple ID.


If you are managing a phone for your kids, for instance, they would certainly have access to the device passcode but would certainly not have access to the Apple ID password.

Yes, they could probably create a throwaway account (I don't think you need a credit card to "purchase" free apps) but it's a barrier to entry that is likely too high for a lot of kids at the age of having a managed cell phone.


Why do you need to test Chrome on the iPhone instead of just testing on Safari? Chrome on the iPhone is literally a reskinned Safari. As are all iOS browsers.


It's not quite that simple. There are occasional differences with user interactions where one will have a bug the other doesn't (or you could say the bug is with the site). My colleagues have demonstrated these bugs to me.

I've never looked into how you reskin a web engine, but I think there must be enough settings and hooks that not everything works exactly the same between iOS web browsers.


You can set it to use FaceId for purchases.


It'll still ask you every once in a while.


Yes, there appears to be some sort of auth token expiration going on. Even after setting up Face-ID-based authorization, I occasionally get asked for my AppleID password when using the app store.


I believe you can only use FaceID to download apps you've already downloaded / purchased.


That's incorrect. I just tested and there's definitely a touchid/faceid prompt when you try to download a new app. Also, apps that you already downloaded/purchased require no identification at all.


You're a minority. Most people don't have strong passwords. Problem solved for Apple.


> I’m not one to subscribe to conspiracy theories about Apple using security as an excuse to push people into paying for iCloud+, but this poorly implemented solution doesn’t instill confidence.

Make no mistake, Apple has no compunctions whatsoever to use incessant nagging and degraded user experience to push you where they want you.


Right. Because so many people in 2023 actually connect iPhones and iPads to computers especially Windows users who make up the vast majority of iOS users


Up until this change I was using iMazing on Windows to have daily local backups of my devices. It supports backing up via WiFi.

Now it nags me every day to enter my passcode on my devices. :-(


Yes I’m absolutely sure that you are representative of most users. Besides, you should want an extra level of security before someone can connect your phone to a computer and slurp up all of your data.


The theory that Apple is doing something in order to get more money is a conspiracy theory?

Call it a profit theory instead. Could be wrong, could be right, but it’s no more a conspiracy than planning a Friday party.


Some people like to hope the company selling you a $1500 phone might not feel the need to also extract $3/month from you.

Naïve, I know.


(I didn’t know if you were taking the piss or not. I still don’t.)

If the CEO can make more profit for his shareholders then that is his fiduciary responsibility.


Sounds like a great way to desensitize people to very important security warnings (which will have similar prompts for passwords) and to discourage backups (make it more annoying).


Realistically, who is this affecting? How many people are actually relying or even using local backups? I certainly haven't as long as iCloud Backups have been a thing because they've been miles ahead in terms of UX and general use since they were released. They're on by default and automatic.

At the end of the day, this might desensitize the 5 power users who still use local backups, and they are probably harder to desensitize than most.


The alternative they described (make it so AppleMobileBackup required a passcode only when changing the backup location) would require the phone knowing the location of the backup and trusting the other side wasn’t lying. Might’ve been too complicated to do (especially in a way that could be applied to older versions of macOS/iTunes where AppleMobileBackup wasn’t updated).


The title says “every backup” but in fact it is not every backup:

> iCloud backups don’t suffer from this requirement


Yes, obviously we can't change the article headline, but the HN headline needs to be fixed, because it's blatantly incorrect.


Less friction for the option that scores Apple some sweet, sweet recurring revenue.


Be that as it may, grossly incorrect, misleading, sensational headlines are precisely why a lot of people don't care for journalism anymore.


Yes because there aren’t any security concerns about being able to connect your device to a computer without requiring a passcode where the computer can slurp up all of your data.


Are you saying you’re good with factually incorrect headlines as long as they kind of punish a company for some kind of speculative conspiracy?


What would be the factually incorrect headline you're talking about, are you directly referencing the simplification that the OP's headline does, or a fictional headline?


As someone who recently bought iMazing to do regular local backups of iOS and iPadOS devices, this is really annoying. Although I have only noticed it impacting my iPad. It doesn't impact my iPhone.

Regardless, I hope Apple come up with a better solution.


I like how bugs are spun as features with Apple software now. It seems there is no accountability at Apple. I struggle with iCloud, message syncing, and Siri daily. If I was CEO I would be upset with the quality of software running on customer devices and would be holding product and engineering accountable.

