This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance and risk modeling."
Download it now to read this article plus other related content.
Apple, Inc.’s complex posture on security poses challenges for information security decision-makers charged with assessing the risks created by an influx of iPhones, iPads and Mac OS X devices.
In the past year, security experts have proclaimed that Apple is simply not taking security as seriously as its major competitors. Apple’s security lags behind Microsoft Corp.’s by as much as 10 years, according to Kaspersky Lab CEO Eugene Kaspersky, who expressed concern in April 2012 about growing malware threats, after the company’s slow response to a critical Java update, made customers’ systems vulnerable to the Flashback Trojan.
Apple has since been lauded for smart security decisions, such as eliminating the use of vulnerable Java versions on its devices, and adding support for two-step verification on Apple IDs in March 2013. Is Apple a model of solid security stewardship, or merely paying more attention to security to avoid backlash?
Another criticism levied at Apple is its lack of transparency. The company is not upfront about malware threats and vulnerabilities in its products, according to its critics. The effects of this lapse, however, are impossible to measure—and some people think that being closed and secretive is beneficial in terms of security.
So it’s better to focus on what we know for sure: what security features are available, what vulnerabilities have been exploited, and how Apple has changed its practices in response to adverse events.
Inherent security of products
There’s no quantitative way today to measure the overall security of disparate systems, so the best we can do is to compare security features and vulnerability histories. Historically, Mac OS X systems have lagged behind Windows PCs, most notably in the lack of centralized security management features. All mobile devices, including Apple iPhones running the iOS mobile operating system, trailed Research in Motion's BlackBerry handsets, which offered strong storage encryption technologies, and were considered the gold standard for centrally managed and secured mobile devices.
Apple’s recent releases of Mac OS X and iOS have raised the bar, however. Changes to iOS and Mac OS X have facilitated centralized security management of Apple devices from Mac OS X Server.
The company beefed up the security of Mac OS X Lion v10.7, for example, by extending FileVault full disk encryption to external hard drives, with XTS-AES 128 data encryption. When OS X Mountain Lion v10.8 was released in July 2012, Apple introduced a Gatekeeper feature for whitelisting and blacklisting applications. The Software Updates tool, which can be set to check for Apple security updates daily, became part of the Mac App Store.
Mac OS X and iOS security features are now largely comparable to those offered by competitors, although enterprise management still lags behind. Fortunately, a flood of third-party solutions have emerged for Mac OS X and iOS enterprise management (i.e., mobile device management tools). Apple also offers its own Mac OS X and iOS management tools through Mac OS X Server, at minimal cost.
Apple's App Store added a volume purchasing program for business in 2011 that includes custom B2B apps for iPhones, iPads and mini-iPads, which are reviewed using the company's stringent approvals process. However, developers are responsible for securing the data in B2B apps. The App Store is cited as an area where Apple is ahead of its competitors in terms of security, because it performs rigorous screening of third-party apps. The recent discovery that Apple’s App Store has not been using HTTPS (Hypertext Transfer Protocol Secure) consistently to protect Web communications and transactions resulted in another security blunder. The company has since fixed the issue.
Apple was the first company to require that its devices use apps from an authorized App Store. That strategy may be working. Even though iOS has contained numerous vulnerabilities—the initial release of iOS 6 fixed nearly 200 vulnerabilities from version 5—major malware exploitation, outside of a few reported instances on jailbroken iPhones, has yet to occur. Other vulnerabilities in iOS, however, have allowed hackers with physical access to iPhones to bypass users' passcodes. Two such incidents related to iOS 6.1 were reported in February and March of this year.
Readily exploitable vulnerabilities for both Mac OS X and iOS remain minimal, however. Whether Apple's reputation is deserved or not, there's a false sense of security among many Apple users, who think that their systems are invulnerable to malware.
Reaction to security problems
The two biggest security problems that Apple confronted in the past year involved Java. When the first problem happened, in early 2012, Apple had been providing its own version of Java with Mac OS X. When a set of major vulnerabilities (see Apple support article HT5228 for a full list) was found in Java across platforms, Apple had to issue its own patch instead of using the Java security update that Oracle provided to outside vendors. Although other platforms were patched in a few weeks, it took Apple almost three months to issue a Java security update on Mac OS X.
During that extended vulnerability window, the Flashback Trojan, a fake Adobe Flash installer that attempted to snare passwords and other information, infected Mac OS X systems, compromising as many as 600,000 systems and damaging Apple’s security reputation. Apple eventually released a security update that removed common variants of the Flashback Trojan from infected Mac OS X systems. Mac Flashback was a wakeup call for many Apple users leaving no doubt, that malware infections are possible on Apple platforms.
