Has Apple Gotten Religion on Software Security?

Information security is an unpredictable, fluid discipline. There are very few absolute truths, but for the last few years, one of those has been that Apple isn’t paying much attention to software security. At least that’s the received wisdom.

This theory is based mainly on the fact that security researchers have been breaking OS X, Safari and the iPhone OS on a regular basis. Thanks to incomplete or nonexistent implementations of memory protections such as data execution prevention (DEP) and address space layout randomization (ASLR), researchers have found a number of innovative techniques for exploiting Apple’s flagship products. None of this is much different from what’s been said about Microsoft’s software in the past, or even now, for that matter. Researchers continue to find serious weaknesses in Windows, Internet Explorer and Office on a monthly basis, and attackers continue to exploit those vulnerabilities.

The difference, however, is that we have a pretty good idea what Microsoft is doing to correct those problems. The company has been very public about its software security program, to the point of publishing its threat modeling process and tools and exporting the program to its partners and other third parties. Its executives and internal security experts such as Michael Howard and Adam Shostack talk openly about the specifics of the Trustworthy Computing effort, its limitations and even its failures.

This has had an undeniably positive effect on both the security of Microsoft’s products and its public image among security researchers and customers.

Apple, on the other hand, is a black box. Its employees say virtually nothing of consequence about security, the development process in general or the security response process. Security researchers say dealing with the company can be an incredibly frustrating experience, a one-way street leading to Cupertino. But that’s nothing new for Apple; that’s essentially how the company conducts business in general, not just in the security world.

Last year, I wrote a column asking where Apple’s version of Trustworthy Computing was. Since then, little has changed in the company’s public stance. Silence is still the order of the day, and that’s the main problem. Apple could have an extensive software security program in place, with advanced training and development methodologies. But we have no way of knowing. This isn’t to say that Apple needs to give up intimate details of its efforts the way that Microsoft has, because that’s clearly never going to happen. But the company is doing a disservice to its customers as well as itself by not speaking publicly at all about this problem.

The one sign of hope in all of this is Apple’s recent hiring of Window Snyder, the former head of security at Mozilla and an alumna of Microsoft’s security organization. Snyder was deeply involved in the Trustworthy Computing program, which, while by no means perfect, has made a major difference in the security and reliability of Microsoft’s products. She also was instrumental in making Mozilla more open and communicative about its security practices, bringing in the concept of threat modeling, as well.

But, Apple has said nothing about what Snyder will be doing. The likeliest scenario is that she was hired to put together a software security program and stop the flood of bad PR. Apple is among the more image-conscious companies on the planet, and while the vast majority of its customer base is in the consumer sector, the iPhone has made serious inroads in the enterprise and Apple’s executives can’t like seeing a constant stream of stories about new attacks on the iPhone and Mac.

So this may be the beginning of a new day for software security at Apple. Or not. It’s Apple, so there’s no telling. We may not know until a year or two or three from now when the company puts out a new version of OS X or the iPhone OS and the attackers and researchers and pen testers take their runs at it and find the game has changed.

But until then, you want it to be one way, but it’s the other way.

  • Rob on

    Whatever happened to the MAC implementation that they were promising? I was really hoping for an implementation that the average user could use.



  • Anonymous on

    "Snyder was deeply involved in the Trustworthy Computing program..."

    Um, would that be Microsoft's Trustworthy Computing program? We all know how roaringly successful that was. /sarc

  • Josh on

    The problem is that there are some security actions that Infinity Loop broadcasts.  For example, they had been advising that consumers run some form of antivirus or antimalware solution, but as soon as that got traction in the news such recommendations were removed.  It was more important to maintain image rather than give sound advice to customers, especially as Apple malware is slowly increasing in numbers. Given their worldwide low market share it will always be economically advantageous to favor Windows over Mac when writing malware, but the untapped market of victims does attract a few authors each year, and the number is increasing.  Decisions like that, where they actively encourage suppressing sound advice to maintain the marketing message of their annoying "I'm a Mac" ads, do suggest that there is much they hold more important than security still.  Or perhaps Steve Jobs really does believe their product is bulletproof and that no third-party products (cough*adobe*cough) can be exploited on their platform.  Of course the irony to their whole campaign about PC malware is that QuickTime is one of the most exploited 3rd-party apps in Windows - they are actually helping manufacture the criticism of their competitor.


    > "Um, would that be Microsoft's Trustworthy Computing program? We all know how roaringly successful that was."

    More successful than any other security initiative in the commercial space.  Vulnerabilities will never be entirely eliminated in any piece of software and even as MS closes their holes the fact that 3rd party apps can also be exploited (specifically Acrobat, Flash, Quicktime and the Sun JVM, since they are more common attack vectors than any MS product these days) means the platform will never be locked down.  Even in a completely walled garden environment like the iPhone there are apps that have been yanked from the store because they were essentially malware; Apple controls both the platform and the distribution method and has not avoided incident.  

    With regards to MS, every iteration of their OS has been substantially more secure than previous iterations, and every iteration of their browser has a similar trend.  SQL Server has had so few vulnerabilities discovered that security researchers feel it is a waste of their time to look (seriously, look up quotes from David Litchfield, one of the foremost DB security researchers - he still routinely breaks Oracle but has given up looking for SQL Server vulnerabilities because he can't find them).  If you look at its vulnerability numbers in the NIST NVD or a similar vulnerability tracker there are almost none in the current version, single digits for the life of the product.  There is a similar night-and-day comparison in vulnerabilities between the .Net Framework and Sun JVM, between WMP and QuickTime, Office and OpenOffice (seriously OO, macro vulnerabilities in 2009?), Hotmail and Gmail (woot, more Google Gadget XSS), etc.  


    It isn't 2001 anymore, and you shouldn't rely on Apple to inform you about their competitor's security, especially when the security of QuickTime, iTunes, and Safari is among the worst in the industry.  What Apple has is less risk, since risk is the product of likelihood and impact, and the likelihood of attack on the Apple platform is much less.  What they don't have is security, which is a measure of vulnerabilities rather than risk, and they are producing those in spades.