
ShadowJade

macrumors regular
Original poster
Jul 12, 2014
Moments after DLing iOS 9 yesterday, I noticed and reported what I believe to be a serious security flaw. While locked, a double tap of the home button now activates Apple Pay, (I will sadly miss music controls). While using the credit cards still requires your fingerprint, the rest of your passbook, (err Wallet), cards are right there ready to use QR codes and all. My preloaded Dunkin Perks card, my upcoming concert tickets...
Also sad for my son to lose his ability to listen to an audiobook and follow along with the digital book on the same device...this is no longer possible with audiobooks moved into the iBooks app.
 
Moments after DLing iOS 9 yesterday, I noticed and reported what I believe to be a serious security flaw. While locked, a double tap of the home button now activates Apple Pay, (I will sadly miss music controls). While using the credit cards still requires your fingerprint, the rest of your passbook, (err Wallet), cards are right there ready to use QR codes and all. My preloaded Dunkin Perks card, my upcoming concert tickets...
Also sad for my son to lose his ability to listen to an audiobook and follow along with the digital book on the same device...this is no longer possible with audiobooks moved into the iBooks app.
Settings > Wallet & Apple Pay

Turn double tap off!

Security flaw fixed!
 
Moments after DLing iOS 9 yesterday, I noticed and reported what I believe to be a serious security flaw. While locked, a double tap of the home button now activates Apple Pay, (I will sadly miss music controls). While using the credit cards still requires your fingerprint, the rest of your passbook, (err Wallet), cards are right there ready to use QR codes and all. My preloaded Dunkin Perks card, my upcoming concert tickets... snip
And when you did that for the first time you also got a notice that you can turn this off in settings.
Don't tell just half the story.
 
Yes it does. Not sure why this exists anyway...you don't need the phone "ready" for Apple Pay...simply holding it near the NFC device brings up the fingerprint screen.
 
Doesn't double tap log you in? If you get a fingerprint not registered to your 6 does the same thing happen?

No. Laying your finger unlocks. Double tap doesn't do anything unless you mean double clicking, which is a different action. Double clicking with Apple Pay double click off just reads your fingerprint and unlocks.
 
Yes it does. Not sure why this exists anyway...you don't need the phone "ready" for Apple Pay...simply holding it near the NFC device brings up the fingerprint screen.
I like it. It's a lot less goofy looking randomly waving your phone around a payment terminal and then the cashier awkwardly goes "yeah, we don't have Apple Pay". Don't act like you haven't been in this scenario about 50 times already.
 
So back to the problem...if I want double tap on for Apple Pay I need to expose my Passbook cards/boarding passes/concert tickets? That seems half-baked to me.
 
And when you did that for the first time you also got a notice that you can turn this off in settings.
Don't tell just half the story.

If you can turn off a feature that exposes a security flaw for rewards cards and payment cards (non-apple pay cards like Starbucks, etc) then it's still a security flaw.
 
Sorry it posted twice on my iPhone due to network I was on. It is still a flaw if wanting to leave Apple Pay on exposes the other cards without needing a fingerprint or password.
 
So back to the problem...if I want double tap on for Apple Pay I need to expose my Passbook cards/boarding passes/concert tickets? That seems half-baked to me.
It's an option you can have on or off. The point is to give you access to your rewards cards along with Apple Pay in a simple to use format. It's something that can be turned off. If it makes you nervous also consider turning off other ways to get you. Siri from the lockscreen because someone could ask for directions home, control center because a person taking your phone could activate airplane mode before you have a chance to use Find My iPhone, Notification Center because people will see your meetings and text messages, Lock Screen previews of messages and alerts. The point is, it gives you the ability to access something faster but is not a flaw because it's a known feature and is able to be deactivated along with the other items listed here.
 
If you can turn off a feature that exposes a security flaw for rewards cards and payment cards (non-apple pay cards like Starbucks, etc) then it's still a security flaw.
It is not a security flaw!

The double tap only brings up your cards (no useful info is displayed). You still have to use a registered fingerprint to get anywhere with it.

If you don't believe me, ask a trusted friend to take your iPhone and learn anything of value by double tapping the home button. Might as well have him or her try to purchase something too. As you will see they cannot. But like I said if it bothers you just turn that feature off.

