Apple is not my usual cup of tea, as there are more than enough sites that make a living on Apple rumors. I recently took a look at one of them, Apple Insider, to check on a few things happening there, and I found three interesting articles, all somehow linked to mobile security.
The first one is a hardware extension, combined with a specific application. It is called EasyPay Touch, and it transforms a standard iPod Touch into a portable checkout terminal. Apple is already using such terminals in its Apple stores, but so far, they were not based on Apple devices. Now, they will be.
The article provides a good description of the device and application. The iPod Touch is encased in an outer shell that also includes a magstripe reader and a barcode scanner. To perform a transaction, the clerk scans the products, then swipes the customer’s card, and gets the customer’s signature. All on the EasyPay device.
When I first saw that, my first thought was: wait, payment terminals need to comply with security standards like PCI/PED. Well, since PED stands for PIN Entry Device, and this particular device captures a signature rather than a PIN, it has no such requirement, and apparently, it can work.
Replace the Touch with an iPhone, add a contactless reader/writer, and this thing will surely look like a killer portable terminal, suitable for a lot of professionals.
The second article is about a job posting for an iPhone OS security manager. Well, that job description sure has a few of my colleagues dreaming of California, especially those in the mobile security area. And reading the details is not going to calm them down. One of the responsibilities mentioned will be “Setting the roadmap for the iPhone OS platform security with an emphasis on hardware support and trusted computing methods”. Yes, that’s “trusted computing”, and this looks a lot like things that we are doing.
It is quite unlikely that one of my colleagues actually lands the job, but Apple’s explicit interest in trusted computing could bring quite some credibility to the method that Apple selects to secure its iPhone. And more importantly for the community, the technology that will be selected will be put to a true real-life test, because I am quite convinced that some of the best mobile phone hackers will try to defeat any countermeasure added to the iPhone. Resisting that will be hard, but succeeding at it would be the best possible customer reference. Good luck to the happy contenders!
The third article is about a rumor on iPhone and RFID, which is also relayed on other media, more knowledgeable about RFID and NFC. Of course, Apple is insisting on NFC’s reader/writer mode, which allows them to read tags, most likely because that’s the part of NFC with the cool applications, and Apple does not care that much about card emulation. But the really exciting part, if it is true, is the last sentence of the second article’s quote, which reads:
Guess I’ll be touching my iPhone to my Mac to link them together to sync iTunes by next year.
Sounds stupid, doesn’t it? Well, I still believe that this particular application (putting tags with control URLs of some kind on a device, and then reading the tag to initiate a transaction that somehow involves/controls that device, or interacts with it) is by far the coolest application of NFC. It is all about context awareness, and that’s what I really want.
I always wondered why Apple didn’t jump on the NFC train. The technology is hip, touch&go experience and if opened for the App developer, it would add more $ to the (sickeningly) successful App store. If these rumors are true, they’re now setting the directions for the next iPhone with NFC... and we know that lately if Apple started something, it was a great success. It could also be a clever move to counter Nokia’s future NFC strategy.
Regarding the job posting for the iPhone OS security manager, you should know that this is not the first time that this position has been advertised. And it is still possible to jailbreak iPhones.
Since I’m pretty sure that last time Apple managed to hire at least one qualified applicant, I’m thinking that the sheer enormity of the task at hand still escapes them. The most essential task at hand (security and risk analysis) is mentioned only once and is not part of the list of required skills.
If security was really important to them, they would create a position at a much higher level in the hierarchy: right now I think that they are still at the “security is a product” level.
Now don’t get me wrong: from a business point of view, I’m not sure that they really have to move beyond this level right now. After all we’re not talking about voting machines, border-control terminals or EMV payment terminals.
Finally, I totally agree with you on the RFID issue. I think that lots of interesting applications could really “bloom” with a simple sprinkling of RFID readers and simple, dumb RFID tags. Just take a look at Bluetooth pairing. I mean, I have an iMac and an Apple Wireless Keyboard and every time I have to change the batteries (not often), Bluetooth pairing is a huge pain. It is supposed to work seamlessly but in my experience it often takes at least 20 minutes of fiddling. And I’m talking about 3 products (iMac, Wireless Keyboard and Mac OS X) that were produced by a single company, in a single timeframe.
If Apple integrates a reader in the next iPhone generation AND allows applications to access the reader, it could actually kickstart a real consumer industry around this technology, just like it did with mobile browsing and mobile phone applications. The funny thing is that if that happens, a proprietary solution from a single company will again win against standard-based solutions (JSR-257 and the like).
Now I just need to find a proprietary solution to a problem that’s been hotly debated for years in a standard group, sell the solution to a company with a market clout large enough to turn it into a “fait accompli” standard, and I will be rich.
Well, look at the next post (just published), and you will see that we are on the same line. I am not sure that I agree about the proprietary stuff; the iPhone platform is proprietary, but RFID is standardized. Of course, Apple will not use JSR-257, but Android won’t either.
Now, will Apple use “real” NFC or not? For me, that is the question, and I don’t have the answer.
@Eric: well, I’m not thinking of a 100% proprietary solution. I’m thinking “standard reader (ISO14443 A/B)” but with a proprietary encoding for the data inside the tags. You know, standard stuff is never good enough for Apple, it must make the owner feel “special.” So I’m sure that Apple would add something somewhere.