The latest iOS 17.2 update arrived this week, bringing Contact Key Verification to the public. This feature, announced a year ago, promises to drastically improve the security of your iMessages through two technologies: Key Transparency, and Contact Key Verification. In this post I’ll talk about why this added security matters, what these two new features actually do, and how you can opt in to higher levels of security in iMessage on your phone right now.

Are you looking for a Mastodon instance that's actually fast, reliable, and open for registrations now that Twitter's dead? Feel free to register on https://mstdn.plus, a new, general-purpose Mastodon server on the fediverse 😊

Ok this is big.

Supporting The Fediverse Financially

Seeing a lot of confusion about how people can support the fediverse and who people should donate to. Donate to Mastodon (or whatever project) development? Your admin? Something else? This is what I think would be ideal:

Users should donate to their instance admins, there's often information about supporting your instance on its about page, check it out! Your instance bears the majority of the costs you as a user create day-to-day, so support it directly!

Admins should donate to the development of the project they're hosting, anything they can after expenses, after all your instance wouldn't be around without the software! This is why I sponsor Mastodon's main Patreon myself.

But, when you donate to Mastodon's general Patreon, you're primarily funding mastodon.social's server, not Mastodon development. If you aren't on mastodon.social, that simply isn't the best use of your donations. And absolutely $0 of that will ever go to supporting the instance you use every day.

Of course, give to whoever you want, it's your money, give to both even! But Users > Admins > Developers feels like the most sustainable funding model we should be promoting.

Trickle 👏 UP 👏 economics 👏 baby! 👏

In Defense of Internet Anonymity

In Techlore Talks #4, Henry and I discussed freedom of speech, anonymity on the internet, and the content moderation policies of online platforms. Certainly these are hot topics in this day and age, precisely because there are no clear-cut answers. In the episode, Henry posed the idea of a theoretical platform on the internet with strict identity verification, an idea which I feel has some merit: Anonymity online is too often abused in the modern day by malicious actors to spread disinformation and hateful ideas while skirting any potential consequences. Free speech is not—and has never been—an unlimited protection to say whatever you want, and if you have ever dealt with a hoard of pathetic, Lord of the Flies-esque social media profiles anonymously throwing insults your way, it’s very easy to see the appeal in a community where ideas are verifiably backed by real people.

xkcd: Free Speech

However, anonymity is still a valuable tool. Its value to society is not derived from its protection of ideas, it’s derived from its protection of people. Social media is consistently used by marginalized groups and people living under oppressive regimes to organize things like protests, and governments are increasingly called out on the international stage by their own citizens organizing themselves and posting information online that their governments might not want shared.

While some hateful people abuse anonymity on the internet to avoid the scrutiny of their peers, countless others rely on it to avoid retribution from the powers that be. A proposal requiring ID verification for social media was actually considered by the United Kingdom in 2021, in which the government rightly found that:

[… R]estricting all users’ right to anonymity, by introducing compulsory user verification for social media, could disproportionately impact users who rely on anonymity to protect their identity. These users include young people exploring their gender or sexual identity, whistleblowers, journalists’ sources and victims of abuse. Introducing a new legal requirement, whereby only verified users can access social media, would force these users to disclose their identity and increase a risk of harm to their personal safety.

Identity verification online is just as much a privilege as anonymity. A system in which an ID is required to participate will create a two-class structure in which the only people able to participate in real online discourse are people whose ideas are acceptable to their state and to their immediate peers. Any dissenting opinions would be relegated to the anonymous outskirts of the internet, if such a place existed at all, further isolating them and their ideas until they eventually disappeared.

At the end of the day, identity verification is not the solution to our collective social media woes. The onus of internet moderation should not fall on people and governments policing each other by tracing each online interaction to its original posters. Rather, social media networks need to recognize the power they have in society, and begin investing in actual moderation efforts which can separate the hate and abuse from everything else while remaining respectful of the privacy of their own users. Without anonymity, the way we use and view the internet would be unrecognizably different, and not for the better. It would be a less inclusive system operating under complete authoritarian control, and a place where content platforms like Facebook and Twitter further monetize your personal data under the guise of fighting abuse.

