Apple needs wakeup call on security

Apple needs wakeup call on security

Summary: [UPDATE] Cupertino has "head in the sand" in perceiving its platforms are secure and don't need external protection, says Sophos exec, who notes Google is more proactive in addressing security vulnerabilities.

SHARE:
38

[UPDATE] Apple and its users are failing to recognize security risks on the Macintosh and iOS, according to a Sophos executive, who adds such issues cannot be ignored even if malware on its mobile platform is still not widespread yet.

James Lyne, director of technology strategy for the IT security vendor, said "Apple has its head in the sand" when it comes to security. "Their attitude to security leaves much to be desired," he said in a phone interview today.

There continues to be a "culture of denial" about malware among Mac OS users, Lyne added, noting malware on the Apple platform does exist even if the amount currently is small compared to the PC.

"I still walk into Apple stores and ask, 'Do I need antivirus for my Mac', and am told, 'No, you don't'... Fake geniuses." the executive said in a report by Malaysia-based Digital News Asia, referring to Apple's in-store technical support "Genius" staff. He was speaking to reporters in Kuala Lumpur, Malaysia.

As for Apple's mobile iOS platform, Lyne told ZDNet Asia while there had not been widespread malware on iPad, security issues on the tablet cannot be ignored.

He said security researchers had been able to demonstrate "nasty apps" were being distributed in the App Store, so claims of Apple's walled garden--filled only with safe apps--"may not be as good as it sounds".

More transparency needed on Apple security

According to Lyne, Apple is the sole security provider for its iOS because it prohibits security vendors from releasing products on the platform.

"We're not saying there's a huge amount of malware for iOS, but there are unanswered questions here [whether] Apple is doing the right thing.

"Perhaps we should ask for more transparency on what practices Apple is using to ensure applications are safe [or] if Apple should provide vendors more access to offer security," Lyne said, adding that these should include not just antivirus products, but also other security tools such as encryption or DLP (data loss protection).

Currently, the majority of malicious mobile apps are targeted at Google's Android platform, but this does not mean Apple or its users should not be concerned about iPad security, he pointed out.

Compared to Apple, Google also has been more proactive in addressing security vulnerabilities, Lyne said during the briefing in Malaysia. "Android has more security issues, but at least Google is trying to fix the problem. It is providing APIs (application programming interfaces), it is working with vendors, it has been cooperating with the security community," he said.

Sophos is not the first security vendor to highlight this lack of security awareness. Kaspersky Labs also shared similar views when it revealed Apple denied its bid to develop antivirus tools for the iOS, and said Cupertino was "10 years behind Microsoft" in terms of security.

Trend Micro last month said mobile malware apps grew five-fold in the second quarter of 2012 over the previous quarter.

In April, the Flashback malware attacked more than 600,000 Mac computers, after a similar attack last year by the MacDefender malware.

On its part, Apple is making investments in security. Last month, it announced plans to acquire AuthenTec for US$356 million, which develops identity management software and embedded security devices such as fingerprint readers.

[EDITOR's NOTE: This story was updated with additional comments from Sophos' James Lyne who spoke to ZDNet to clarify that during the discussion in Malaysia, he was referring to malware on the Mac platform, not iOS.]

Topics: Security, Apple, Mobile OS

Jamie Yap

About Jamie Yap

Jamie writes about technology, business and the most obvious intersection of the two that is software. Other variegated topics include--in one form or other--cloud, Web 2.0, apps, data, analytics, mobile, services, and the three Es: enterprises, executives and entrepreneurs. In a previous life, she was a writer covering a different but equally serious business called show business.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

38 comments
Log in or register to join the discussion
  • So.. why wait?

    If Apple does need someone to prove that their platform is not secure then where is it?
    cootified
    • PWN2OWN &

      Charlie Miller say hello. :)
      vinnyboombatz
      • With physical access is anything possible

        Here we're talking mainly about online threats, those things that Kaspersy, Sophos et al. claim to be able to protect from. The problem is that it's only Microsoft Windows which is so badly built that it desperately needs, no requires this kind of protection.
        The only thing all the platforms are vulnerable to is trojans with which the OS can't do much about because the human allows the malware to be installed.

        Don't be fooled! Articles like this one are just ads in disguise.
        Mikael_z
        • Oh, you mean like...

          This blurb from the 2010 P20 contest:

          "Charlie Miller, principal security analyst at Independent Security Evaluators, won $10,000 after hacking Safari on a MacBook Pro *******without having physical access to the machine.*******"

          Maybe you should re-read the last line of that paragraph.

          (Source: http://news.cnet.com/8301-27080_3-20001126-245.html)
          vinnyboombatz
          • Are you seriously

            Using a source from March 2008? Here's a link to 2012's Pwn2Own with the result that Apple's Safari browser is still standing.

            http://technoose.com/the-results-of-pwn2own-2012/

            I'm not saying Macs are not vulnerable to malware but both you and the author of this article need some ore up to date info.
            athynz
          • Try re-reading the article,

            champ.

