iOS 8.3 Lets You Skip Password Entry to Download Free Apps. Good Idea?

Posted on March 25th, 2015 by

The new version of iOS, version 8.3, is getting ever closer and pre-release beta testers are stumbling across new hidden features and tweaks that Apple has made with the iPhone and iPad operating system.

An iOS 8.3 update (beta 4, build reference ‘12F5061’) issued this week contains what appears to be new functionality allowing users to disable password authentication when downloading free apps and games from the App Store.

The new functionality is quietly tucked behind a new area called “Password Settings,” underneath “iTunes & App Store” in the main Settings application, and gives users the ability to “Always Require” a password when making a purchase or “Require after 15 minutes.”

Those two options aren’t themselves new. They’re already in iOS, in the Restrictions section of the Settings app.

But what is new is an On-Off switch letting users choose whether they can get free apps from the App Store without requiring a password.

Why would you not want to enter a password before downloading a free, new app to your phone? Well, the only reason I can think of is the sheer convenience of saving yourself five seconds of typing. It’s clearly not an enhancement of security to disable the password check.

In fact, if you consider how often you might hand your phone to someone else to speak to a friend, or leave it unattended away from your person, there is a real danger that someone might exploit the feature to install an app that you don’t want onto your phone, or meddle with your settings.

It’s easy, for instance, to imagine a clued-up child changing settings to give them access to apps and games of which their parents might not approve, or leaky apps that are careless with users’ privacy being installed onto devices without the true owner’s express permission.

Of course, if you haven’t jailbroken your iPhone or iPad, then the apps that can be installed onto your iDevice are limited to those that have managed to pass the vigorous vetting that Apple has in place.

But I would still think it’s sensible for the device’s owner to be the ultimate custodian of what gets installed on their smartphone or tablet, and anything that introduces the option of disabling a password check feels like a step in the wrong direction.

And is it really such a big deal these days anyway? Recent iPhones and iPads come with Touch ID, meaning you no longer have to remember your Apple ID password to download a game, or your PIN or (hopefully) password to unlock your device.

Touch ID works well for most people, and arguably is less of a hassle than typing in a password—so why does there need to be an option to disable authentication for downloading free apps? Wouldn’t insisting on Touch ID at least have been enough, and not compromised security?

Reportedly, the option to waltz past a password check is not available if Apple’s Touch ID fingerprint-checker is enabled—but we’ll probably have to wait until iOS 8.3 has properly shipped before we know for certain.

In all likelihood, the kind of people who configure iOS to stop asking for a password are the same as those who are least security-conscious, and might well be the same folks who don’t even bother having a weak four-digit PIN code protecting their iDevice.

Apple should be protecting such people from the risks they expose themselves to, making it harder for criminals to exploit unlocked iPhones and iPads—whether their motive be money or mischief.

So, what do you think? Is the ability to skip the password to download free apps a good idea or a bad idea? Leave a comment below with your point of view.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.