This post was originally posted on Techlore Dispatch on October 30, 2022.

New Privacy and Security Features in macOS Ventura

macOS Ventura was released this week, and the Apple users among us may be interested in the improvements it brings to your personal privacy and security. We always recommend running the most up-to-date version of your operating system available. Updates add privacy and security improvements all the time—and macOS Ventura is no exception. Some notable new additions to the macOS privacy ecosystem include:

Lockdown Mode

Rapid Security Responses

Passkeys

Let’s venture in and see what these updates will mean for you.

Lockdown Mode

Apple’s headline security feature for macOS and iOS this year was Lockdown Mode, a setting which allows you to enable much stricter security protections on your device. Designed for the rare few who are actively targeted by cyberattacks, Lockdown Mode still received widespread attention in the privacy and security space as an important attack surface reduction tool.

Enabling Lockdown Mode can be done easily in the System Settings app:

Click Privacy & Security in the sidebar.

Scroll down to Lockdown Mode and click Turn On.

Click Turn On & Restart to restart your device in Lockdown Mode.

Lockdown Mode needs to be enabled separately on each device. Lockdown Mode changes your device’s behavior significantly in a number of ways. Its worth trying for yourself to see if it impacts your everyday usage. There is little downside to enabling it as its impact to most features is relatively minor in day-to-day use.

Safari

Enabling Lockdown Mode disables a number of “complex web technologies”. These can impact your device’s browsing performance and battery efficiency, in some cases to a significant degree. The changes to Safari include:

JavaScript’s Just-in-Time (JIT) compilation features are disabled. JIT allows JavaScript code to be compiled on the fly during its execution. Disabling JIT shows performance decreases by up to 95% in some browser benchmarks, though this difference is difficult to notice in everyday browsing. Unfortunately, the added performance and complexity of JIT in JavaScript comes with a significant security cost. An analysis conducted by Mozilla indicates that over half of Chrome exploits “in the wild” abused a JIT bug, so disabling JIT can roughly cut your attack surface in half.

WebAssembly (WASM) support is also disabled. WASM was created to allow for high-performance applications on web pages; however, it can be used to fingerprint browsers to track people across websites and apps.

JPEG 2000 support is disabled. Safari is the only modern browser to support the JPEG 2000 image format, which makes its support an easy way to identify Safari users.

PDF previews are disabled. The PDF format has historically been subject to a number of exploits; this change means that PDF files will be downloaded and have to be opened in a dedicated PDF previewing app instead.

Other technologies that were disabled include WebGL, MathML, Gamepad API, Web Audio API, RTCDataChannel, and SVG Fonts. Additionally, many other external web fonts are disabled, limiting websites to only the fonts pre-installed on the device. This notably breaks a lot of icons on various websites, which are often replaced by an empty square.

Luckily, Lockdown Mode can be disabled on a per-site basis on Safari, so none of these issues should prevent you from enabling Lockdown Mode on your device. If you encounter a trusted website which breaks with Lockdown Mode enabled, you can easily add an exception for that website while keeping the rest of Lockdown Mode’s protections intact.

Apple Services

Lockdown Mode also changes the way a number of different Apple services are used on your device.

Messages: Most message attachments are blocked, besides certain image, video, and audio attachments. This includes most iMessage “apps” such as in-conversation games. Link previews are also disabled.

FaceTime: Incoming calls are blocked, unless you have previously called that person or contact. This is likely in response to past FaceTime bugs, such as the exploit in 2019 which allowed an attacker to listen in on your microphone before you picked up the call.

Photos: The new Shared Albums functionality in iCloud Photos is blocked, and invitations are automatically rejected. Shared Albums do still work on any devices without Lockdown Mode enabled.

In addition to these, other Apple services like Home will reject incoming invitations unless you have previously interacted with the sender.

Device Changes

Some other device functionality is limited with Lockdown Mode enabled as well. If you have a Mac with Apple Silicon, connected devices or accessories are not allowed to connect unless your Mac is unlocked and explicit approval of the device is given. Configuration profiles can no longer be installed either, and the ability to enroll in a Mobile Device Management (MDM) system is disabled. These are enterprise management features, which are occasionally abused to control or monitor devices.