Contrast this serious gap in security with what happened next. Apple decided to stop updating Java and rely on Oracle’s version instead, so that patches would be available for all the platforms at the same time. Apple went even further and stopped bundling Java with Mac OS X 10.7 Lion by default; users are still free to download and install Java if they’d like to, of course. The company also chose to disable Java in Web browsers unless the user explicitly turns on Java. When a major Java vulnerability was discovered in late 2012, Apple was in a much better position to handle it, and customers’ devices were less vulnerable than they would have been six months earlier. In addition, Apple used XProtect, a signature-based scanner with malware blacklisting capability built into Mac OS X, to prevent vulnerable versions of Java from running. This forced Java users to upgrade to patched versions, thus avoiding possible exploitation.
Apple expected that there might be problems similar to Java’s with other popular third-party applications as well, and reacted accordingly. Older versions of Adobe Flash are rarely updated, leaving vulnerabilities that most users aren’t aware of. By utilizing its malware blacklisting technology, Apple has forced users to forgo older versions of Adobe Flash in lieu of acquiring newer updates. These Flash players not only don’t have the known vulnerabilities of the older versions, the software is self-updating, ensuring that future vulnerabilities will be addressed as soon as patches are available.
Targeting of products
Conventional wisdom has it that the malware community has largely ignored Apple because Windows PCs dominated the market. But with Apple OS X now accounting for 8.45% of operating systems, and iOS representing 9.5%, according to February 2013 Web analytics reported by W3counter, the exploits just aren’t appearing. According to malware records available from the McAfee Labs Threat Center and other sources, Apple devices have rarely been the specific targets of malware.
Some people think it’s only a matter of time before a major iOS vulnerability is discovered and exploited through malware. Others assert that Macs and iOS devices are rarely infected with malware because they are built on strong security principles. For example, Mac OS X is based on FreeBSD Unix, which is a tried and tested technology, and iOS takes major advantage of sandboxing technologies to isolate malicious processes from benign ones.
Who’s right? Well, only the attackers know for sure why they’ve done what they’ve done. But it is worth noting that an overwhelming number of today’s security problems are platform irrelevant. If you look at prevalent malware, it’s based on exploiting people—social engineering—not flaws or security configuration vulnerabilities in software. Security features, such as full disk encryption and authentication (as simple as a strong password) are available but often not enabled by users on many platforms. The use of open Wi-Fi networks, which potentially expose all network communications to eavesdropping, is a universal problem across all platforms. So it’s quite possible attackers pursue forms of exploitation that aren’t platform-specific. This could always change, of course.
Evaluating the security risks
It’s hard to declare Apple security as superior to its competitors, but it’s also hard to fault it as inferior. The pluses and minuses of Apple security need to be considered more granularly.
Organizations evaluating the security risks of Apple technologies should carefully consider the security features offered by the relevant versions of the Mac OS X and iOS operating systems. Older devices may only support older versions of the operating systems, which lack key security features, or require the use of third-party add-on utilities to achieve the necessary security. Here’s a great example: old iPhones (before the 3GS) don’t thoroughly erase sensitive data when the device is wiped. Newer iPhones strongly encrypt all stored data and use a hardware encryption key that is deleted when the phone is wiped, making it, essentially, impossible to recover the stored data. Organizations should use later models of hardware to take advantage of the latest operating system versions and their corresponding security features.
In terms of system architecture, both Mac OS X and iOS offer advanced security features. OS X uses some of the same memory management techniques as recent versions of Windows versions. These techniques are specifically designed to make it harder to exploit the operating system and applications, and to limit the possible damage that a successful exploit could inflict on a system. But other security decisions are puzzling, such as Mac OS X and iOS requirements to authenticate with administrator-type privileges before allowing updates to be installed. This slows the patching process and can lead to significantly longer windows of vulnerability, thus increasing the opportunities for compromising the systems.
Apple products tend to lag behind other vendors’ products in terms of built-in support for centralized and automated security management. Most organizations either buy third-party management tools or simply, don’t centrally manage their Apple devices. This increases the burden on local system administrators and makes it more likely that vulnerabilities will happen and persist, such as patches not being installed and security settings not being configured correctly. However, organizations should be aware that Apple has been adding some significant centralized management capabilities through its Mac OS X Server product, which allows the centralized establishment and maintenance of Mac OS X and iOS settings for password policies and many other forms of security policies.
The final verdict? The jury is still out; only time will tell for sure. Apple has made considerable advances in its security practices, especially over the past year.
About the author:
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Va., providing cybersecurity publication consulting services. Karen was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), and she has co-authored more than 50 NIST publications, including Special Publication 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise.
Send comments on this column to email@example.com.
This was first published in May 2013