Isn't Apple a Leader in Security?

I know I would be upset if nude photos of me leaked out, and the rest of you would be pretty disturbed too. It's reasonable for people to be mad at Apple over this, but watch out for hyperbole, such as this story in today's Wall Street Journal [sorry, paywall].

Author Christopher Mims asks "Why Isn't Apple a Leader in Security?" The fact is that they are, their poor handling of iCloud authentication notwithstanding. iCloud isn't everything.

I recently wrote about how security fails if it is not usable. This is the secret to Apple's security success, and an area where it really is a security leader. Usability also has something to do with the company's failures.

Consider two-factor authentication, a favorite feature of security folks like me, but eschewed by the general public for being too big a pain to use. People have been trying to make two-factor authentication usable for years, but Apple seems to have done it right with Touch ID. My 12 year old daughter and her friends can set up Touch ID on an iPhone all by themselves.

And now, in iOS 8, Apple has made Touch ID available to third parties for authentication. Password manager LastPass, for example, will now be able to use Touch ID as a second factor and has a Safari extension for web logins. It's almost enough to make me want an iPhone. (Well, no, actually it's not even close, but it's a really nice feature.)

I'm a LastPass user and happen to be in the process of strengthening my passwords, in part by turning on two-factor authentication. It's complicated to set up and the user experience can't compare to Touch ID. By making it easy to use, Apple has made two-factor authentication relevant to the masses (at least to those masses who can afford an iPhone). Incidentally, Apple has also begun to build password management into their operating systems, albeit in a closed manner.

But the biggest contribution to security Apple has made in recent years is the walled garden for iOS. It's been an absolutely smashing success in keeping malicious software out of their App Store. There certainly is bad and obnoxious software and rip-off software in the store, but the sort of abuse that Windows (and even Mac) users face is virtually unheard of on iOS. This is because the App Store is a fascist police state: Apple is completely in charge, exercises its authority vigorously and restricts what app developers can do. And unlike Android, iOS does not allow third-party stores, the home of nearly all Android malware. The garden wall is 100 feet tall, it's electrified and there are vicious guard dogs.

The dearth of malware on the Mac is fairly attributed to "flying under the radar," meaning that Macs are still insignificant enough in the market that it's not usually worth writing malware for them. But this argument doesn't wash with iOS, which is extremely popular, especially in the US and especially among those with money to spend. If it were possible to get malware into the hands of iOS users, malware writers would write it.

That's not all Apple has done for security on iOS. In iOS 7 Apple built better support for MDM/EMM solutions into the OS, and the limitations that EMM vendors faced are basically gone.

Even the poor security they provided for iCloud accounts was an attempt, a misguided one to be sure, at making things easier for users.

It's worth noting that iOS devices are not invulnerable. Apple patches serious vulnerabilities in the operating system fairly often, and these vulnerabilities could be used, most likely through web access, to take over iOS devices. I have no actual evidence of it, but I feel confident this sort of thing happens on a highly targeted basis and it just doesn't get reported. But this too is hardly a reason to criticize Apple. Everything has vulnerabilities and those vulnerabilities have to be patched and disclosed.

So I'm happy to cut Apple some slack on the naked photo scandal. If, as I suspect, Touch ID becomes popular, iOS users will be better protected than others and largely immune (where Touch ID is used) to account theft. How's that for security leadership?