On Monday, Apple kicked off its 23rd Worldwide Developers Conference with a keynote presented by Apple’s top executives. Although the keynote was primarily aimed at third-party software developers, there were many notable tidbits related to security and privacy.
OS X Mountain Lion
In his discussion of upcoming features of OS X Mountain Lion, Craig Federighi specifically mentioned “Gatekeeper, to help keep your system free from malware.”
Apple had previously announced Gatekeeper, which will give users three options: run only apps downloaded from the Mac App Store (which have been vetted by Apple); run Mac App Store apps plus software signed with a Developer ID; or run all apps regardless of whether they’re signed (which Mountain Lion warns is the least secure option).
Back in February, Sophos’s Chester Wisniewski opined that “Apple’s Gatekeeper security feature leaves a lot to be desired.”
What made Federighi’s comment stand out is that, as far as I’m aware, this is the first time Apple has ever acknowledged the existence of Mac malware in a keynote address.
This may indicate a shift in the right direction for Apple in terms of openly recognizing the imperfections of its security. It’s certainly a far cry from Apple’s “Hello, I’m a Mac” television advertisements from 2006-2009, which strongly (and falsely) implied that Macs were invulnerable to infection.
On the screen behind Federighi were a few other security and privacy features in Mountain Lion, including encrypted backups and Do Not Track in Safari.
When Federighi spoke about the OS X software development kit, “sandboxing APIs” (application programming interfaces) was among the features listed behind him. Sandboxing is a feature that helps prevent exploits within an application from affecting the rest of the system.
iOS 6
When Scott Forstall got up to speak about Apple’s upcoming mobile operating system, iOS 6, one of the first slides he showed pointed out that it’s difficult for Android users to stay on the current release, a process which Apple makes simple for iOS users.
Forstall did not specifically mention the security implications of this, but as Sophos’s Graham Cluley pointed out, one of the major advantages to always having the latest mobile OS is improved security.
“Kernel ASLR” (address space layout randomization) was among the iOS 6 features listed on a slide behind Forstall. ASLR makes it more difficult for malicious code to exploit parts of the system that reside in memory.
Apple also committed to release iOS 6 for the iPhone 3GS, Apple’s three-year-old smartphone.
At first glance, this may seem somewhat impressive considering that Apple released the final security update for the iPhone 3G only 2 years and 4 months after its initial release.
As I pointed out in an article last year, this meant that those who bought an iPhone 3G on sale when the iPhone 3GS came out only got security updates for about 1.5 years.
As a result, those who signed two-year service contracts for their iPhone 3G had to go without security updates for several months until their mobile carrier decided they were eligible for a new phone.
Notably, Apple still sells the iPhone 3GS as a free-with-contract phone on AT&T in the United States. The fact that it’s still being sold is likely the only reason why it’s getting the new iOS release.
By comparison, the original iPad (which was replaced by the iPad 2 in March 2011) and the third-generation iPod touch (which was replaced by the fourth gen in September 2010) will both be stuck with iOS 5.
In the past, Apple has only released security updates for the current version of iOS, whereas with Mac OS X the company has mostly issued security updates for the current version and one previous version.
Apple certainly has a lot of room to improve on how long it continues to release OS security updates for its hardware.
There was one new feature in iOS 6 that’s likely to be of concern to privacy fanatics: Forstall mentioned that iOS 6 collects “anonymous real-time crowd-sourced data” from devices to improve the traffic feature in the new Maps app. Forstall did not say whether Apple will give users the option to turn off this tracking feature.
Although it was nice to see some recognition of security throughout the keynote, there were also indications that Apple still has a lot of room for improvement. We would love to see Apple make further improvements to its product security and do a better job of keeping older hardware updated with security patches.
In my opinion Windows is way better at keeping exploits patched right when they are found and Apple is more based on preventing the exploits first hand.
I'm still confused as to why Apple would deny something like viruses can't attack their software? Either Steve Jobs wanted to keep folks buying his computers to gain sales by putting up the front about his computers being impenetrable, or he thought his OS programming could never be outdone. Ego or conspiracy?
Every system/platform is vulnerable, Apple's included. However, the underlying architecture and market share of Mac OS X make Windows clearly the lower hanging fruit for Virus/Malware developers.
That picture is likely to change a bit with Mac OS X seeing a higher adoption rate. But nevertheless, Unix-based systems (like Mac OS X) with their separation between ROOT (=admin) and regular users are less likely to get infected on a system-wide level.
Microsoft tried to catch up by introducing the really annoying User Account Control (UAC) – but fixing an ill-designed platform by slapping UAC on top of it is not gonna work.
Apple has provided an option to disable location services for Traffic since iOS 5. However, in iOS 6 and the implementation of this crowd-sourced data, you now must have location for Traffic enabled in order to use it. Can’t understand why that would be of any concern to anyone at all.