Passkeys

Passkeys are likely to be the most impactful new feature for the everyday person’s security practices. Passkeys are a cross-platform standard supported by Google, Apple, and Microsoft. Based on the FIDO2 standard, passkeys are the first real effort to replace passwords as your primary mode of authentication.

Using a passkey stored on your phone is supported by most browsers in macOS, but only Safari currently allows you to use a passkey stored on your Mac. Passkeys generated on your iPhone or Mac are stored in iCloud Keychain, which is end-to-end encrypted with your phone or computer’s lock screen password. In Safari, passkeys are replacing the single-device WebAuthn registration, which allowed you to use your computer as a hardware key with Touch ID.

The benefits of passkeys are fairly limited at the moment, until more services support the standard for primary or multi-factor authentication.

Rapid Security Responses

Alongside iOS 16, Apple is introducing Rapid Security Responses (RSR) to macOS Ventura. RSR allows Apple to ship small security fixes on the fly much faster than before.

Previously, releasing even a small security patch meant Apple had to release a huge multi-gigabyte update package. This was required to preserve the system’s cryptographic integrity, following changes to how the system volume is handled in macOS Big Sur. With RSR, updates are much smaller, so patches can be downloaded much faster and applied more reliably.

RSR patches are applied immediately. However, they are tied to the macOS minor version they are released with, meaning you need to be on the latest available macOS update to receive them: they are not a replacement for regular updates.

What remains to be seen is which security patches will be released via RSR as opposed to standard security updates. More severe bugs, including Mach zone memory leaks and bugs which could cause kernel panics, are still likely to require a formal macOS update rather than a quick patch.

Gatekeeper Changes

Gatekeeper is Apple’s primary approach to handling malware on macOS, which has historically operated as a “scan at launch” feature for newly downloaded apps. In macOS Ventura, Gatekeeper has been updated to run signature and notarization checks upon every launch of an application, as opposed to just the first launch. This should improve its malware scanning capabilities, but could potentially cause problems with apps which update themselves. This practice is common with apps distributed outside the App Store, and could lead to discrepancies between the app’s code signature and actual content.

A Bug with Malware Scanners and Monitoring Tools

WIRED reported that a bug in the initial release of macOS Ventura cuts off third-party security products like BlockBlock from Objective-See from the access they need to perform system scans. There is a workaround to fix this access, so if you use tools like these you should manually check your security app to make sure it is working as intended. Apple should fix this problem in the next system update.

Final Thoughts

If you are a Mac user, macOS Ventura brings a lot of new security and privacy features to the table. We recommend upgrading to macOS Ventura as soon as possible (I already have). We’ll continue to keep an eye on how security features like these are used and improved in the future, on Apple platforms and beyond.

This post was originally published on the Privacy Guides blog.

The Trouble with VPN and Privacy Review Sites

There’s a massive problem in the privacy world. Websites, social media accounts, and other platforms are constantly popping up out of nowhere, telling you to buy The Greatest Service Ever in order to solve all your privacy woes, whatever that may be. These websites often employ marketing teams to make sure their “reviews” are what you see first when you begin your research. Some of them are even operated by VPN providers themselves, operating under anonymous business entities to hide their bias, or doing it right out in the open, hoping you’ll mistake their advertising-filled press releases and blogs as insider knowledge of the VPN space.

When a seemingly “unbiased review” on a site is merely a paid advertisement in disguise, that website is breaking their reader’s trust. From a consumer’s point of view, affiliate marketing and other paid promotional techniques like this make it near impossible to know when a review is genuine or not.

This isn’t going to be a lengthy blog post on advertising being bad, far from it. In fact, many of the VPN providers we recommend on Privacy Guides engage in responsible advertising across various platforms. The key is transparency: Their advertisements should look like advertisements, and nothing else.

I’m really looking to take the time here and identify “the bad” sites and resources that use these techniques to profit off a community just looking for reliable answers. Lots of sites like these will claim they’re acting in your best interest, but they’re just here to make money.

