Security

General

iOS

  • Android phones can't be switched off without the passcode; iOS devices can. This can hamper the 'Find my iPhone' functionality, because WiFi, Bluetooth and Airplane mode can be toggled from a locked device. Please add an option to require passcode entry before powering down an iDevice or disabling any radio.
  • Add a setting to require both TouchID and a passcode to access iOS. In essence this is two-factor authentication, combining something you have (a fingerprint) with something you know (the passcode).
  • Create a TouchID API, so third party developers can include it into their apps.
  • GPS is still turned on in Airplane Mode (iOS 8.2+). Please disable GPS when Airplane Mode is enabled.
  • Prevent both iOS and macOS apps from using Google Analytics (or other analytics services) to collect usage statistics. This practice is widespread among iOS and macOS apps downloaded from the App Store, and infringes on user privacy.
  • Prevent the misuse of Homekit applications on the lock screen of a stolen iDevice.
  • The anti-tracking functionality (iOS 8+) for Bluetooth and WiFi probing doesn't use enough entropy when generating 'random' MAC addresses. Please improve this.
  • Prevent the usage of a 'scrambled' voice input activating Siri without the user's consent.
  • Prevent the mSpy and FlexiSPY exploits from working on iOS.
  • Prevent the BeEF exploit framework from working in Safari.
  • Instead of showing 'Your software is up to date', display 'Your device is end of life and will no longer receive iOS updates'. This way, people don't get a false sense of security thinking their device is up to date.
  • Release security fixes for EOL devices that cannot run the latest iOS version.
  • Alternatively, release the firmware under an OSS licence so that old iDevices can still run OSS developed software, extending their usefulness.
  • Allow the rollback to a previous version of iOS. This ensures that people who suffer a degraded system responsiveness can decide to downgrade to an older iOS version.
  • Separate apps like Safari, iTunes and Apple Music from iOS system updates. That way, those apps can still receive updates when a device is EOL and won't receive any new iOS updates.
  • Create a clear policy on how many years/months after purchase a device will keep receiving (security) updates. That way, buyers know what to expect when they purchase a non-current-gen device.
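An added example (not Apple's code or the page's own) that shows how the MAC-address randomisation item above can be checked empirically: it builds locally administered unicast MAC addresses from an entropy source, then audits a sample of generated addresses for how many bit positions ever vary, which bounds the entropy the generator really provides. The weak generator and the 0xca:0xfe prefix are constructed for illustration.

```python
import secrets
from typing import Callable, Iterable

def random_mac(entropy: bytes) -> str:
    # 6 bytes in; force locally-administered (bit 1 set) and unicast (bit 0 clear)
    # in the first octet, so 46 of the 48 bits are driven by the entropy source.
    if len(entropy) != 6:
        raise ValueError("need exactly 6 bytes of entropy")
    b = bytearray(entropy)
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)

def strong_mac() -> str:
    # Full 6 bytes from the OS CSPRNG.
    return random_mac(secrets.token_bytes(6))

def weak_mac(counter: int) -> str:
    # Constructed example of a poor randomiser: fixed 40-bit prefix and only
    # the last octet varies, so at most 8 bits of 'randomness' per address.
    return random_mac(bytes([0xCA, 0xFE, 0x00, 0x00, 0x00, counter & 0xFF]))

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def varying_bits(macs: Iterable[str]) -> int:
    # Count bit positions that take both values somewhere in the sample; this is
    # an upper bound on the entropy actually present in the generator's output.
    ones = 0
    zeros = 0
    mask48 = (1 << 48) - 1
    for mac in macs:
        v = mac_to_int(mac)
        ones |= v
        zeros |= (~v) & mask48
    return bin(ones & zeros).count("1")

def audit(generator: Callable[[], str], samples: int = 256) -> int:
    # Draw `samples` addresses from the generator and report the varying-bit count.
    return varying_bits(generator() for _ in range(samples))

if __name__ == "__main__":
    print("weak generator, varying bits:", audit(lambda: weak_mac(secrets.randbelow(256))))
    print("strong generator, varying bits:", audit(strong_mac))
```

A generator that only varies a few octets, or derives them from a predictable counter, shows up immediately as a low varying-bit count, even though every address it emits looks random on its own.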
Random numpad

Add a numpad randomizer to iOS. See ScramblePass and BlackBerry for inspiration.

  • In corporate environments WiFi passwords change regularly, often enforced by policy. Currently, iOS doesn't detect this password change and doesn't bring up a pop-up to enter the new password. Instead, the user is forced to look up the WiFi network, make the device 'forget' it and then go through the full pairing procedure again. Please improve the usability of this procedure.
  • Add WiFi WPS support to iOS.
  • Add an option to force SSL/TLS connections to Safari on iOS. See the HTTPS-Everywhere plugin for inspiration.
  • Review the Baseband chip firmware to improve device security. See this article. LegbaCore has been acquired by Apple.
  • Review the driver security for the A-series SoCs.
Unsecured call

Add a functionality to iOS that identifies possible SS7 tampering and IMSI catchers. Optionally, automatically block these IMSI catchers. See SnoopSnitch for inspiration.

  • Add opening of apps with a fingerprint or passcode. See BioProtect or Asos for inspiration.
  • Prevent leakage of device stats via Safari. See BrowserLeaks for an overview.
  • Settings → Safari → Fraudulent Website Warning: please state whether this mechanism uses an offline database or needs a DNS-style lookup for every hostname entered in Safari. Also, please add a link to the Google SafeBrowsing API that is being used.
Airport

Add native VPN support to the Airport product line, including support for OpenVPN. This feature would enable an Airport basestation to function as a VPN gateway without the need to enter settings in every device in the network.

  • Add native OpenVPN support to iOS. Currently this works only via a third party app.
  • Add an option to block outbound traffic when a VPN connection drops.
  • Improve the VPN renegotiation mechanism, e.g. after an iDevice wakes up, for all supported VPN protocols.
  • Add an 'always-on' functionality to all VPN protocols. This way, all connections, from boot until shutdown, will be directed over the VPN connection (business feature).

macOS

iCloud

  • Improve the control and transparency of stored data in iCloud. See this comment.

iMessage

Secret Key

Add a mechanism to iMessage where you can compare the secret (conversation) key on both ends of the conversation. See Telegram Secret Chat, the Signal key screen or WhatsApp for inspiration.
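An added example (not Apple's or the page's own code) of what such a comparison screen computes: both ends derive a short numeric code from the two public keys of the conversation, so that the codes match when each side holds the other's genuine key and differ when a relay has substituted its own. The 32-byte 'public keys', the domain-separation label and the 60-digit format are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed label for domain separation; an assumption, not an iMessage value.
LABEL = b"example-conversation-fingerprint-v1"

def fingerprint(my_pub: bytes, their_pub: bytes, digits: int = 60) -> str:
    # Sort the two keys so both ends hash the same byte string and therefore
    # display the same code regardless of which side computes it.
    material = b"".join(sorted((my_pub, their_pub)))
    digest = hashlib.sha256(LABEL + material).digest()
    num = int.from_bytes(digest, "big") % (10 ** digits)
    code = str(num).zfill(digits)
    # Render in groups of five digits so it can be read out over a call or
    # compared side by side, the way Signal shows safety numbers.
    return " ".join(code[i:i + 5] for i in range(0, digits, 5))

def keys_agree(alice_view: tuple, bob_view: tuple) -> bool:
    # Each view is (own public key, public key received for the peer).
    return fingerprint(*alice_view) == fingerprint(*bob_view)

def simulate(relay_substitutes_keys: bool) -> bool:
    # Constructed 32-byte 'public keys'; real keys would come from the key server.
    alice_pub = secrets.token_bytes(32)
    bob_pub = secrets.token_bytes(32)
    if not relay_substitutes_keys:
        # Honest key distribution: each side received the peer's real key.
        return keys_agree((alice_pub, bob_pub), (bob_pub, alice_pub))
    # A relay that hands each side its own key instead of the peer's: the two
    # displayed codes no longer match, which is what the comparison reveals.
    relay_pub = secrets.token_bytes(32)
    return keys_agree((alice_pub, relay_pub), (bob_pub, relay_pub))

if __name__ == "__main__":
    print("honest key distribution, codes match:", simulate(False))
    print("substituted keys, codes match:", simulate(True))
```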

  • Create an easy, iMessage-like, encrypted and authenticated service for commodity e-mail, sent directly from Mail, e.g. using open source PGP. Currently this workflow needs third party apps and knowledge of encryption.

Check

Check the Apple discussion forums for your issue. If you find a thread, include the link in your Feedback Form submission.

Submit

If you experience a bug or would love to see a feature added, let Apple know! Send them your remarks, ideas or bug reports via the Feedback Form on their website.
If you're a developer, you can submit a detailed bug report via the Apple Bug Reporter.