Apple today published an updated version of its iOS security white paper [PDF] for iOS 12, with information on new features and updates introduced with the iOS 12 software.
According to Apple's Document Revision History, the updated guide covers iOS 12 features like Siri Suggestions, Siri Shortcuts, the Shortcuts app, Screen Time, Password AutoFill Student ID cards, and more.
On Siri Suggestions, for example, Apple explains that suggestions for apps and shortcuts are generated using on-device machine learning, with no data going to Apple except info that can't be used to identify the user.
On the Shortcuts app, Apple explains that shortcuts can be optionally synced across Apple devices using iCloud or shared with other users. Apple protects against malicious JavaScript within shortcuts by updating malware definitions to identify malicious scripts at run-time.
Custom shortcuts can also run user-specified JavaScript on websites in Safari when invoked from the share sheet. In order to protect against malicious JavaScript that, for example, trick the user into running a script on a social media website that harvests their data, updated malware definitions are downloaded to identify malicious scripts at run-time. The first time that a user runs Javascript on a domain, the user is prompted to allow Shortcuts containing javascript to run on the current webpage for that domain.
Screen Time, meanwhile uses CloudKit's end-to-end encryption to protect usage data. Apple only collects Screen Time statistics if iPhone and Apple Watch analytics is turned on, with Apple monitoring whether Screen Time was turned on during Setup Assistant, whether Screen Time is turned on, whether Downtime is enabled, the number of times the "Ask for more" feature is used, and the number of app limits applied.
One interesting bit in the document relates to the new feature that lets a second appearance be added to Face ID in iOS 12. Adding a secondary appearance, says Apple, will decrease the probability that a random person can unlock the iPhone from 1 in 1,000,000 to 1 in 500,000.
The probability that a random person in the population could unlock your iPhone is 1 in 50,000 with Touch ID or 1 in 1,000,000 with Face ID. This probability increases with multiple enrolled fingerprints (up to 1 in 10,000 with five fingerprints) or appearances (up to 1 in 500,000 with two appearances).
Apple's security document explains in detail how each and every iOS 12 feature works and how it's protected. The guide is filled with many small but significant details on iOS 12 features, and for anyone interested in the security of the iPhone and the iPad, the full document is worth checking out.
Top Rated Comments
Think of it this way. Let's say you use a 4 digit pin to unlock your phone. The chances of a person guessing that pin is 1 in 10000. Now let's say you can unlock your phone not with just the one pin code, but another pin code. Suddenly, the chance of a person guessing your pin becomes 2 in 10000, or 1 in 5000.
The same idea goes for FaceID and TouchID, the difference being that someone isn't going to be "guessing" your fingerprint or face - but that a person with similar fingerprints or face may be able to unlock the phone. This is called a false positive - someone is able to unlock the phone when they shouldn't be able to (versus a false negative, when someone should be able to unlock the phone but they can't).
At the moment, the false positive rate for FaceID is 1 in 1000000 - i.e. the chance of a person who looks similar enough to you unlocking your phone is 1 in a million. If you add a second appearance (either of your own face or of someone else), then the false positive rate will double to 2 in 1000000, or 1 in 500000.
Do you really think that Apple would secretly do this? Do you know what kind of PR nightmare that would turn into if someone found out?
Seriously, if you’re this paranoid, just don’t use FaceID. But stop spreading FUD.