March 8, 2011


Understanding Apple’s Approach to Security

With Apple’s growing market share in desktop computers, and relative dominance in mobile computing, the security of Mac OS X and iOS is increasingly becoming a talking point. Apple continues to tout the security of OSX, whilst the iOS hacker community keeps looking for (and finding) exploits that will allow them to jailbreak iPhones and iPads. This article is my own look into Apple’s history and strategy, and how this translates into the company’s focus on security today.

Market Share

When we try to understand Apple’s approach to security, it’s important to see things through Apple’s eyes. To do so I must digress slightly into the history of Apple and its strategy (as I see it). Since the release of Mac OS X 10.0 in 2001, through to 10.7 in 2011 (probably this summer), Apple will have released nearly one major operating system upgrade per year. That’s a fairly aggressive development roadmap. These were not just standard updates either, with each release providing improvements and innovation over the last. I didn’t really consider OSX to be ‘stable’ until the release of 10.2 “Jaguar”, but since 10.4 “Tiger” and 10.5 “Leopard” the OS has, in my opinion, far outstripped the competition. During this time Apple has had one thing in mind: market share. Not just any market share, mind you, but home users and students. Apple knows that the more attention it spends on features that allow people to do things more easily on their computer, the more attractive its systems will be to the majority of users within its target demographic.

Apple is not interested in corporate market share, yet. Why not? Apple has placed a focus on the ‘lifestyle’ use of their products. Easily listen to your music, easily make music and movies, easily organise your photos, and anything else that allows users to easily use their computers. This kind of focus is not at all in line with the corporate use of computers, where importance is placed on the ability to highly configure systems, enforce policies, interoperability and, most importantly, cost. Companies like to buy cheap hardware and run Windows on it, because Windows has adapted very well to the corporate environment over the years. This is not to say that Apple hasn’t catered to the corporate market; Mac OS X Server, Xserve servers and XSAN (storage devices) have been around for years. But while these are great products, in reality these have served as a sort of corporate ‘beta test’ for Apple and for companies interested in running an OSX-based environment.

So far this strategy has worked very well, and Apple is making huge inroads into the home and student markets. In 2002, when I went to university, I was the only one studying computer science with a Mac. Fast forward to 2011, I’d hazard to say that the majority of my friends have now switched over, and the Mac has become fairly well-respected as a development platform. Apple knows that once they have people choosing to use Macs for their personal use today, the employees and IT directors of tomorrow will bring Macs into the mainstream corporate environment with them. When that day comes Apple will have something ready.

Security Landscape

To bring things back on track, what has Apple actually done with regards to security? All of the security features built into Mac OS X have been designed to be either invisible or easy to use because, let’s face it, security is always more of an inhibitor than an enabler. It’s hard to describe some of the security features Apple has incorporated over the years, but these include easy security settings, firewall, disk encryption with FileVault, Address Space Layout Randomization (albeit flawed), and basic anti-malware detection. Apple doesn’t want security to be in the user’s face, and went as far as to mock Microsoft for Vista’s frequent “Allow or Deny” alerts. I’ll give credit where it’s due however; Microsoft have done a good job of improving security, and Windows 7 is definitely the most usable yet.

Although there hasn’t yet been much in the way of dedicated attention to Mac OS X security research, as one can expect there have been vulnerabilities discovered in the system and its applications. QuickTime in particular has been plagued with security bugs. In 2010 there was a definite increase in the attention that Mac OS X was getting from researchers and hackers. In the last few years Apple has been criticized for not releasing security updates to users quickly or regularly enough. Whilst I agree that Apple should be more responsive to security, I also have to say that I’ve seen a distinct improvement in Apple’s releasing of security updates in the past two years.

The flipside of the ‘market share’ argument is that it is also the reasoning behind why we haven’t yet seen hackers take a real stab at Mac OS X. I concede that point. But if we look at the current state of things, I would argue that you are still far more secure using an unpatched Mac OS X 10.6 box with no antivirus, than using an unpatched Windows 7 box with no antivirus. Puritans will argue, as I would, that this doesn’t prove the security of something – and I would simply point out that at this moment in time it’s simply the case. We have yet to see a real threat to the OSX platform, such as an attack that is reliably used to remotely compromise a large number of Macs, one which does not require user interaction. Granted, this may very well change in the near future… but it hasn’t yet.

