Apple to Require Two Factor Authentication for Developers

Two Factor authentication on a Mac and verification on an iPhone

Today Apple sent out an email to developers about the security of their accounts. The emails states:

In an effort to keep your account more secure, two-factor authentication will be required to sign in to your Apple Developer account and Certificates, Identifiers & Profiles starting February 27, 2019. This extra layer of security for your Apple ID helps ensure that you’re the only person who can access your account. If you haven’t already enabled two-factor authentication for your Apple ID, please learn more and update your security settings. If you have any questions, contact us. Best regards, Apple Developer Relations

There are a few possible reasons for this. The first is, as the email states, to help secure developer accounts. With two-factor authentication enabled, unauthorized users cannot sign in and add Certificates, Identifiers, or Profiles to the account.

This will have some downsides though. By requiring two-factor authentication, only ten devices will be able to receive the two-factor authentication codes. For most individual users, this will not be a problem. Five of these trusted devices can be Macs and five can be iOS devices.

I contacted Apple Support to verify the number, and it is indeed ten trusted devices that can be associated with an Apple ID.

For larger development groups who may need to allow more than one user to log in to the Certificates, you will likely need to add a user who has access to the Developer Resources.

If you have not already enabled two-factor authentication on your Apple Developer account, you will want to review the two-factor authentication support page to be sure that you have a way to recover your account, if needed.

Apple Celebrates Heart Month 2019

Apple Watch with Activity Challenge

When you think of February it is possible that you might think of hearts. Fittingly, February is also known as Heart Month. One of the areas where Apple has set a focus for the Apple Watch is health and fitness, and in particular heart health. Apple is celebrating Heart Month in two different ways. The first is with the Apple Watch and the other is with Today at Apple classes.

Apple Watch

Last February Apple offered an Apple Watch Activity Challenge. You were able to earn this badge by closing your Exercise ring, which is 30 minutes, each day for seven days in a row. This ran from February 8th to February 14th.

This year Apple will be offering another Apple Watch Activity Challenge. It is the same challenge and runs for the same time frame, February 8th to the 14th. If you complete the challenge you will get a special badge in the Activity app. Along with the badge you will also get some stickers for Messages.

In order to receive the Activity Challenge and possibly get the stickers, you will need to be running at least iOS 12.1.3 on your iPhone and watchOS 5.1.3 on your Apple Watch.

Today at Apple

Besides the Apple Watch Activity Challenge with its badge and stickers, Apple will be hosting three different “Heart Health with Apple” sessions at three different stores across the United States.

In recognition of Heart Month, Apple will host special Today at Apple sessions, “Heart Health with Apple,” in stores in New York, Chicago and San Francisco with celebrity fitness trainer Jeanette Jenkins, Sumbul Desai, MD, Apple’s vice president of Health, Nancy Brown, CEO of the American Heart Association, Jay Blahnik, senior director of fitness for health technologies, and Julz Arney and Craig Bolton from the Apple Fitness Technologies team. Attendees will hear a discussion about heart health and participate in a new Health & Fitness Walk, which was co-created with Jeanette for participants to take a brisk walk with Apple Watch around their community.
  • San Francisco: Apple Union Square, February 11, 2019, 6 p.m.: Dr. Sumbul Desai, Jeanette Jenkins, Julz Arney
  • New York: Apple Williamsburg, February 21, 2019, 4:30 p.m.: Dr. Sumbul Desai, Jeanette Jenkins, Jay Blahnik
  • Chicago: Apple Michigan Avenue, February 27, 2019, 6 p.m.: Dr. Sumbul Desai, Nancy Brown, Jeanette Jenkins, Craig Bolton

It is no surprise that Apple is promoting health, given that one of the focuses of the Apple Watch is fitness. Regardless, it is good to see Apple hosting sessions at their stores to promote heart health.

Source: Apple

Apple Promotes Deirdre O’Brien

Picture of Deirdre O'Brien at Apple Park in Cupertino, California.

Today Apple has announced that Deirdre O’Brien has been named Senior Vice President of Retail + People. O’Brien has taken over for Angela Ahrendts, who joined Apple in early 2014. In that time Ahrendts has been in charge of Apple’s Retail Stores. Angela Ahrendts plans to depart Apple in April for new personal and professional pursuits.

Deirdre O’Brien’s role has been expanded. Her previous role was Vice President of People, and she will be continuing her existing role as well as taking over Retail.

Deirdre will bring her three decades of Apple experience to lead the company’s global retail reach, focused on the connection between the customer and the people and processes that serve them. She will continue to lead the People team, overseeing all People-related functions, including talent development and Apple University, recruiting, employee relations and experience, business partnership, benefits, compensation, and inclusion and diversity.

There are two things that I want to highlight. First, it is good to see Apple promoting from within. Additionally, it is definitely a plus to see that the person promoted is a woman. The latter is good to see because the ratio of men to women in senior positions within the technology sector is too often too high.

Source: Apple

Apple Revokes Enterprise Developer Certificates

On Tuesday Techcrunch reported that Facebook had been paying people, in particular teens, $20 a month to install their “Facebook Research” app. The “Research” app includes a Virtual Private Network (VPN) client. The “Research” app is a rebranded app that was removed from the public iOS App Store in August of 2018 because it violated App Store terms of service. The old name of the app was Onavo.

