Guest blog: Does Apple stand at a security crossroads?

"Ben Jupp, a Sophos technical specialist who lives and breathes all-things Mac, Linux and Unix, ponders Apple’s attitude to security. Over to you Ben.."

Ben Jupp
Apple gets a pretty rough press when it comes to security and to be honest I think it’s deserved. This isn’t to say that I think Apple never thinks about security; in fact I think that that couldn’t be further from the truth.

But does Apple really do enough?

Apple’s track record of security in operating systems hasn’t been a great one. Mac OS 9 was never the internet-ready OS it should have been, and lagged behind Microsoft’s offering at the time, Windows 98 SE.

Mac OS 9 had next to no concept of security; I still chuckle when I remember installing it and being told that I’m not allowed a password longer than eight characters!

So when Steve Jobs returned to Apple, bought NeXT and then OS X came out I’m sure I wasn’t the only person hoping and praying for an OS that was a marked improvement on Mac OS 9, and also actually had some security features.

Well, OS X has certainly improved, possibly even matured over time, and the security it has is light years better than when it started.

But does Apple really take it seriously, or is it something born out of necessity to appease the security vendors, vulnerability researchers and enterprise users?

In my opinion Apple stand at a crossroads with regards to what they do about security. They can either continue as they are claiming that they have no malware, no problems and just doing enough to get by. Or they can invest in making security a ‘feature’ of the Operating System.

Microsoft was in this same position a few years ago and seems to have made the right choice. They release regular security patches, they work with the security community as a whole, and have added many features to their Operating Systems to assist users; Windows Firewall, UAC, Anti-Phishing in IE, etc.

So, could Apple achieve or exceed what Microsoft has done?

Yes, and I think it could be an amazing thing to observe.

Time Machine icon
All Apple needs to do is see security as something that they can sell, and something that they can beat their competitors with, similar to what they did with ‘backups’ recently.

Time Machine, whether you like it or not, has been a success. Everyone spoke about it when Apple announced Time Machine, as it brought backups to the masses, and made it simple. This is no mean feat considering ‘backups’ are a truly, truly, dull unsexy feature.

Mac OS X is not actually all that insecure if you set it up right, and this is where Apple has to step up.

The Firewall should be on by default, Safari needs to not automatically unzip and mount downloaded files, the default user shouldn’t automatically login, and my list could go on and on. Make these features secure and simple to use and Apple will be well on their way.

Add to this transparent disclosure of security updates; letting users know when something has been fixed, why, and in what patch. That would help Apple present itself as a responsible and secure vendor.

It’s not just me who thinks this. A poll conducted after the recent debacle over Apple silently updating Mac OS X’s anti-malware protection shows that many in the Mac community want to be informed more fully about security updates.

Should Apple document when it updates Mac OS X's malware protection?

Apple has to make a choice soon about what are going to do. If they leave it too long they will get crushed by an Indiana Jones-esque boulder of malware, targeted attacks, and pissed off users. They should be the bigger man and do the right thing, hats, whips and all.

Come on Apple, show us what you got!