Apple Releases iOS 15.7.1 and iPadOS 15.7.1 to Fix Security Vulnerabilities on Older Devices

Originally published at: Apple Releases iOS 15.7.1 and iPadOS 15.7.1 to Fix Security Vulnerabilities on Older Devices - TidBITS

Apple has released iOS 15.7.1 and iPadOS 15.7.1 to address numerous vulnerabilities on iPhones and iPads that either haven’t upgraded or can’t upgrade to iOS 16 and iPadOS 16. Update such devices as soon as possible.


Josh,
Good day to you sir!

Did Apple change the backup process of an iPhone to a Mac by adding a requirement to enter the password on the iPhone before the backup begins?

Or maybe TidBITS knows a way to make this requirement go away?

Sincerely,

Lee


Yes. Since 15.7.1 I’m seeing that I have to authenticate my iPhone before it backs up. Even over wifi. 🙄 Hope this will eventually go away again, or at least become a user setting.

Simon,

Thank you. NOT going crazy! I thought I had screwed up some setting therefore getting this alert. It is a PITA as I back up each time I sync.

Thank you again
Lee

Yes, same problem here. I have it set up to sync over wifi when I plug it in before going to bed. That triggers a backup too (as it should).

But now instead of just plugging it in, I also have to authenticate for any of this backing up and syncing to actually take place.

What I find particularly annoying is that it requires me to type in the password even if the iPhone is already “on” (via FaceID auth). I’m already authorized, so why in the heck should I be authenticating again? Ugh. 🤦

If I had known about this change I would have held off on the update. But once again, not a single report on this update I read anywhere online pointed this out. Waiting for those reports to come in was the reason I held off on updating a couple days in the first place despite all the usual “super important security updates, exploits in the wild, update ASAP or your cat will die” drama.

Online reports on these updates have really become mediocre. And this despite all the betas and public betas and yada. Not that good reports would somehow absolve Apple of properly documenting with actual quality release notes in the first place, especially when they feel like changing workflows.

I’m starting to rethink when to update Apple software regardless of what all the “experts” are suggesting. I’m starting to think that unless there is a bug that is a problem to me personally and I have 100% confirmation that the update will remove it, I will not update and risk breaking something else. That does indeed suck because it also means missing security updates. But this combination of Apple not warning about changes in workflow (lack of detailed update description) along with their lately very shoddy software quality control leading to new bugs with nearly every “update” is really starting to get to me.


This sort of thing is super frustrating. We tend to encourage moderately conservative updating practices except when a security fix addresses a vulnerability that’s being exploited in the wild. But if people generally adopt a conservative approach, fewer people will have a chance to discover bugs like this and report them, such that waiting even longer will become necessary for everyone else.

It does seem that connecting iPhones and iPads directly to Macs is becoming an edge case such that Apple isn’t paying as much attention to it. Which is a shame, given that otherwise you pretty much have to pay for iCloud+ storage.

Curious. I updated my iPhone (first 2nd gen SE) and iPad (6th gen) to 15.7.1 a couple of days ago and haven’t been asked to authenticate, even though they’re frequently plugged into my iMac, where I can see them in iTunes (my iMac is still running Mojave), and they back up to iCloud, which they’ve each done at least once. So it’s not universal, but I agree, it would be extremely annoying. I’m glad whatever the bug is skipped me…

This issue pertains to backing up to a Mac, not iCloud. But it’s an iOS issue, not iTunes (interference with iMazing has already been reported).


I can understand being uncomfortable with having your data backed up to the cloud rather than your own device. I agree that Apple should have a larger free iCloud storage tier. However, the cost for 50GB is only $1 per month ($12/year). If you are not using your iCloud storage for other large data sets, your backups should comfortably fit in 50GB. The backup does not include the full contents of your iPhone, but only content that can’t be loaded from other sources. For example, my iPhone claims that it uses about 95GB of internal storage, but the iCloud backup is about 4GB. My iPad using 111GB internally backs up to 14GB.

I use Apple Photo Sharing and Apple Music, so that no photos stored on the device and very little music are directly backed up. If you have a lot of photos or media on your phone that are not otherwise available via Apple Music (not counted as iCloud storage) or Apple iCloud photos (included in your iCloud storage), then your backups will need to include them.


