Apple Security

For a long time, Apple has not been significantly affected by malicious code. There has not been an I Love You, Code Red, or a Zeus affecting the Apple ecosystem that I can recall. This lack of malicious code epidemic has led many to assume that Macs are more secure than PCs. While I am an Apple fan and a Mac user, I think this attitude is a case of mistaking causation for correlation. While there appears to be a negative correlation between Macs and malicious code compromises, I don’t think the cause is a function of the superior programming and security of the OS X or IOS operating systems.

Next time you’re bored and looking for something to do, head over to your local Apple store and start asking questions about the Mac and OS X. Start asking about the usability of the system and ease your way into some technical questions. Once you are in the throws of the Mac lovefest ask the Genius helping you about the security of the Mac. Chances are that the Genius will tell you the security is not a problem with the Mac and it is inherently more secure than the PC. Wait for the smugness to set in and then tell the Genius that the Mac is not more secure than the PC, it is just more ignored. Ask him about the Pwn2own competitions and he says.

Ask an INFOSEC professional what they think about Security Through Obscurity and you are likely to get a response that includes a deep breath and rolling eyes before they tell you that Security Through Obscurity is not a security strategy and I partially agree.   By itself, Security Through Obscurity is not a reliable means of securing information. However, a robust security strategy is composed of many layers and obscurity is a valid layer in that defense strategy. Apple has proven this over the last twenty-five or so years as the bad guys have focused their attention on the PC world.

The PC world has garnered most of the attention over the last twenty-five years because it has been the most popular operating system by far. And, over the past twenty-five years the world of hacking has evolved from a community of hobbyists exploiting systems for bragging rights to a community of organized criminals exploiting systems to make a profit. The bad guys are now businessmen looking to make their operations as efficient as possible to maximize their profits.

If you can spend 40 hours developing an exploit code for a new software vulnerability affecting 85% of the computers on the Internet running Windows or spend that same 40 hours to exploit the 10% running OS X or IOS, which option makes more business sense? [3]  It seems like a no-brainer to me. Given this operating system distribution, it seems that Apple can continue to rely on Security Through Obscurity for a little while longer. However, that might not be the case for long if they keep up their recent growth trends.  [1] [2]

I think the development that could most significantly impact Apple’s ability to rely on obscurity as a valid layer of defense is the popularity of IOS and its mobile devices and services such as the iPhone, iPad, and iCloud. As they become more popular and widespread and touch more financial transactions the bad guys will start paying more attention. Apple’s share of the mobile market will just draw more attention from the bad guys.

Apple users should consider themselves warned, your days of being ignored are dwindling. Start thinking about how to protect yourselves and your data.  Future blog posts will have some concrete recommendations.

 

REFERENCES

[1]
“Apple Results Strong; Record iPhone, iPad Sales,” National Public Radio, 19-Jul-2011. [Online]. Available: http://www.npr.org/2011/07/19/138523187/apple-results-strong-record-iphone-ipad-sales. [Accessed: 22-Jul-2011].
[2]
JR Smith, “Hackers Set Sitghts on Apple,” AVG Blogs | JR Smith, 12-Jul-2011. [Online]. Available: http://jrsmith.blog.avg.com/2011/07/hackers-set-sights-on-apple.html. [Accessed: 20-Jul-2011].
[3]
“Usage share of operating systems,” Wikipedia, 19-Jul-2011. [Online]. Available: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems. [Accessed: 22-Jul-2011].

4 Comments

 Add your comment
  1. I’m actually shocked iPhones haven’t been targeted more. In my esitmation, cell phone security will be the giant security issue of this upcoming decade. These devices are ubiquitous as computers now and do everything computers do (email, internet, etc.) if not more. I don’t think Apple will have to worry about security from an OSX/Computer perspective–but I fear what sort of horrors will befall cellular devices over the next 10 years.

    • I think you are on the right track with mobile devices. The problem is that people look at an iPhone and see a phone. They fail to realize that the iPhone is a computer with telephony capability. I was listening to a podcast a just after the iPhone 4 came out and one of the participants mentioned that his new iPhone 4 had more computing power on it than the system he used to render graphics for Star Wars Phantom Menace. That reference helps people understand the computing power they hold in their hand.

      While some people might argue with me, I think Apple has a bit of a security advantage in the App Store. I say this because it is a closed ecosystem and Apple is particular about what kind of apps it allows in its ecosystem. This quality of the App Store contents is a part of the Apple brand and I think that allowing a backdoored application into the App Store would seriously tarnish Apple’s brand. This is good because it ties an economic incentive to maintaining a catalog of quality and secure applications. I don’t think this link was intentional on Apple’s part, but it still benefits Apple’s customers none the less.

      I foresee more mobile device and Apple security posts on this blog.

  2. You’re right about the closed ecosystem of the iOS being a significant barrier for viruses and malware. By not trusting the user to install or execute arbitrary binary data, they close the single largest gateway for long-term compromise of a system.

    Even if a malicious application finds its way onto the app store, it will not be able to propagate itself, nor install hidden code that is difficult to remove. Similarly, even buggy apps that can be exploited via buffer-overflow will have insufficient privileges to be confused into installing anything unbeknownst to the user.

    The remaining dangers are vulnerabilities in the iOS kernel and app-store/installation mechanisms. And these hopefully undergo a much higher level of scrutiny than most application software.

    For preventing viruses, and malware, this is a huge win over the standard way of installing a managing software on desktops and laptops – where you’re one “allow admin privileges” click away from handing the keys over to your system.

    Now – temporarily commandeering a system, phishing, and other security issues are all a different story…

    Aaron – you say that some people might argue with you. Have you seen any literature – or are you just covering your butt? To be fair, I haven’t actually worn a white hat in some years, and I might be overlooking something…

    • @Scott – You are right about the IOS kernel and the App Store. I hadn’t really thought about the App Store as a target, but you make a great point. I’ll have to research that further to see how it works and what the vulnerabilities might be. One thought off the top of my head would be to spoof the App Store in a Starbucks or other public wi-fi environment. That would be a pretty involved man-in-the-middle attack, but not impossible. And yes, phishing etc. is a people problem and that is a more challenging fix.

      As for my comment that some might disagree, there is a school of thought out there stating that obscurity is not real security and should not have a place in a formal security strategy. I’ve had some intense conversations on this topic and it is a religious topic from what I can tell. No matter how sound your logic, you can’t talk someone down from a belief they’ve invested in emotionally. BTW, they get really annoyed when you tell them encryption is an obscurity tool.

Leave a Reply

%d bloggers like this: