iOS 8.3 Lets You Skip Password Entry to Download Free Apps. Good Idea?

Posted on March 25th, 2015 by

The new version of iOS, version 8.3, is getting ever closer and pre-release beta testers are stumbling across new hidden features and tweaks that Apple has made with the iPhone and iPad operating system.

An iOS 8.3 update (beta 4, build reference ‘12F5061’) issued this week contains what appears to be new functionality allowing users to disable password authentication when downloading free apps and games from the App Store.

The new functionality is quietly tucked behind a new area called "Password Settings," underneath "iTunes & App Store" in the main Settings application, and gives users the ability to "Always Require" a password when making a purchase or "Require after 15 minutes."

Those two options aren't themselves new. They're already in iOS, in the Restrictions section of the Settings app.

But what is new is an On-Off switch letting users choose whether they can get free apps from the App Store without requiring a password.

Why would you not want to enter a password before downloading a free, new app to your phone? Well, the only reason I can think of is the sheer convenience of saving yourself five seconds of typing. It's clearly not an enhancement of security to disable the password check.

In fact, if you consider how often you might hand your phone to someone else to speak to a friend, or leave it unattended away from your person, there is a real danger that someone might exploit the feature to install an app that you don't want onto your phone, or meddle with your settings.

It's easy, for instance, to imagine a clued-up child changing settings to give them access to apps and games of which their parents might not approve, or leaky apps that are careless with users' privacy being installed onto devices without the true owner's express permission.

Of course, if you haven't jailbroken your iPhone or iPad, then the apps that can be installed onto your iDevice are limited to those that have managed to pass the vigorous vetting that Apple has in place.

But I would still think it's sensible for the device's owner to be the ultimate custodian of what gets installed on their smartphone or tablet, and anything that introduces the option of disabling a password check feels like a step in the wrong direction.

And is it really such a big deal these days anyway? Recent iPhones and iPads come with Touch ID, meaning you no longer have to remember your Apple ID password to download a game, or your PIN or (hopefully) password to unlock your device.

Touch ID works well for most people, and arguably is less of a hassle than typing in a password—so why does there need to be an option to disable authentication for downloading free apps? Wouldn't insisting on Touch ID at least have been enough, and not compromised security?

Reportedly, the option to waltz past a password check is not available if Apple's Touch ID fingerprint-checker is enabled—but we'll probably have to wait until iOS 8.3 has properly shipped before we know for certain.

In all likelihood, the kind of people who configure iOS to stop asking for a password are the same as those who are least security-conscious, and might well be the same folks who don't even bother having a weak four-digit PIN code protecting their iDevice.

Apple should be protecting such people from the risks they expose themselves to, making it harder for criminals to exploit unlocked iPhones and iPads—whether their motive be money or mischief.

So, what do you think? Is the ability to skip the password to download free apps a good idea or a bad idea? Leave a comment below with your point of view.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • Coyote

    While the idea of installing software without authorisation is not necessarily the best (and certainly has risks [but then again, so does authorised installation, thinking about it]), it is a common thing and this goes across the platforms. Windows is a really good example (and perhaps more generally stated, the average user) but some people new to Unix (in their case it is generally some distribution of Linux) seem eager to always be privileged (root in this case), even for things they can just as well be unprivileged for (and indeed some software, including some daemons, refuse to operate if you’re root – for example – while others will drop privileges as soon as they finished with the privileged tasks).

    But regardless, it is the convenience factor and this is indeed an old discussion (and admittedly administrators are a large part of the problem, when they enforce ridiculous policies that then encourage users to find workarounds – if more would understand this… but even then there is no satisfying everyone so there’s always going to be someone who goes one extreme [and administrators are users too!]). With phones and other mobile devices, I can see why others might like it more so (they’re on the run, they’re .. whatever it might be… maybe harder to type? Though from what I’ve read, some who are used to phones do ‘type’ quite fast on their phones).

    I think the only new part here, then, is additional implementations of something that allows more convenience at the cost of less security (how much less is definitely going to be debated by others and heavily debated – it exists like fire does with lots of petrol, dry plants and hot wind… i.e. it will never be resolved). So while it might be a poor decision for the user, it isn’t much worse than what is already there (and the part about administrators going too far also applies here… especially for personal devices, it is what they want and to deny it is potentially problematic). In that way I think Apple is closer to neutral here than at either end of the spectrum. Yes, Coyote actually said that and he means it too.

  • Chelsea Peterson

    I don’t have any of these options and I have version 8.4.1

    • Dj

      Same dude