            Perhaps you missed this little nugget:

            "Charlie Miller, principal security analyst at Independent Security Evaluators, won $10,000 after hacking Safari on a MacBook Pro without having physical access to the machine. "


            Since the date of the article is 3/2010, the next line:


            "Miller won $5,000 last year by exploiting a hole in Safari,"

            Implies it is referring to 2009, not the year the article was published, especially since the next (not to mention the LAST) line:

            "and in 2008 nabbed $10,000 hacking a MacBook Air, all on the same computer."

            Specifically mentions 2008.

            Thanks for playing though...your consolation prize is down the hall behind door number 2.
            vinnyboombatz
          • Do you seriously expect Charlie Miller to hack my Mac?

            That's just plain stupid, and a bad debating tactic. :(
            Mikael_z
        • None of the Pwn2Own exploits required physical access

          They were all exploited by the browser viewing a maliciously crafted website. That's kind of the whole point.
          Bonesnap
        • You're part of the reason why the Apple user base is so vulnerable.

          The reason Windows has historically needed tougher security measures is because that's where virus devs aim their big guns, and they aim them at Windows because that's where they can do the most damage.

          Macs on the other hand barely have any of the global market, and so it's been a waste of time.

          However, now with the advent of iPads and more Macs in the marketplace, that's starting to change, as can be seen by the latest security holes widely reported to be compromised.

          As long as people like you keep believing that Apple products have no security holes by evidence of the relative amount of malware/viruses/trojans reported there, the more prolonged your naivete, and the higher probabilty that you'll get your ass handed to you in the near future.

          TL;DR: Apple products have lots of security vulnerabilities, but nobody cares enough yet to discover and exploit them fully.....today.
          milo ducillo
      • With physical access is anything possible

        Here we're talking mainly about online threats, those things that Kaspersy, Sophos et al. claim to be able to protect from. The problem is that it's only Microsoft Windows which is so badly built that it desperately needs, no requires this kind of protection.
        The only thing all the platforms are vulnerable to is trojans with which the OS can't do much about because the human allows the malware to be installed.

        Don't be fooled! Articles like this one are just ads in disguise.
        Mikael_z
  • lol

    too funny. Security companies are mad that millions of devices are sold that they cannot profit off of, so they have to try to go around scaring everyone to try to drum up some business. It must be scary for them to think that there could be a future where they lose half or more of their current business because they become outdated.
    doh123
    • For now there is no need for antivirus software for iOS devices indeed

      Not only applications are curated in iOS platform, the OS itself supported Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) quite a while before Android did. (OS X became supporting it later.)
      DDERSSS
      • If I were you, I would not use the following web search keyword terms:

        "iTunes hacked"
        "unjailbroken iphone hacked"

        Since "for now" has become "should have become 'now' long before yesterday".

        It's a proverbial powder keg, also proving that unjailbroken phones are not as solid as claimed. Or the walled garden is porous, at least for malware.
        HypnoToad72
        • True Apple does need to be more proactive

          However the first real "in the wild" malware for stock (i.e. non jailbroken) iPhones is fairly new...

          http://www.bgr.com/2012/07/05/iphone-malware-spam-app-store/

          And even with jailbroken iPhones malware is few and far between.

          Their desktops are a bit more prone to malware but not by much.

          So no the walled garden is not as porous to malware as you think... at least not yet.
          athynz
    • They don't have to try

      It's starting to happen on it's own accord, as can be seen by the recent ramp up of Mac virus and malware reports.
      Even Apple no longer misinforms the public that they're not susceptible to viruses.

      The times, they are a-changin'......
      milo ducillo
  • Apple's negligence

    Apple's attitude is not merely complacency; it's negligent, as well as arrogant.
    Tim Acheson
    • Sad but true

      They have no excuse now in giving this issue far more priority with all the loot they've been able to bag in recent years.
      klumper
  • If it is such a big problem...

    As others have pointed said, where are these security flaws? Where are the viruses that target the iPad and forward your login information? where's the bug that'll wipe all your contact data from your iPhone because some kid thought it'd be funny? Where are the keyloggers that track what you type into your iPod touch?

    Because all of those are things that you have to be weary off on an Android phone, but I've yet to encounter on and apple mobile device. However that's simply personal accounts, if there are cases of any of the above happening on an Apple device I'd love to be directed to the report.
    KeijiMiashin
    • Also good point

      See my comment above re Mac vs iOS. Additionally it is absolutely accurate that Android Malware today is the lead in mobile malware, very true!
      Jameslynesp
    • Google this:

      "SMS iphone hacked unjailbroken"

      I wouldn't remain so complacent.

      For ANY platform.
      HypnoToad72