On April Fools’ Day 1976 in Los Altos, California, Steve Jobs and Steve Wozniak started a company that would change the face of computing. Fast forward 40 years and Apple has become synonymous with high-tech products that exude quality.
But alongside its ubiquity amongst users, the company has drawn increasing attention from malicious parties. So, as the Cupertino company approaches middle age, how well have its security practices aged? We asked a number of experts in the field.
‘Until the return of Steve Jobs and the introduction of innovative technology like the iPhone, the Apple Mac was rarely used for business,’ said Thomas Fischer, Principal Threat Researcher at Digital Guardian. ‘This meant it was not a prime target for malicious parties as there was little value to be had in breaking in.’
‘However, Mac-focused malware has been around since as early as 1982. In most cases, the malware had similar mappings to its PC counterparts and some of the same vulnerabilities in Office could be found and leveraged in Macs. In some cases, malware was developed to focus on key Mac technologies like HyperCard.’
‘To say that the threats Apple faces are becoming worse, or that the recent spike in news coverage is a sign of things to come, is almost a fallacy. Threats have been present since the beginning; they just haven’t been the predominant focus.’
‘I remember as far back as the original Apple II having to run anti-malware to scan floppy disks for malicious software. Now that the Mac and iPhone are positioned as a business tool, almost on par with Microsoft, employees are using them to store and access critical company data. This makes the Apple environment an equal target for malicious parties.’
‘Apple has long recognised this threat, especially after the early versions of Apple iOS were ‘jailbroken’ only hours after their release, forcing the company to issue updates.’
All things considered, by far the biggest security accomplishment is Apple’s design process, which ensures that software and hardware have robust security measures built in from the outset.
‘Security has become a core focus in the newer versions of both MacOS and iOS, from sandboxing of applications on MacOS to the built-in encryption across both systems,’ says Fischer.
Michael Hack, SVP EMEA Operations at Ipswitch, argues that Apple’s not ready for a mid-life crisis just yet.
‘With the recent rise in Apple vulnerabilities and malware, it would be easy to think that Apple is experiencing a mid-life crisis – it has even started to get interested in flashy cars,’ he says.
‘However, in its recent clash with the FBI, the company’s stance on creating a backdoor into its OS demonstrates that Apple goes to extreme lengths to make sure that its customers’ data is protected and private. This isn’t exactly a recent development either. Apple added the option to encrypt all of a user’s files back in 2009 with iOS 3.0.’
‘In a recent interview with TIME Magazine, CEO Tim Cook explained that ‘security isn’t just a feature, it’s a base, it’s a fundamental’.’
‘Apple demonstrates this throughout its track history – from the introduction of FileVault in 2003, which allowed users to encrypt their home directory, to the inception of Touch ID (the first fingerprint recognition technology to be fully integrated into an operating system). Ultimately, whilst Apple has seen its fair share of bumps and bruises, it’s well on its way to becoming a secure silver fox.’
Don Green, Mobile Security Manager at WhiteHat Security, argues that security is at the core of Apple’s OS, but apps are weak around the edges.
‘Within the mobile app security space, Apple has come a long way in improving security since the opening of the App Store in July 2008,’ says Green.
‘The company has improved the security of iOS with every update and has continually created and improved tools for developers to code more securely. Notable examples include iOS 6’s implementation of app permissions, which required apps to request permission from the user to access personal information stored on the phone. The iconic Touch ID allows users to securely access their phones and apps without having to type a full username and password.’
‘Unfortunately, the security practices of mobile app developers remain outside the control of Apple. It is here where potential vulnerabilities and issues can be easily introduced.’
‘Even today, developers can find less-than-ideal recommendations on well-known developer forums. In one example, a forum member suggested that storing sensitive information in plaintext on the phone was an acceptable practice.’
‘Apple’s control over the end user is equally weak. Whether through visiting malicious sites, downloading apps from piracy stores, or simply using weak passwords, there are many ways for users to compromise themselves and undermine even the most secure coding practices and operating system.’
Green believes that Apple has made great strides in improving the security of its OS in recent years.
‘In a perfect world,’ he adds, ‘all app developers would be constantly up-to-date with the latest cyber threats and all users would have secure passwords and not visit malicious sites. Unfortunately, all we can do today is to make sure everyone is playing their part to make the mobile app world a little bit safer.’