A major update for Docker and Apple has once again managed to rile up the media with something that according to some is either a feature, a bug, or a step in their evil plan towards world domination.

Docker 1.10 released

A new version of Docker was released last week, with some major changes in both the engine and the related apps. The new Docker Compose configuration format look like a nice improvement, but there are plenty of other changes that I’m looking forward to playing with. I haven’t had a chance to do so yet though, but if I find anything I’d like to go deeper into I’ll probably do so in a separate article.

Security, is it a feature or a bug?

Once again Apple was in the news. Or at least, one of the company’s decisions caused a lot of outrage among the technology minded people who focus on Apple either because they believe the company is evil or because they like its products. Sometimes those two ideas are combined in a single person as well.

So, what was it this time? It turns out that sometimes when you have your iPhone repaired by a third-party (either because it’s cheaper or because it’s the only option available) your phone will be bricked when a software update takes place. The original article about this by the Guardian makes it sound like a horror story that is probably caused by Apple trying to earn as much money as possible. Because everyone knows that there is far more money in repairs than having happy customers who keep buying new phones every year or two¹.

Cooler (and less prone to hyperbole) heads have spoken up as well, and clarified the situation to the point where it’s obvious that this happens when the Touch ID sensor is decoupled from the motherboard. After being decoupled, Touch ID needs to be authorized once again and only Apple (and authorized resellers, something many articles forgot to point out) can do this. In other words, it’s a security measure to protect anything that is guarded by that fingerprint scanner. Like your credit cards if you use Apple Pay, or apps like 1Password.

So, in that regards, is this a feature or a bug? I suspect it’s both actually. Personally I think it’s a feature that if someone messes with my phone and tries to replace TouchID with their own solution to get access to my data this won’t be possible. Except, this seems to only happen when an iOS update takes place which makes it far less useful as a security measure. If it worked perfectly I would expect that it would do this check while the phone boots up². As it stands, it’s not as secure as I think it should be. That part in my opinion is a bug. Secondly, why does it need to brick the entire phone? I suspect this was the easiest solution for the engineers who built it, but it also shows that easy isn’t best. Blocking off anything related to TouchID would have the same result from a security perspective and leave people able to still use their phone.

The last part of this that annoys me is that there is no information on the phone about the error itself. This is a clear UX issue, as an error without a message seems designed to rile people up. People will likely be less angry, and more understanding, if this happens to them if there is a clear message saying something like: “It appears that your TouchID has been compromised, as a security precaution we have locked your phone. Please contact Apple to have this resolved.” Including obviously some contact details for Apple. Whether you would have to pay for it to get resolved is of course then a different matter and would likely depend on the reason for why it’s broken.

So, from the above it’s probably obvious that while I think the feature is a good thing, the implementation isn’t exactly great and definitely needs to be improved. More importantly though, it also makes me wonder how this is done on other devices. With both Google Pay and Samsung Pay available on Android devices that have fingerprint scanners, how is this handled there?

I’m not familiar with these systems, but I imagine that for Google Pay it’s harder to keep this secure as they don’t have control over the hardware³. On the other hand Google has an incredible number of really good developers to work on a problem like this. As for Samsung… They have more control over the hardware, and as parts of Android are open the should be able to do more with it. Whether they do so is another matter. Let’s just say that I’m not a fan of the company’s policies regarding security, although they’ve been making some of the right sounds lately, so I’m not very confident they have a policy for this in place.

If anyone has some knowledge or can point me to an article about that, don’t hesitate to point me to that as I’m seriously interested. I really hope they dealt with it better than Apple has, but most of all I hope that they built something.

Now, I didn’t write this today in order to try to convince anyone of whether Apple was right here or not. I’m sure everyone has their own opinion⁴, and that’s good as it points out mistakes like this. All I like to see is that people don’t start with the idea that something is done out of malice or greed and blind themselves to other options⁵.

Also, this ties into the usual discussions of what people should and shouldn’t be able to do with their phone. Whether that’s because of government interference or because the phone maker has restrictions. That’s a topic for another time though.