Apple’s Rationale

So when we try to understand why Apple continues to plow forward with its development and innovation, whilst having a sluggish patching cycle, one simply needs to look at the above points. Apple is targeting home users, students, and to some extent new-age geeks, most of whom have far fewer concerns about security than companies who are constantly under attack. They’re putting in the investment and effort where it currently counts, growing the market share. Apple also sees that the current threat profile to OSX is relatively low, and that doesn’t appear like it’s going to change within the year. So from a business perspective, they’re doing the right thing. It’s frustrating for those of us in the security industry to see, what with defense in depth and proactive security and all.

Apple isn’t completely uninterested in security, mind you. They’ve improved their responsiveness in patching, and for the first time ever they’ve invited security researchers to have a first-glance look at Mac OS X 10.7 “Lion”, presumably with the aim of eliminating as many significant vulnerabilities as possible before the update launches. They’ve also been hiring several significant names in the security space, showing that they’re clearly aware of the road ahead and preparing for it. The day will come when Apple has its Microsoft-style push into securing its operating system, and my guess is it will happen well before Mac OS X is ripped to shreds as Windows was.

I’m not saying that Mac OS X is bullet proof, or even that it’s significantly more secure than Windows at this point in time. I’m simply pointing out that at this point in time you’re actually safer out on the big bad internet or other hostile network using a Mac than a Windows PC. To all the Linux/Unix geeks, you guys rule too ;)

4 Comments
  1. Bernard
    Mar 8 2011

    A question relative to Apple market share and exposure to security threats:
    In my opinion, the security breaches on Apple computers should be proportional to the total breaches in relation to the market share ratio. For example, if Apple has a 10% market share, Apple should be exposed to more or less 10 out of 100 viruses circulating on the Internet. But it is not the case. For what reason?

  2. Mar 8 2011

    It’s not that directly proportional. There are many factors that come into play with regards to security. Many developers and hackers understand Windows, its code libraries, and how to make it do things. This knowledge does not translate directly into Mac OS X which is a different platform.

    As such, all of the people familiar with hacking Windows cannot just hop on and hack Macs without re-learning some of how OSX functions and how to make it do stuff. At the moment there has been little incentive for mainstream hackers to start researching and developing skills in this platform.

    In business terms, imagine a company that makes a product, but in order to bring that product to a new market they’ll have to do some re-development. Whether or not the cost of that development warrants the potential return on investment will determine whether or not they’ll bother doing it. In this case the ‘cost’ is the time and effort researchers or hackers will have to put in to start hacking OSX.

    It may not be worth it to them to expend that time and effort for a measly 10%, when with the same time and effort they may be able to find significant vulnerabilities in Windows, or write a new piece of malware that will affect 90% of the market – a market which will allow them to attack most of the world’s businesses instead of just individuals.

    It’s Security Economics 101 ;)

  3. Bernard
    Mar 8 2011

    Yes, but there should at least be a couple of viruses around. Software companies develop software for the Mac platform because there is a market for it. Why not hackers? Apple Market share has more than doubled in the last few years and we are still waiting for a significant increase of viruses on Macs (I haven’t seen any so far).

  4. Mar 8 2011

    Indeed, you’d think there would be at least one real piece of malware by now. But software companies make real money for their software, with apps costing $5-30 on average. They cater to a need, and also to the Mac community to some extent. Malware writers make little-to-no money on each infected host, instead relying on bulk. Take a botnet-style malware as an example. With a really good vulnerability let’s say they manage to infect 20% of Windows’ 90% market share. Now compare that to infecting 20% of Mac OS X’s optimistic 10% market share.

    Market: 100,000,000 computers (example for simplicity)
    Windows share: 90,000,000
    Mac share: 10,000,000
    Infected Windows: 18,000,000
    Infected Macs: 2,000,000

    In reality OSX probably has more like 6-7% market share, so that would reduce the numbers further.

    The number of infected Macs is also optimistic. Because so many Macs are used by people as their home machines, Macs are left unpatched for far less time than some Windows systems that are not tended to as frequently. Apple has shown that Mac users are fairly quick at upgrading, and that the vast majority of users are using 10.5 or 10.6. That’s more or less the equivalent of having the majority of Windows users being on Windows 7, which is definitely not the case.

    This kind of rapid updating would help reduce the number of users that are ultimately affected by a piece of OSX malware. If a severe piece of malware comes out, Apple will probably release a patch within a day or two (at most), and I’d hazard to say that a good portion of Mac users will probably have patched within a few days after that.