The method used by Facebook for this installation is by using an Enterprise Developer Certificate, which is designed for distribution of applications to a company’s employees. In addition to distributing apps to their own employees Facebook used this method for external testers. This is in direct violation of the terms of service for the Enterprise Developer account which were agreed to upon signing up for the account.

Once Apple found out about this, they revoked the Enterprise Developer Certificate. Revoking this certificate had a major impact on Facebook. Besides the “Facebook Research” app no longer functioning, all of Facebook’s internal applications used by employees stopped working.

From an Apple spokesperson:

“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

It turns out that Facebook is not the only big tech company that has been misusing their Enterprise Developer account.

Yesterday, January 30th, Google stated that they were doing something similar with their Enterprise Certificate with an application named “Screenwise Meter”. Users who installed the application were able to earn gift cards by using it. Just as with Facebook, Apple has revoked Google’s Enterprise Certificate. This revocation had the same effect as it did for Facebook: Google’s internal iOS applications ceased functioning. This includes employee-only beta versions of apps, as well as other applications used by employees. Here is a quote from the TechCrunch article:

“We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” said a Google spokesperson. A spokesperson for Apple said: “We are working together with Google to help them reinstate their enterprise certificates very quickly.”

As of today, Thursday January 31st, Facebook has had their Enterprise Certificate reinstated, but Google has not had their Enterprise Certificate reinstated, yet.

Some Thoughts

I am somewhat surprised that Apple revoked the Enterprise Developer certificates, given the companies involved. However, Apple is fully within their rights. Both companies not only violated the terms of service, but also used the applications to acquire consumer information. This is a clear violation of Apple’s principles and definitely should not be tolerated.

Besides the violation of the policies, there are consumer implications. Both companies were relying on users’ ignorance to collect information. In both cases the apps collected the browsing history of all activity on the user’s iPhone, through the VPN that was installed along with the app. Additionally, Facebook gathered Amazon purchase history by having users send screenshots of their Amazon orders.

I suspect that Google will get their Enterprise Certificate reinstated in the next couple of days. In the wake of these incidents, I would not be surprised if Apple starts cracking down on this type of behavior for all Enterprise Certificate holders.

If any smaller company had done something similar, it would be my guess that Apple would revoke the certificate and that would be the end of the discussion. A smaller company would likely not be able to get their Enterprise Certificate reinstated at all.

These two instances should be a wake-up call for all Apple Enterprise Certificate developers. If you are providing applications to end users through your Enterprise Certificate, Apple may end up revoking your certificate, and there may be no recourse.

It will be interesting to see what other ramifications this will have on other developers. I also wonder if Facebook and Google will try doing something similar again in the future. Only time will tell whether or not this will happen.

Source: TechCrunch (Facebook) and TechCrunch (Google)

Apple’s Group FaceTime Bug

Over the last weekend a serious privacy bug was reported in Apple’s Group FaceTime service. The bug would allow someone to enable the microphone and camera on someone else’s device.

The Issue

You can read the 9to5mac article for the steps on how this bug was triggered. The short version is that if the person you are calling declined the call with the sleep/wake button, and you added your own phone onto the call again, you would be able to hear the original caller’s microphone and see their camera.

Apple is currently working on a fix. In the interim Apple has disabled Group FaceTime on the server-side, until a fix is released, which should be this week.

Security Implications

Imagine this scenario. A group of three people decides to have a FaceTime call. Person 1 calls Person 2. While the phone is ringing, Person 1 attempts to call Person 3, but accidentally taps their own contact information while scrolling. Person 2 accidentally declines the FaceTime call, and the audio from Person 2’s device is audible to Person 1.

I cannot emphasize enough how bad this bug is. Not just because it should not have gotten through Quality Assurance (QA) and testing, but also because of Apple’s focus on privacy. In regards to getting through QA, using the sleep/wake button to dismiss a call is an extremely common action, and adding another person to a Group FaceTime call is the entire point of Group FaceTime. To add on to this, even though Group FaceTime was announced at the 2018 Worldwide Developers Conference (WWDC), Apple delayed its release due to bugs and issues. This one was obviously not noticed during testing.

You might think that this is a minor bug because you “have nothing to hide”. While that is all well and good for you, there are others who need privacy or are in sensitive situations where this can be abused. One example of this could be a domestic violence situation, where an abuser could use this bug to spy on someone. This would not be a good situation at all.

Another example could be a lawyer, who needs to keep their clients’ information confidential. One last example is world leaders. If any of the world leaders, or their assistants, use an iPhone, someone may have been able to use this bug to listen in on them. In other words, this is a really bad bug.

The fact that this bug got through is bad, but it is compounded because one of Apple’s core tenets is security and privacy. Any privacy bug is a problem for Apple because they make privacy a differentiator from other products on the market.

It is good to see that Apple has taken this seriously and has temporarily disabled Group FaceTime services. Even though this is bad, it is possible that Apple will make some internal changes to improve testing of their features for privacy bugs.