One common thing I’ll see on these sites is a ranked list of providers that are ostensibly the best ones to choose from. These sites have supposedly done all the work for you, so you can just click and go, assured you’re making the right choices.

So here’s my issue with ranking VPN providers: Let’s face it, VPN providers are all offering the same service, and they will either protect your information or they won’t. Ranking providers like this only serves as an easy way to guide users to a certain choice (in this case, the choice that will make the reviewers the most money).

Let’s look at one of these “review” sites for example, which will go unnamed for the purposes of this article. On their homepage they prominently list 10 providers as the “best” VPN services, in this order:

NordVPN

Surfshark

ExpressVPN

PerfectPrivacy

IPVanish

Mullvad

CyberGhost

Trust.Zone

ibVPN

Private Internet Access

To their credit, this review site also helpfully included an advertising disclosure in their footer. On this fairly well hidden away page, they note that they participate in affiliate programs from 8 providers, as follows:

NordVPN

SurfShark

ExpressVPN

Perfect-Privacy

IPVanish

CyberGhost

Trust.Zone

Private Internet Access

Hmm. Look familiar? Of the 73 providers this site had reviewed at the time of writing this article, all eight of the VPN providers paying this review site happened to make their top 10 recommendations. In fact, you’d have to scroll down to #6 before you found a provider that wouldn’t pay them, practically buried.

Furthermore, their list includes NordVPN, a company notable for not disclosing security breaches in a timely fashion, and ExpressVPN, a provider notable for using weak 1024-bit encryption keys to protect their users. By any objective standard, these providers do not deserve to be included in a top 10 recommendations list for securing anybody’s information. This review site in particular claims to have set criteria for their recommendations, but this just demonstrates that any criteria can be adjusted to fit any goal you may have.

If these sites truly wanted to be helpful, they would consolidate all the relevant information and present it to their users without making the choice for them. A provider is going to be better or worse for every user depending on their particular situation, and encouraging making an informed choice between options presented equally is far more beneficial to putting one over the other in a largely arbitrary fashion.

These read like advertisements, because they usually are. Once again we see the usual suspects �� NordVPN, ExpressVPN… — paraded as the gold standard in the VPN space, not out of any inherent value, but based on the value of their affiliate programs. To further this point, let’s take a look at how much each of the five providers above will pay you for a referral (on a one-month plan).

ExpressVPN: $13 for first month

NordVPN: $11.95 for first month

VPNArea: $4.95 for first month

VPN.ac: $2.90 for first month

Unfortunately, Perfect Privacy would not share their commission rates publicly, but if anyone has any information on that I’d be happy to receive it. What I will say is that based on the information above, I would not be surprised if it fell right between ExpressVPN and NordVPN’s rates. Their one-month plan costs $12.99, so assuming a 100% match on the first month (the standard from NordVPN and ExpressVPN) that would add up quite nicely.

Once again, we see a lineup of providers ordered in a way that conveniently pays the most to the website owner. And therein lies the issue with affiliate programs. Once you begin receiving financial compensation on a per-signup basis, you are now motivated to push the most users to the sites that pay more on a monthly basis, rather than the sites that will actually help the user.

Occasionally, these recommendations are coupled with a “review” that is supposedly independent and unbiased, but in reality are simply more marketing tools to persuade you towards their opinions. In most cases, these reviewers will simply copy the VPN provider’s own press releases and even media, presenting their advertising as fact to their readers. These reviews are always hidden away as well, with main navigation links directing users towards the more affiliate-link-laden lists and tables that they’d much rather you browse. The true value of these review articles is the Search Engine Optimization (SEO) advantage they bring in the rankings on Google, and not much more. More traffic = More clicks, at the expense of good, independent content and integrity.

Originally, this article contained a section about how ‘ThatOnePrivacySite’ was the last bastion of a hope in the VPN review world. However, that has since sold out to ‘Safety Detectives’, a site guilty of using all the affiliate tricks mentioned above. Goes to show, eh?

