Got an iPhone? Here’s what we think about the security of iOS 11

We’re due for an update to Apple’s iOS pretty soon, as the current stable release, iOS 10, is nearly a year old and iOS 11’s beta is rumored to be near completion and ready to launch soon.

Exactly when we don’t quite know – Apple isn’t forthcoming about details of its roadmaps, and simply says it’ll be “this fall”. (For reference, iOS 10 came out in early September 2016, just in case we’re looking at a yearly schedule.) As we’re counting down the last days of summer in the northern hemisphere, the iOS 11 official launch is likely not long away.

So it seemed a good time to take the beta for a whirl on my old iPhone 6 to see which upcoming changes might be of interest to the security-minded. (You can read the very shiny list of major updates on the official iOS preview page from Apple; not everything I cover below actually appears on the preview.)

A lot of the changes touted by the official pronouncements are about usability, design, and accessibility changes — all well and good, of course — but I want to kick the tires a bit with the security and privacy settings.

The lock screen: more talk-y, less lock-y

Setting up a passcode on your mobile devices is one of the most basic privacy measures you can, and should, take. We’ve covered before that you also should disable Siri access on your lockscreen, as Siri has been an attack vector in the past to bypass basic security measures and gain access to your private phone data (like stored photos) even when the phone is locked.

And yet, even with Siri disabled and a passcode enabled, the iOS 11 update negates a lot of the purpose of the lockscreen altogether. Even with iOS 10, Apple lets us know that more and more of our phone app notifications can be shown on the lockscreen without needing a passcode to see them — so you can act on them quickly, of course — and it seems with iOS 11 that trend continues.

iOS 11 adds viewing the Control Center (the menu that you can pull up from the bottom of the screen) and returning missed calls to options that work despite the lockscreen, in addition to features that were already available on iOS 10. All of these options are turned on by default.

Is this necessarily a problem? Of course not. However, it could be problematic if your phone is in the wrong hands. A passcode should mitigate the risk to you if your phone is stolen or misplaced; ideally the passcode should help render your phone all but useless to the person who now has it.

But by default you can now access several features while the phone is still technically locked; personally, if my phone were stolen I wouldn’t want anyone to be able to access my Wallet credit cards (especially since many transactions don’t ask for a PIN), read my app notifications, or see what was on my day’s agenda. While I can see the utility in being able to respond to phone calls or messages from a lock screen — assuming the person who now has my phone is a good Samaritan — in general, if my phone is in the wrong hands, I want my phone to be completely useless to them.

Ultimately this is a matter of your comfort and risk tolerance — if the convenience of these features is worth it for you, then you can leave them all enabled.

But if you’d rather keep your lockscreen, well, lock-y, you’ll be able to disable any lockscreen features you prefer: go to Settings > Touch ID & Passcode and scroll down to the “Allow Access When Locked” area.

More of iCloud keychain

For those that already use Apple products and Keychain, you may be happy to find out that the iCloud Keychain is even more integrated into iOS 11 than previous iterations, with greater management and visibility within iOS. Under the Settings area, there’s a new section called “Accounts & Passwords” where you can manually add credentials (which I imagine might be quite tedious); alternatively, when iOS detects a credential set, it may prompt you to save the credentials.

The credentials above are ones I entered and saved on my iPhone 6 with the iOS 11 beta, and these credentials also appeared on my MacBook’s Keychain under “iCloud” (hence iCloud Keychain), but the credentials already saved on my MacBook’s iCloud Keychain didn’t also sync back up to my iPhone’s “App & Website Passwords” area.

Right now, or at least how I seem to have things configured, it seems like credential sharing could be one-way — iDevices to the greater Keychain account only — but it’s entirely possible I didn’t set things up correctly.

Nonetheless, this makes password management more streamlined and accessible for people who might not want to use a standalone password manager. I already use a password manager across my devices that I don’t intend on abandoning, but if I didn’t have that option I might consider going with this instead.

A bit more granularity over location sharing

This one’s a minor change, but a nice one: all apps that use any kind of location services are required to have three options for location access: Always, While Using, and Never. While most apps in iOS 10 already used these three options, it was not hitherto required to have “While Using”, so if an app needed any kind of location access, it’d ask to have this access in perpetuity and not just when it needed it. (Uber was a rather notorious example of this.)

Of course, the master switch for location services is still right up at the top of the Location Services settings page, and you can simply turn the whole thing off.

If you want to play along at home and give the iOS 11 beta a shot, it’s pretty simple to do. Keep in mind that beta means things could be potentially wonky, and ultimately there is some, albeit minute, risk; so back up all your files before trying the beta and, better yet, try it out on a device that isn’t one you rely on day-to-day.

Ready to take the plunge? Follow Apple’s instructions here (it will prompt you to log in with Apple credentials). NB: you’ll have a much easier time if you’re installing via Safari.