Apple releases minor security updates for the iPhone and iPad from time to time. When folks ask me if they should upgrade, I virtually always say yes. Why not have an iPhone that is more secure, and less likely to be hacked by bad guys? So this past Friday afternoon when Apple released iOS 7.0.6 and said that it was a security update, I updated my devices but otherwise did not think much of it. (And no, you did not miss an update if, like me, you went from iOS 7.0.4 to 7.0.6; 7.0.5 was only released for iPhones sold in China.)
But over the weekend, there were two posts about this update by John Gruber of Daring Fireball (Post 1, Post 2) that I thought were pretty interesting. According to PRISM documents leaked by Edward Snowden, the NSA gained the ability to intercept encrypted iPhone traffic in October of 2012, and that's apparently right after the bug fixed by iOS 7.0.6 was introduced. As Gruber notes, this could mean all sorts of things. It could mean that someone at Apple intentionally added a backdoor for the NSA. Or it could mean that someone at Apple made a simple coding mistake but the NSA found out about it and exploited it.
Or it could just be a big coincidence, but there is at least a chance that Apple has now found and fixed a security bug that had been exploited by the NSA.
Normally I think of security patches as being important ways to protect your iPhone and iPad from "bad guys," the sort of criminals that we expect the government to prosecute. But iOS 7.0.6 may also give you a way to protect your device from the government itself.
When I think of secure information on my iPhone and iPad, much of the most confidential data is located in the 1Password app. Fortunately, the security flaw fixed in iOS 7.0.6 did not have anything to do with the security of 1Password data. Jeff Goldberg, the security guru at AgileBits (the company that makes 1Password) whose title is "Defender Against the Dark Arts," wrote a great post that explains in plain English the details of the security flaw and why confidential 1Password data was not compromised. Unfortunately, the security flaw did affect the Mail app in iOS, which raises many red flags. Indeed, this is the very thing that many of us have been worried about with all of the recent NSA allegations — has the NSA been reading (or at least saving) our confidential emails?
If you haven't updated to iOS 7.0.6 yet, you should do so. If you are still running iOS 6, Apple also released iOS 6.1.6 to fix the same bug.