About Apple security

A lot has been said about Apple and their attitude towards security these past few days. They should have done this, they should have released that etc. And I agree with most of it and have even made similar claims. Apple has a long history of not dealing with security related issues in a timely manner. It took Apple 3+ years to fix a vulnerability exploited by FinFisher, it took Apple several months to fix a Java vulnerability even after Oracle had released a patch and now it took Apple 4 days to fix an SSL vulnerability (and this vulnerable code has been in the wild for months). There are quite a few security issues that never make the news because we don’t know about them until they are addressed or because their importance is downplayed. Updates to OS X’s XProtect to block certain malware that take much longer than they should are just another example.

Apple has the resources to be amazing at security if they wanted to be so why aren’t they? Some blame the secrecy, others blame pride, I think it’s a combination. I think Apple loves the reputation it’s OS has as being super secure and invulnerable to viruses and will play that card as long as they can. Even if this reputation is based on outdated notions. Believe me when I say I love Apple and Apple products but I do not suffer from the tunnel vision and reality distortion field that grips most Apple fans (though when I did it was nice, after all ignorance is bliss). I know there is malware out there that affects the Mac, I know OS X has vulnerabilities, I know OS X needs help from 3rd party programs to be able to keep my data secure and lastly; I know Apple would never announce an issue with one of it’s products unless it absolutely has to, that’s just good marketing.

But what about “Your privacy is important to Apple.“? Having my secure communications intercepted because of an SSL vulnerability, to just go with the latest example, puts my privacy at risk. If my privacy is that important, why wait 4 days to release a patch?

What about “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,“? Just because Apple does not release details about security issues does not mean others are oblivious to them and not actively exploiting these vulnerabilities in the wild. While it’s nice to know the entire world doesn’t know about a vulnerability, those that matter most likely know. NSA, GCHQ, Underground markets where these vulnerabilities are sold and traded and other malicious people out there. These undisclosed vulnerabilities can also put my privacy at risk.

I understand why Apple does this. Letting people know about vulnerabilities is bad for the reputation and image of the company, it also forces the company to address these issues ASAP. The notion that ‘What they don’t know can’t hurt them’ rarely works for any situation but is especially bad for software. Apple employs some of the best talent in the world in many fields but no matter how smart, there are many more equally or smarter people out there. For good or bad, these are the people that find the vulnerabilities and either report them or sell them. In the case of the recent SSL vulnerability we as Mac users are lucky that it was found and reported by one of the good guys but this could have just as easily ended up as a best seller on the black market as these exploits are worth significant amounts of money. Without the pressure from security experts and media, who knows if Apple would have still released a fix when it did, we’ll never know. As Stilgherrian points out in one of his articles for Zdnet; “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,”. Which means it may know full well about unpatched vulnerabilities, but even if they’re being actively exploited, you won’t know about them.”

So, can we trust Apple to have our best interests at heart? Sadly I think not. Apple will always do what’s best for the company first, naturally, as any business would while trying it’s best to please the customer. If this results in products that are beautiful, functional and secure this would be perfect. However we are left with beautiful and functional, security is lacking. The security that is present in OS X comes mostly as a side effect from using UNIX as a foundation, not from careful planning and design. Features like Gatekeeper and XProtect are nice on paper but mostly useless as they are either bypassed because they are annoying or outdated. Security must be part of the design, not added later, to be most effective.

“Apple’s goto fail is a clear sign that the magic garden needs weeding — or even a good dose of Agent Orange, rather than endless Kool-Aid. But the first step in fixing a problem is admitting that it exists, and Apple has yet to do that. It seems that when it comes to security, Apple still couldn’t find its butt with both hands.” Stilgherrian says in his article. This sounds harsh but I have to agree. I love writing for this blog, creating the security awareness but wouldn’t it be much better if blogs like these were not needed? No platform will ever be 100% secure and I do not fault Apple for having vulnerabilities in it’s software, that’s just the way it is. However when a vulnerability is found either by Apple or a 3rd party, all possible efforts should be made to get it fixed as soon as humanly possible for the sake of company reputation and the end user. This is something Apple needs to work on.

Where am I going with all this, am I just ranting or do I have a point? A bit of both I guess. OS X at it’s foundation is one of the most secure operating systems available at the moment but is it safe enough for you? That’s only a call you can make but I think it isn’t. Don’t get me wrong it’s a very good start and it can be great with some help. You are in charge of securing your data and privacy and OS X alone will not get the job done.

Help comes in many forms.
• Enabling features like the built-in firewall, FileVault and login/screensaver password.
• Installing updates to your OS X and 3rd party plug-ins and software whenever they are released.
• Using an antivirus to catch malware, spyware and adware. Rare or low-risk does not mean it can’t happen to you,  just ask any of the 600.000 that were infected by Flashback.
• Using a network monitor like Little Snitch to see if suspicious connections are made.
• Use a good browser and configure it properly.
• Keep an open mind. Don’t be one of the sheep that just repeat what other sheep say. Next time you hear about a Mac virus, instead of saying “Macs don’t get viruses” maybe think “Instead of playing the word game (there are no viruses for the Mac but there is plenty of malware/adware/spyware) maybe I should check this out”. Next time you hear about a gaping hole in the security of OS X or iOS, instead of sticking with “Impossible, it’s the most secure platform out there” maybe… You get the idea.

I can go on and on but I’d just be repeating stuff I have been writing about since I started this blog. But there is one more thing, the most important thing you can probably do is: stay informed. There are many websites such as this one that can tell you all about the latest security issues and possible remedies before Apple acknowledges there even is an issue or (if ever) it hits the mainstream news. This can make all the difference between you becoming a victim or not. Websites can be from researches and enthusiasts, professionals, companies or even hackers. I encourage you to never get your information from just one source, always check multiple sources to see if they validate the findings. Sites like Intego’s Mac Security Blog, Sophos Naked Security and ESET WeLiveSecurity, just to name a few of many, are from companies that sell security products. Often you’ll find a report of *name your security issue* comes with the added advice to use their product in one way or another to be safe from that security issue. In these cases don’t disregard their articles as just another sales pitch as the information they provide can be very useful. If you’re not interested in their product just ignore the pitch and take home the knowledge 🙂

With some extra help your Mac can be a great ánd secure system. Sure, enjoy the beveled edges, the thin design, the speed and all-day battery life. Of course, that’s part of the reason you got your Mac! But put in some extra effort to make it a truly great experience. Maybe Apple will pick up the slack and before long you can go back to powering on your Mac without a worry in the world just like you did all those years ago but for now, it’s up to you.