I’m in the process of moving to better purpose built products. System76 for general compute, and Garmin for health and activity tracking. I’m hoping for the Fairphone to land in USA soon so I can transition to it.

Also, spending time on a solid home server setup and leaning on Home Assistant community to provide an ideal smart home. HomeKit is just another walled garden that will harm IoT advancement.


When this passcode requirement started appearing some months ago, my first thought was what broke? I searched apple.com multiple times as well as other apple-specific sites to try and find out what happened and how I can turn it off because it's really annoying. And I found absolutely nothing. Nobody was reporting on it anywhere. This is the first article I've seen that documents what's going on and that it is intentional. Now that I know, I hate it even more. But it still pisses me off that Apple instituted this policy but never mentioned it.


Of course iCloud is exempt.

And now I am stuck. Either I shell out $ for their backup, or I need to enter my pin at random moments...

And when I don't wish to spend money, I am stuck with a bug(?) where my iCloud backup is > 5GB even when I uncheck _ALL_ things.

It's a ruse to make me spend money.


Not shocking - between the "use icloud" nag screen when attaching photos in Messages and basic stuff not porting over with local backups instead of icloud (weather, health, stocks etc), this is yet another customer-adverse step that substitutes monthly sub for "just works".

This past month I migrated from iphone 12 to 13 and it involved manually reloading/resetting virtually everything, despite making a local backup of the old phone. It would seem that the apple builtin apps specifically just don't restore without icloud - it's almost as if there's a product manager somewhere that's using icloud utilization in GB as their OKR benchmark, and that's one way to hit it.

Apple discontinuing TimeCapsule and disbanding the team a couple years back isn't lost on me either.


And if you do you can’t really just buy extra storage. It comes bundled in iCloud+ or Apple One.

And not to mention the completely opaque “System Data” usage of iPhone Storage. One day it’s 1GB and next day it’s 20GB. Without any way of knowing what exactly is taking that space. Of course you can’t clear those up since you are on an Apple device.


> And now I am stuck. Either I shell out $ for their backup, or I need to enter my pin at random moments...

I don't know the nuances of U.S. antitrust law.

Would this likely qualify as illegal anticompetitive / monopolistic behavior?


You really don’t see the security threat of not requiring a passcode before allowing a backup to a computer?


Your argument is the same for iCloud backup, which does not require a passcode.

A simple method is to make the backup encrypted, where it leaves your device encrypted.

This is once again Apple forcing people to pay for more Apple products under the guise of security.


How is the argument in any way similar? iCloud is a known destination that the iPhone can easily verify.


As opposed to the computer you've set up to trust? MITM is a vector for either.


You might have set your computer to trust. But there is nothing stopping someone else from making your phone think it’s a trusted computer. That’s the entire point.


> But there is nothing stopping someone else from making your phone think it’s a trusted computer.

That's non-trivial because the computer that you've trusted identifies itself to the iphone cryptographically.


That’s just the issue. There is a security issue on the Mac side that doesn’t make it possible to securely identify itself and it can be spoofed.

https://theevilbit.github.io/posts/cve-2022-32929/


The exploit in question doesn't "spoof" anything. The iphone is still talking to the same computer, that part hasn't been bypassed. You can't use this exploit to plug an iphone into a new computer and make a backup. The only thing that changed is that previously the iphone could be assured that random apps on the computer couldn't access the backup data, but now it couldn't. However, I don't think this difference is meaningful. For one, you could bypass TCC by whitelisting apps, unbeknownst to the iphone, so there's no real expectation that the backup data is kept 100% confidential. Furthermore, iphones could be backed up to windows machines, which don't have such protections at all.


> For most people, however, I recommend iCloud backups because they happen automatically, without any human interaction.

The cynic in me says that this is exactly why they're doing it. And that's why I tend to boycott services from device manufacturers - the incentives are all wrong.


This must break a lot of workflows. Backing up automatically and to a custom location is exactly something I'd like to do if I had an iPhone (no, I won't use iCloud).


"...an attacker with physical access to your Mac and device..."

If someone has physical access to my Mac, I've got more things to worry about than them swiping my phone data.


If someone has physical access to my encrypted Mac with a password, what am I worried about more than a stolen device? Sure it’s a headache. But I have insurance.


Is there a way to restore a backup to a Supervised device?


Misleading headline: This is only true for backups to a computer over a USB cable.


It also happens for backups to a computer over wifi.


Not according to the linked article! The claim is that WiFi backups are similarly affected.


Can confirm, backups over WiFi are affected as well.



