iOS 17.4 is here with major changes to the iPhone’s app ecosystem in the EU thanks to the Digital Markets Act (DMA). While the large takeaway from the update is compliance with the DMA, Apple is bringing forward a handful of improvements across the board, including a big upgrade to iMessage security.
iMessage PQ3 Protocol
Last month, the company revealed that iMessage will begin receiving a new PQ3 cryptography standard once iOS 17.4 is available to the public. PQ3 aims to thwart future attacks that could one day be facilitated by quantum computers once they become commercially available.
The new PQ3 protocol is the first ever to reach the so-called Level 3 security, surpassing all encryption standards currently available in apps like Signal and WhatsApp. Apple further claims that PQ3 is the strongest encryption protocol in the world on a commercial scale. PQ3 is described as an example of post-quantum cryptography (PQC) protocols, which are defined as the stepping stone for quantum-resilient standards that can run on classical computers today without the need for quantum machines.
PQ3 will start rolling out gradually with iOS 17.4, iPadOS 17.4, watchOS 10.4, and macOS 14.4 updates, which are making their way to the public starting today. All participating parties in a single iMessage chat must be running those updates to take advantage of PQ3. Full support for PQ3 on all iMessage conversations will be completed later this year, presumably with iOS 18.
Stolen Device Protection Improvements
With the iOS 17.3 update, Apple introduced a new Stolen Device Protection tool designed to stop thieves from tampering with stolen iPhone settings if they were able to obtain its passcode. Apple is further improving on this feature with iOS 17.4 thanks to new settings and options included with the new update.
When the feature is enabled, a Face ID or Touch ID scan is required to access sensitive information such as iCloud Keychain passwords, disable Find My’s Lost Mode, perform a factory reset, apply for a new Apple Card, access saved payment cards in Safari, and more. A biometric scan is the only acceptable method to access or change those settings, with no option available to enter the iPhone’s passcode if the biometric scan is unsuccessful.
The feature introduces a one-hour security delay after the biometric scan for more sensitive settings, such as resetting the Apple ID account’s password, turning off Find My, changing saved Face ID and Touch ID scans, changing the iPhone’s passcode, and disabling Stolen Device Protection itself. While the one-hour delay was automatically disabled when changing those settings in a trusted location such as home or work, iOS 17.4 includes a new option to explicitly require the delay even in familiar locations.
Security Bug Fixes
Apple also says that it patched several security bugs with iOS 17.4 and iPadOS 17.4, including two vulnerabilities that may have been exploited by malicious actors.
Kernel
Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved validation.
RTKit
Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved validation.
Apple Security Document for iOS 17.4
Users who wish to download iOS 17.4 and iPadOS 17.4 can do so by navigating to Settings -> General -> Software Update on their iPhones and iPads.