I can see this as a security feature. Malicious USB connections are known to exist - you plug your USB cable into a “charge port” at a public location, and without your being aware, some server at the other end of that port is downloading your phone.

Preventing USB access after the phone has been locked for a few minutes (added many iOS releases ago) was one fix for this. I think blocking backups without authentication is another important step to protect against this, because people often plug into chargers while they are using the phone (in other words, when it is unlocked). So this will mean that something trying to download the phone’s content will cause that popup to appear and (hopefully) you will realize that something strange is going on, allowing you to disconnect before any data has been compromised.

Of course, the real “fix” here is to not plug into a USB port that isn’t connected to a device you control. When on the go, carry a small charger brick and plug into a power outlet instead of into a USB port.


The problem is that this should not pertain to pre-authorized automated backups over WiFi, which is what the reports seem to be indicating is affected.

That is, I have already authorized my iPhone to periodically back up wirelessly to my Mac when they are on the same local WiFi network. The trigger for this backup may be plugging the device in, but the backup doesn’t actually take place over that cable, because the cable isn’t necessarily connected to the Mac that’s authorized.

If I understand the reports correctly, that’s what’s frustrating people here—you shouldn’t have to repeatedly authorize backing up to a known device over a known WiFi network. If the authorization protocol is sufficiently secure, authorizing my iPhone to automatically back up wirelessly to my Mac should be a one-time thing (maybe needing refreshing periodically or if a certain amount of time has passed since the devices last connected), not an every-time necessity.

I can absolutely see requiring authorization for backups over a cable to a not-yet-authorized device—which the existing setup already took care of. This new behavior doesn’t seem to serve any useful purpose, which means it’s most likely a bug, not a feature.

Since my devices back up automatically over WiFi to iMazing daily, whether plugged in or not, I’m not going to move up to 15.7.1. I don’t need that headache. (Both my iPhone and iPad are too old for iOS/iPadOS 16, and I simply can’t afford to replace them right now.)


That’s exactly right.

This has nothing to do with plugging in to some random USB port.

We’re talking about initiating a backup & sync between an already authenticated iPhone and a previously authenticated Mac. And it’s not just affecting USB, it’s wifi too which makes it even more nonsensical.

iMazing posted about the backup passcode prompt issue introduced in iOS/iPadOS 16.1.x and 15.7.1.

Some of their key points:

iOS/iPadOS 16.1.x and 15.7.1 make automatic local backups awkward

While the new security measure Apple introduced is intended to protect user data, it also makes automatic backups less seamless and more disruptive. These obstacles could lead to a reduction in backup frequency, which would actually put user data at risk.

…a better approach to this issue would be to prompt the user for a device passcode before every backup only if backup encryption is disabled

It is our hope that Apple will be listening to the user community on this subject, as backing up iOS and iPadOS devices locally has become more difficult than it should be.

https://imazing.com/blog/ios-backup-passcode-prompt

I find iMazing unusable now because I have to authenticate repeatedly for each backup, presumably because the WiFi connection breaks and has to be re-established.

iMazing published a detailed explanation about the iOS change that now requires authentication for each and every backup (other than those going to iCloud).


I am very surprised that this issue hasn’t got more widespread, general attention, especially as it also affects the latest current iOS 16.1.1. Is it, what, everyone has switched to iCloud for backups? (I note that you can still use iCloud for backup even when syncing media—you don’t have to use both simultaneously.)

It’s already had a long discussion here. Suddenly having to enter passcode when backing up an unlocked iPhone?


Thanks. Yes, I recall seeing that thread when I was looking for discussion about it at the time, but it was already closed (understandably, IMO, since it went a bit off the rails). But I meant in general, i.e. not in the usual Mac circles.

As I think I said in that thread, I saw a few complaints on Reddit. Not many, and not many lately. I really think that almost everyone backs up to iCloud (or, tragically sometimes, doesn’t back up at all, because they don’t want to pay for iCloud storage.) I haven’t backed up to a computer for a few years now.