At Privacy Guides, we’ve developed a set list of criteria, and we make that abundantly clear when you read our list of recommended VPN providers. We also refrain from using affiliate links. As we’ve discussed, they are fundamentally flawed ways to market a service, and using them would break the trust our community has in our recommendations.

We do have a sponsorship program, but all of our finances are handled in an incredibly transparent fashion. As a non-profit organization, the funding we receive cannot be used for private profit, and our community can see both where we receive money from and how it is being spent thanks to Open Collective. Additionally, the recommendations on our site are handled by an entirely separate team of editors and contributors than the administrative team such as myself that handles the sponsorships and finances. The editors have sole control over our recommendations and operate entirely independently and on a volunteer-basis to ensure the choices we make are for the benefit of the privacy community over one individual.

Ultimately, as a matter of policy our sponsors have no say over our recommendations, or whether they are recommended or a competitor is removed. We have given our community vast access to our website and internal workings to keep us in check and ensure we’re staying true to our word. This separation of management and editors is a strategy that has served the media industry well for decades, and makes all of our team and organization a more credible and trustworthy source of information.

Summary

We have a lot of points we want to get across. The current landscape of privacy reviewers and “experts” weighing in on topics regarding the very companies that pay for their reviews is morally reprehensible, and just another way for big tech companies to collect all of our data more easily.

Review sites should make it abundantly clear when their reviews are paid for by the VPN companies in any fashion, whether that be via affiliate programs or good old-fashioned sponsorships. This can’t be via a hidden-away disclosure in the footer or not published at all, but clear and close in proximity to the claims published on their site. Customers are not expecting or seeking out these disclosures when they visit review sites, and can’t be expected to immediately discern whether you’re speaking from a place of unbiased fact, or from a place with the greatest financial incentive. Better yet, they should reconsider their entire business model. Our site is based solely on a community donation model that still keeps us sustained. It’s the more difficult way to build a site to be sure, actually working to gain the trust of a huge community, but the difference in quality and integrity is remarkable.

VPN providers should consider spending less money on paid reviews, and more money on securing and validating their infrastructure. Regular security audits are one fantastic way for companies to demonstrate their dedication to keeping their users secure. We strongly believe VPN services should consider our criteria, especially in regard to the ownership of their organization. Your VPN provider should not be hiding away in Panama controlled by anonymous leadership. While you as a user deserve privacy, transparency should be required of providers if you are expected to trust them. I would not give my money to some anonymous overseas investor, why would I give all of my internet traffic to some anonymous overseas administrator?

Finally, when you’re choosing a VPN provider, do your own research. Understand what a VPN actually does for you. Understand what it is a security audit proves, find out who owns and operates the VPN service you want to use, and make sure their policies and technologies reflect your values. Ultimately gathering the information yourself and making an informed decision is the only way to make sure your privacy is being respected.

Thoughts on Apple’s Independent Repair Program

I can honestly say I didn’t see this coming. On August 29th, 2019, Apple announced they would begin not only selling original OEM parts to independent repair businesses, but also provide them with the tools, guides, training, and diagnostics required to complete repairs on out of warranty iPhones. This is great news.

It’s a surprising turn of events from a company that has spent years lobbying against Right to Repair bills across the nation. These steps might be a sign that Apple is listening to the demands and reality of their customers, namely more local and (relatively) inexpensive repairs for their products. Even in the United States, the existing network of Apple Stores and Apple Authorized Service Providers is extremely lacking, especially for those outside major city-centers. Internationally the situation is almost laughable, with people of many countries not having access to official Apple Stores at all. Granting independent repair providers access to original Apple parts and tools will mean that iPhone users in need of repair service will have more options at their disposal outside of paying exorbitant fees for Apple’s out-of-warranty repairs.

Program Information

How this program works appears fairly simple. Repair shops with an Apple Certified Technician can apply to join for free. Once approved by Apple, they supposedly “can gain access to Apple genuine parts, tools, training, service guides, diagnostics and resources” needed to complete a variety of repairs on out-of-warranty iPhone models. While detailed information is still lacking at this time, presumably this will allow independent providers to finally overcome longstanding issues in the repair community, such as Touch ID replacement, unverified batteries displaying warnings, missing True Tone capabilities after a repair, and other issues arising from using non-genuine parts.

