It’s a huge mistake to remove password prompt for free apps in iOS 6

Tony Bradley
31 July, 2012

According to sources with access to the developer beta of iOS 6, the next version of Apple’s mobile operating system will allow users to download and install free apps without requiring a password. If Apple doesn’t fix that before iOS 6 is officially launched, it will significantly impair the security of iOS devices.

iOS has established a reputation as the more secure mobile platform. The walled garden of the Apple App Store and the scrutiny apps must go through before they’re available provide additional layers of defence lacking in other mobile operating systems.

In this case, though, Apple seems to be choosing functionality and expediency over security. It’s a decision that could come back to haunt Apple and all iOS users.

The decision to remove password authentication from free app downloads is just another example of Apple making consumers responsible for their own security, and that’s always risky at best.

My iPhone and iPad both have passcode protection implemented (as your iOS devices should as well). But, if I do happen to leave my iOS device open or let someone borrow it for some reason, I can at least rest assured that nobody can install any apps on it without my knowledge because doing so requires my Apple ID password.

Generally speaking, the most I really have to worry about is that one of my kids might fill up my iPhone or iPad with a bunch of silly free games. However, the potential exists for much more nefarious activity. For example, someone with access to your device–a jealous lover or stalker–could install a free app like Finder+ that would let him or her monitor and track your whereabouts.

Granted, the app won’t be invisible. You should be able to see the apps that are installed on your device. It is possible, though, for someone to bury the app in a folder where you won’t easily spot it and might not stumble on it for a while.

It also opens the door to more insidious phishing and smishing attacks against iOS devices. An attacker can email or text a link that leads to a malicious app, and as long as it’s free it might be possible to install that app without your knowledge or approval.

Entering the Apple ID password takes five seconds. The decision to remove that crucial element of authentication in the name of convenience is inexcusable and Apple should seriously reconsider.



8 people were compelled to have their say.

  1. David says:

    Really you are that paranoid? I have been using Beta 3 and I love the no password on free apps. When installing updates to existing apps you don’t need to enter your password either. It has always driven me crazy having to enter a password for updates and free apps.

  2. Luke says:

    I’m with the other poster. Typing your password for free apps has always been frustrating. Maybe give password protection as an option for people with kids using their device or whatever, but the default should definitely be no password.

  3. Shyam says:

    I agree with the author. My iPad is personal to me and I do not want anyone installing any apps on the device without my knowledge or approval.

  4. Jamie Skella says:

    The real issue here is that it doesn’t sound like Apple plans on giving users a choice – iOS 6 users will simply not be required to input their Apple ID credentials to download free apps, even if they prefer that.

    If that is the case, the better approach would be to give users the ability to set a preference regarding the need to enter a password to download applications, free and paid.

    Personally, I would like to be given the choice to disable the requirement of password entry for all app downloads even when a purchase is required. I have a top-level lock on my phone and am well aware of what the associated risks would be.

    I simply hate the inconvenience of needing to repetitively punch in my password throughout any given day.

  5. John says:

    Crazy Much??? What’s to stop someone logging in on another Apple ID (one they know the password to) and installing free apps to your device already?? Or paid ones for that matter. You perceiving this as a lack of security is actually just you having a lack of understanding about how iOS works. It doesn’t compromise your security at all.

  6. Will says:

    This is pathetic. If you are that paranoid about someone altering your iPad then you shouldn’t let them use it. This meaning that the lock screen password will keep them out. You can easily delete apps and if they “bury” it in a folder there can’t be that many places to hide that folder. Why are you letting someone who would stalk you use your iPhone anyway?

  7. Eddie says:

    Your statements about Apple’s walled garden of the Apple App Store and a person linking you to a malicious app contradict each other.

    There is no chance for you to accidentally download a malicious app just because there is no longer password protection acting as a confirmation screen of sorts because Apple ideally would not allow such an app into their “walled garden”.

    Furthermore, access by apps to other parts of your phone has been tightened with iOS 6, users now requiring to give permission to apps to gain access to things like Contacts or Photos and even Location Services which shows an icon when being used and can quite easily be turned off or checked what is using Location Services.

    I think it’s a fantastic idea although I am on iOS 6 Beta 3 and am finding that I still have to plug in my password when I am downloading free apps or updating old apps… Maybe there is an option and I did not agree to it.

  8. Dan says:

    I’m with Eddie (above). You can’t compliment the “walled garden” of the Apple app store without contradicting your premise that removing passwords for free apps opens up users to maliciously installed malware.

    Equally, leaving your phone lying around in an unlocked state is probably asking for trouble anyway. The least of your issues would be someone installing apps without permission (versus, say, impersonating you on phone calls, text messages and emails).

    Ironically, the only time I’ve left my phone on my desk unlocked is because I’ve just entered my password to install/update some apps. In that case, the cached password (15 mins, I think?) renders your argument equally invalid.

    This just smells like a cheap shot at Apple because they don’t buy in to your own special brand of paranoia.
