Apple needs wakeup call on security

[UPDATE] Cupertino has "head in the sand" in perceiving its platforms are secure and don't need external protection, says Sophos exec, who notes Google is more proactive in addressing security vulnerabilities.
Written by Jamie Yap, Contributor

[UPDATE] Apple and its users are failing to recognize security risks on the Macintosh and iOS, according to a Sophos executive, who adds that such issues cannot be ignored even if malware on its mobile platform is not yet widespread.

James Lyne, director of technology strategy for the IT security vendor, said "Apple has its head in the sand" when it comes to security. "Their attitude to security leaves much to be desired," he said in a phone interview today.

There continues to be a "culture of denial" about malware among Mac OS users, Lyne added, noting malware on the Apple platform does exist even if the amount currently is small compared to the PC.

"I still walk into Apple stores and ask, 'Do I need antivirus for my Mac', and am told, 'No, you don't'... Fake geniuses," the executive said in a report by Malaysia-based Digital News Asia, referring to Apple's in-store technical support "Genius" staff. He was speaking to reporters in Kuala Lumpur, Malaysia.

As for Apple's mobile iOS platform, Lyne told ZDNet Asia that while there had not been widespread malware on iPad, security issues on the tablet cannot be ignored.

He said security researchers had been able to demonstrate "nasty apps" were being distributed in the App Store, so claims of Apple's walled garden--filled only with safe apps--"may not be as good as it sounds".

More transparency needed on Apple security

According to Lyne, Apple is the sole security provider for its iOS because it prohibits security vendors from releasing products on the platform.

"We're not saying there's a huge amount of malware for iOS, but there are unanswered questions here [whether] Apple is doing the right thing.

"Perhaps we should ask for more transparency on what practices Apple is using to ensure applications are safe [or] if Apple should provide vendors more access to offer security," Lyne said, adding that these should include not just antivirus products, but also other security tools such as encryption or DLP (data loss protection).

Currently, the majority of malicious mobile apps are targeted at Google's Android platform, but this does not mean Apple or its users should not be concerned about iPad security, he pointed out.

Compared to Apple, Google also has been more proactive in addressing security vulnerabilities, Lyne said during the briefing in Malaysia. "Android has more security issues, but at least Google is trying to fix the problem. It is providing APIs (application programming interfaces), it is working with vendors, it has been cooperating with the security community," he said.

Sophos is not the first security vendor to highlight this lack of security awareness. Kaspersky Labs also shared similar views when it revealed Apple denied its bid to develop antivirus tools for the iOS, and said Cupertino was "10 years behind Microsoft" in terms of security.

Trend Micro last month said mobile malware apps grew five-fold in the second quarter of 2012 over the previous quarter.

In April, the Flashback malware attacked more than 600,000 Mac computers, after a similar attack last year by the MacDefender malware.

For its part, Apple is making investments in security. Last month, it announced plans to acquire AuthenTec, which develops identity management software and embedded security devices such as fingerprint readers, for US$356 million.

[EDITOR's NOTE: This story was updated with additional comments from Sophos' James Lyne who spoke to ZDNet to clarify that during the discussion in Malaysia, he was referring to malware on the Mac platform, not iOS.]