The feature is designed to allow you to switch payment methods quickly without digging deep into the wallet app first.
 
So back to the problem...if I want double tap on for Apple Pay I need to expose my Passbook cards/boarding passes/concert tickets? That seems half-baked to me.
You do not need to double tap to use Apple Pay. You only need to hold your iPhone next to a pay terminal. The double tap exists so you can swap from your default card to another payment method quickly.
 
If you can turn off a feature that exposes a security flaw for rewards cards and payment cards (non-apple pay cards like Starbucks, etc) then it's still a security flaw.
The quoted statement didn't allude to whether it was a "security flaw" or not.
It just added detail that was left out in the OP's original comment.
 
So back to the problem...if I want double tap on for Apple Pay I need to expose my Passbook cards/boarding passes/concert tickets? That seems half-baked to me.

If someone steals your phone, they're going to try to wipe and sell it, not get free donuts, go see a concert, and then try to board a plane...
 
It is not a security flaw!

The double tap only brings up your cards (no useful info is displayed). You still have to use a registered fingerprint to get anywhere with it.

If you don't believe me, ask a trusted friend to take your iPhone and learn anything of value by double tapping the home button. Might as well have him or her try to purchase something too. As you will see they cannot. But like I said if it bothers you just turn that feature off.

The feature is designed to allow you to switch payment methods quickly without digging deep into the wallet app first.
The OP is saying it also gives you access to other wallet things outside of debit/credit cards like the Starbucks "card". Those do not need your fingerprint in this case.
 
The OP is saying it also gives you access to other wallet things outside of debit/credit cards like the Starbucks "card". Those do not need your fingerprint in this case.
Convenience over additional security... you get to choose which one you personally want more.
 
Convenience over additional security... you get to choose which one you personally want more.
Exactly, OP has A CHOICE. No one is making you leave this on.

Just like having a six digit passcode versus alphanumeric. No one makes you leave it at six digits just like no one makes you leave control center enabled on home screen or have Siri active while phone is locked. Oh and same thing for emergency ID being available via lock screen.

I also got a notification stating I could turn off the double tap to access wallet when I first used it.

Honestly this is why it takes so long to get more advanced features because it's always a small group that complains and is the most vocal when the majority is screaming for more things like this.
 
What C DM said.

Control Center on lock screen is another convenience vs security thing on the iPhone. By having on lock screen, does have easy access to basic controls, but if phone is "lost", the person that has the phone can easily put into airplane mode, making it dead to "Find my Phone", remote wipe.
 
I like it... makes Starbucks faster and easier. Now if the same double tap would bring up my Starbucks card on my watch, I would be even happier. I think it was a nice addition.
 
Convenience over additional security... you get to choose which one you personally want more.
So we're not worried about the credit cards then...a Starbucks card???

Okay. I guess!

If my phone gets stolen, I'm worried about more than someone getting a latte with my info.

Thus Apple has provided Find My iPhone. So in the event someone has access to my phone other than me I can still lock it down. I only need to find someone with an Apple device...hopefully one of those this of people are around.

Seriously, the #1 thing when a phone is stolen is to ensure criminals cannot get into your device and get sensitive information. With TouchID, I use a complex alpha-numeric passcode (only need it once because fingerprint is used after initial log in). Having access to random NON-Bank cards is not going to matter at all. In the meantime, you grab my iPhone and disable or lockout your phone with Find My iPhone app.

Still 0 security flaw...as always disable double tap if your Starbucks Card is that important.
 
If someone steals your phone, they're going to try to wipe and sell it, not get free donuts, go see a concert, and then try to board a plane...

Well, not anymore, thank you iOS 7 and activation lock.
People stealing iPhones these days are idiots, the same idiots that then try to sell them on eBay with a big disclaimer "PHONE IS ACTIVATION LOCKED" which is basically saying yeah, I stole or found this phone.
It's hilarious.

Back on topic, as other people have mentioned, you cannot do anything with the cards unless you use TouchID. So it's not really a security flaw and as another user also said it's the same as notification centre, Siri etc. Don't like it, turn it off.
 