iOS 16.1 requiring passcode EVERY time a backup/sync is initiated

Apple generally doesn’t make security optional.

Here is the identified vulnerability:

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later

Impact: An app may be able to access iOS backups

Description: A permissions issue was addressed with additional restrictions. 

CVE-2022-32929: Csaba Fitzl (@theevilbit) of Offensive Security

Apple does not include details to prevent hackers from using it as a recipe to hack devices that haven’t been updated, but the details on how to take advantage of this vulnerability are widely available on the web, published by the discoverer of this vulnerability. And they’re scary; it’s very easy if a hacker has access to your computer. And most hacks of computers are undetectable to the user. You can find the full report on github if you know how to access it.

This is a new security measure. Investigators found that a hacker who had access to the computer used for backing up an iOS device could force a backup to an unprotected location on the computer, where it could then be downloaded and its contents compromised. So the “trust” requirement was added to verify that the phone’s owner was initiating the backup.

I never said they were infallible. I have reported why they made the change. You are certainly free to believe they shouldn’t have added this protection to your phone’s data, but you would have to take that up with Apple, not with other users in this user-to-user forum.

If you want details of the vulnerability you can find them in these two links:

• From the discoverer of the vulnerability→CVE-2022-32929 - Bypass iOS backup's TCC protection · theevilbit blog
• From a disinterested 3rd party→iOS Backup Passcode Prompt-iMazing

Both the discoverer of the vulnerability and the security team at iMazing believes that the change was needed (as do several other cybersecurity specialists).

You can certainly argue that these experts are over-reacting.

I can confirm that I am experiencing the same issue with iOS16.1 and macOS Ventura. My opinion is that this cannot be a feature. I believe that it is a bug. What I have done, and I encourage you to do the same, is to leave a direct product feedback to Apple here 👉  Product Feedback - Apple 

Axel F.

IPhone 13 Pro:

• Did a reset of the iPhone
• Both mine computer and iPhone are trusted
• However when I connect the iPhone each time I must trust the computer again on the iPhone with a passcode.

This started after the Ventura upgrade, but still happens.

Also provided feedback to Apple.

Stealth43 wrote:

Apple is not the customer though, I am. Breaking/regressing your product because of edge case hypotheticals is frankly cowardice. And as we keep *repeatedly* stating to you, there is an option C, which Apple could have easily implemented.

It is not “hypothetical” - it is a REAL vulnerability that has been demonstrated. And there is no point in discussing what Apple could have done. And how do you know Apple could “easily” have implemented it? What they did was a quick solution that would be highly unlikely to break something else; it was just changing a flag that says the iPhone is trusted. Anything more complicated would have required more significant changes that would have had to be extensively tested, to avoid introducing an undesirable side affect that could break some number of the 2 billion iOS devices in use. It would have taken weeks, or longer before a more robust solution was deemed safe to deploy, and once a vulnerability is public it must be fixed immediately, or hackers are certain to exploit it. I have confidence that Apple is working on a more user-friendly solution, but addressing this vulnerability could not wait.

I dont think it is Ventura - this only started happening for me on ios 16.1 and I am using a windows 10 computer with iTunes .. I don't own a Mac.

Stealth43 wrote:

If a hacker has access to my computer Im already hosed, this does nothing to solve anything. Apple screwing users because of (extremely unlikely) edge cases without giving us a way to turn this off is, in the words of one wise former Apple employee "user hostile, and stupid."

Also this sort of user hostile decision making on Apple's part is why more and more of us are gunshy about updating. This is regressive behavior.

Yet you would almost certainly sue Apple if your identity was stolen because they had not performed due diligence to protect your data from a known vulnerability.

Still happens after the latest Ventura and IOS update.

Personally I think that Ventura is to "blame". This started to happen after the first version of the Ventura update.

Please Apple fix this, I am disabled and this is getting pretty annoying.

Well at the very least Apple could give us an option to turn on or off this "security feature". My guess is they may want to push people towards Icloud backups for the revenue .. wouldn't put it past them after the battery fiasco (until they were caught and forced to offer battery replacements and did it for a reduced cost initially).

I am very careful about what I put on my computer so I find it frustrating that every time I sync my Iphone now it prompts me (and some times it doesn't prompt like this morning where I was forced to close iTunes and reopen it then initiate a sync again and that time it did prompt me).

Thx for the explanation, but I am disabled, and this takes extra time, and I make errors. Rather would have this disabled, and that Hacker needs access to my computer, I can guarantee that won't happen. your explanation is appreciated.

If a hacker has access to my computer Im already hosed, this does nothing to solve anything. Apple screwing users because of (extremely unlikely) edge cases without giving us a way to turn this off is, in the words of one wise former Apple employee "user hostile, and stupid."

Also this sort of user hostile decision making on Apple's part is why more and more of us are gunshy about updating. This is regressive behavior.

This is a badly thought out comment, and I encourage you to do better. I personally am not litigious and have a dislike of the legal system, but perhaps you're projecting? In any case, you dont speak for me guy. Im a 30+ year Apple user.

In any case, as Numbr007 alludes to, this could have been implemented in a far less ham handed fashion, but unfortunately this sort of move is entirely on brand for Apple lately.