Independent shops will still not be “authorized” by Apple to complete warranty repairs, nor will their technicians be reimbursed by Apple for their time and labor in the same way Apple Authorized Service Providers are. I would imagine independent shops also won’t be advertised on Apple’s store locator to those seeking iPhone repairs. These are small differences between this program and the AASP program, but they shouldn’t be overlooked.

Part Availability and Cost

Because this program is so new not much information is known about the parts that will be available to order, the tools that will be available, et cetera. However, an article issued to current AASPs was leaked, detailing some possible information for us to look through. Notably, pricing for some parts was included in the document, including “exchange” pricing and “stock” pricing. Exchange pricing is the price a shop will pay for parts if they return the old/damaged part to Apple. Stock pricing is the price you would pay for the part otherwise.

There are some concerns I have with this pricing. Battery exchange pricing to me seems very reasonable for original quality parts. For some reference, aftermarket batteries for most iPhones currently costs repair shops $7-$15 per battery, which is cheaper than the pricing Apple will supposedly provide. However, paying a premium for very high quality batteries that won’t display “Service” warnings is a cost most shop owners and customers will likely be willing to pay.

The screen pricing on the other hand seems completely unreasonable, and in some cases the part itself appears to be more expensive than Apple’s own out-of-warranty screen replacement costs. A high quality aftermarket screen for the iPhone 8 runs current shop owners around $20. $156 for an original screen is going to be a hard sell for many shops, especially because that price doesn’t factor in the shop’s labor and markups. I can see this pricing being worth the cost in a few circumstances. Situations where Touch ID or Face ID components are damaged may warrant the additional cost for a new display and Touch ID pairing. Other than that however, I don’t see many shops going with these screens as their main offering.

The pricing outlined in this document is mostly speculative at this point until we see some more concrete information. Other leaked Apple service documents start battery pricing at around $16 for example, and cap screen pricing at around $350 rather than the $417.47 quoted above. However, I wouldn’t expect it to vary dramatically from this table. The parts sold through this program will likely be at a significant premium compared to the aftermarket pricing independent shops are used to, and when it comes down to it they likely won’t make sense for many repairs. Owners of devices more than a few years old will be most motivated by price, and when given the option between an original Apple screen or an aftermarket screen that will provide 95% of the quality for less than a third of the cost, likely won’t be choosing Apple’s parts.

Luckily, this program will not prevent independent shop owners from offering that option to their customers. Shops will still be able to offer non-genuine parts from other vendors even if they join this program, so at the very least Apple’s initiative will merely give customers more options, even if it isn’t fully utilized.

Outside of screens and batteries, we don’t know what parts will be available to independent shops through this program. Apple claims that independent shops will have access to the same parts available to AASPs, but the reality of the situation is that AASPs don’t actually have access to a whole lot. Today, AASPs are essentially a glorified shipping center for Apple, sending devices that need anything more than a simple screen replacement to a centralized facility. In some cases they are forced to replace devices completely, even when independent shops would find the problem an easy fix.

Certification

Another aspect of this program that will likely be of interest to third-party repair shops is the certification process. Any technician ordering and replacing parts as a part of this program will be required to become an Apple Certified iOS Technician. This certification consists of two exams: the “Apple Service Fundamentals Exam (SVC-19A)” and the “ACiT 2019 iOS Service Certification Exam (iOS-19A)”.

These exams are $20 each and are administered online (not proctored in a testing location). They are 70 questions each and they are open resource, so you can use online resources to help you answer questions, however you only get 2 hours to complete the exam, so researching every question isn’t feasible. You need 80% on each exam to pass, and once you pass both you will be certified. As a part of this Independent Repair Provider Program, Apple will waive the fees on these exams after your business is accepted.

Training courses for these exams can be purchased by anybody from Apple for $299 through a product on their store, “AppleCare Technician Training”. It is unclear at this time whether Apple will provide this training to IRP Program members after they are accepted. I would assume it will not be provided for free, but shop owners should apply to the program first to see if it is. If I find anything out about it I will update this post.

