Understanding Apple’s Approach to Security
With Apple’s growing market share in desktop computers, and relative dominance in mobile computing, the security of Mac OS X and iOS is increasingly becoming a talking point. Apple continues to tout the security of OSX, whilst the iOS hacker community keeps looking for (and finding) exploits that will allow them to jailbreak iPhones and iPads. This article is my own look into Apple’s history and strategy, and how this translates into the company’s focus on security today.
When we try to understand Apple’s approach to security, it’s important to see things through Apple’s eyes. To do so I must digress slightly into the history of Apple and its strategy (as I see it). Since the release of Mac OS X 10.0 in 2001, through to 10.7 in 2011 (probably this summer), Apple will have released nearly one major operating system upgrade per year. That’s a fairly aggressive development roadmap. These were not just standard updates either, with each release providing improvements and innovation over the last. I didn’t really consider OSX to be ‘stable’ until the release of 10.2 “Jaguar”, but since 10.4 “Tiger” and 10.5 “Leopard” the OS has, in my opinion, far outstripped the competition. During this time Apple’s had one thing in mind: market share. Not just any market share, mind you, but home users and students. Apple knows that the more attention it spends on features that allow people to do things more easily on their computer, the more attractive its systems will be to the majority of users within their target demographic.
Apple is not interested in corporate market share, yet. Why not? Apple has placed a focus on the ‘lifestyle’ use of their products. Easily listen to your music, easily make music and movies, easily organise your photos, and anything else that allows users to easily use their computers. This kind of focus is not at all in line with the corporate use of computers where importance is placed on the ability to highly configure systems, enforce policies, interoperability and, most importantly, cost. Companies like to buy cheap hardware and run Windows on it, because Windows has adapted very well to the corporate environment over the years. This is not to say that Apple hasn’t catered to the corporate market; Mac OS X Server, Xserve servers and XSAN (storage devices) have been around for years. But while these are great products, in reality these have served as a sort of corporate ‘beta test’ for Apple and for companies interested in running an OSX-based environment.
So far this strategy has worked very well, and Apple is making huge inroads into the home and student markets. In 2002, when I went to university, I was the only one studying computer science with a Mac. Fast forward to 2011, I’d hazard to say that the majority of my friends have now switched over, and the Mac has become fairly well-respected as a development platform. Apple knows that once they have people choosing to use Macs for their personal use today, the employees and IT directors of tomorrow will bring Macs into the mainstream corporate environment with them. When that day comes Apple will have something ready.
To bring things back on track, what has Apple actually done with regards to security? All of the security features built into Mac OS X have been designed to be either invisible or easy to use because, let’s face it, security is always more of an inhibitor than an enabler. It’s hard to describe some of the security features Apple has incorporated over the years, but these include easy security settings, firewall, disk encryption with FileVault, Address Space Layout Randomization (albeit flawed), and basic anti-malware detection. Apple doesn’t want security to be in the user’s face, and went as far as to mock Microsoft for Vista’s frequent “Allow or Deny” alerts. I’ll give credit where it’s due however; Microsoft have done a good job of improving security, and Windows 7 is definitely the most usable yet.
Although there hasn’t yet been much in the way of dedicated attention into Mac OS X security research, as one can expect there have been vulnerabilities discovered in the system and its applications. QuickTime in particular has been plagued with security bugs. In 2010 there was a definite increase in the attention that Mac OS X was getting from researchers and hackers. In the last few years Apple has been criticized for not releasing security updates to users quickly or regularly enough. Whilst I agree that Apple should be more responsive to security, I also have to say that I’ve seen a distinct improvement in Apple’s releasing of security updates in the past two years.
The flipside of the ‘market share’ argument is that it is also the reasoning behind why we haven’t yet seen hackers take a real stab at Mac OS X. I concede that point. But if we look at the current state of things, I would argue that you are still far more secure using an unpatched Mac OS X 10.6 box with no antivirus, than using an unpatched Windows 7 box with no antivirus. Purists will argue, as I would, that this doesn’t prove the security of something – and I would simply point out that at this moment in time it’s simply the case. We have yet to see a real threat to the OSX platform, such as an attack that is reliably used to remotely compromise a large number of Macs, one which does not require user interaction. Granted, this may very well change in the near future… but it hasn’t yet.
So when we try to understand why Apple continues to plow forward with its development and innovation, whilst keeping a sluggish patching cycle, one simply needs to look at the above points. Apple is targeting home users, students, and to some extent new-age geeks, most of whom have far fewer concerns about security than companies who are constantly under attack. They’re putting in the investment and effort where it currently counts, growing the market share. Apple also sees that the current threat profile to OSX is relatively low, and that doesn’t appear like it’s going to change within the year. So from a business perspective, they’re doing the right thing. It’s frustrating for those of us in the security industry to see, what with defense in depth and proactive security and all.
Apple isn’t completely uninterested in security, mind you. They’ve improved their responsiveness in patching, and for the first time ever they’ve invited security researchers to have a first-glance look at Mac OS X 10.7 “Lion”, presumably with the aim of eliminating as many significant vulnerabilities as possible before the update launches. They’ve also been hiring several significant names in the security space, showing that they’re clearly aware of the road ahead and preparing for it. The day will come when Apple has its Microsoft-style push into securing its operating system, and my guess is it will happen well before Mac OS X is ripped to shreds as Windows was.
I’m not saying that Mac OS X is bulletproof, or even that it’s significantly more secure than Windows at this point in time. I’m simply pointing out that at this point in time you’re actually safer out on the big bad internet or other hostile network using a Mac than a Windows PC. To all the Linux/Unix geeks, you guys rule too ;)