The SVC-19A exam contains all the basic knowledge Apple expects technicians to know. Topics include:

Customer Experience: These are skills you would use to interact with customers, gather information, explain technical concepts to customers, etc.

ESD Precautions: You will need to know the specific precautions Apple recommends taking to prevent ESD damage, identify the effects of ESD damage, and identify common myths regarding ESD.

Safety: You will need to identify safety precautions and policies Apple technicians must adhere to, demonstrate how to handle batteries safely, and respond to battery damage events.

Troubleshooting: You will need to identify the different stages of troubleshooting, demonstrate deductive reasoning skills, and show how to use “smart questioning techniques and first-level evaluation and isolation skills to identify issues as being generally hardware-based, software-based, educational, or environmental in nature”

Product Knowledge: This section is mostly software related and will have you demonstrate how to do basic tasks in macOS and iOS, like running backups, finding menus, etc.

Two topics in particular, ESD Precautions and Safety, should be carefully studied. If you get more than two questions wrong in either category you will fail the entire examination regardless of your overall score. I would flag any question mentioning “ESD”, “safety”, or “batteries” during the test, and revisit them at the end of the exam. The exam is open resource so I would highly recommend researching the answers for each of these questions even if you think you know the answers, to make sure there are no mistakes in those sections.

The “iOS” related exam, iOS-19A covers a wide variety of iPhone related topics, including software and hardware repairs. This exam consists of 41 questions on troubleshooting again, this time with more of an emphasis on specific iOS and iPhone issues. It also contains 29 questions on servicing iPhone, including identifying “the correct specialized tools, fixtures, and procedures required to service” specific iPhone models.

Out of the two exams I would say the second iOS examination would be difficult for even experienced technicians to pass without any AppleCare Technician Training beforehand. The Service Fundamentals exam was largely common-sense or knowing basic tasks, but the iOS examination contains many questions related to Apple specific tools and procedures. You need to know things like the color of the screwdrivers they use on certain phones to the icons on the repair trays they use to remove displays.

And unlike the Apple Certified Macintosh Technician exams — the training materials of which have been copied and reproduced on a variety of websites over the years — the iOS test is much newer and contains many questions with answers simply not available to the public. Luckily, the examinations are only $20 each — pocket change compared to other industry certifications — and can be taken an unlimited amount of times, so it may be worth taking one as a sort of “practice” to get a feel of the tests.

Overall, this certification process makes sense for the program. Some shop owners may think of the process as unnecessary because their technicians already perform these tasks on a daily basis, but from Apple’s perspective the ability to weed out inexperienced businesses will allow them to assure a quality experience for even out-of-warranty customers and deal with less warranty issues with their parts. Many of the warranty returns part providers currently deal with are from inexperienced individuals not completing a repair properly or not using the correct tools or parts for the job. This certification at the very least demonstrates to Apple that you are less likely to file too many warranty claims through this service.

Final Thoughts

This program isn’t the perfect solution we’re looking for. It only covers certain iPhone models — no mention of iPads or their line of computers! — and only certain parts. But this program comes with the admission that perhaps the “regular” shops and people are indeed capable of repairing Apple’s products, and it’s an important step in the right direction. Rather than criticizing Apple for the small flaws in this program, we should be congratulating them on this step towards a more comprehensive repair program. Encouraging this behavior from big businesses like Apple will make it more likely that programs like this will be introduced and expanded in the future.

As it stands, only a few established businesses will be eligible for this program. Individual users and smaller businesses looking to repair phones with original parts will still have to look elsewhere. But hopefully this program will extend to everybody else in the future, and we’ll see more repair-friendly solutions from Apple in the product announcements to come.

I am not yet a part of this program, so I don’t have any other “insider” information on this new service, this is all just based on information currently available to the public and information made avaliable to me as I went through the certification process. I did just recently become an Apple Certified Macintosh and iOS Technician in order to apply for this program, so I’ll be hopefully finding out more information in the future. I’ll have to wait and see what NDAs apply before considering an update at that time 🙂