Insights For Success

Strategy, Innovation, Leadership and Security

IOS from the eyes of a security person

technologyEdward KiledjianComment
Image by Donald Lee Pardue under Creative Commons License

Image by Donald Lee Pardue under Creative Commons License

When I read Apple's 33 page IOS Security Paper I was blown away (link). Not because its perfect security but it is as close to perfect as it can get in a generally usable commercial product. This unprecedented look inside the Apple security hive mind answered many of my questions and reaffirmed my belief that Apple makes the most secure general use electronics around.

At WWDC, I had high hopes and Apple exceeded even my wildest expectations. First they clearly know their competition and are actively listening to their customer complains. The biggest, and most surprising revelation, was the new more open stance they are adopting with IOS 8 (translating to 4,000 new application programming interface calls (API)).

Developers will be able to write extensions to Notification center, build third-party keyboards (like Skwype or Swiftkey) and add inter-application data sharing. None of these are industry leading firsts but they are unexpected gifts Apple is bestowing on its adoring public.

But I'm not a regular user

Over the years, I have stayed with Apple smartphones (over Android and Windows Phone) not because I'm a fanboy but because it has always taken security more seriously. It has always allowed for more granular control of my device security settings which is a must with me.

This more open Apple, these new features are wonderful for users but as a security professional, I worry about the new attack vectors they will open up. Apple did say that they purposely waited to add these features (even though customers had been demanding them for some time) because they wanted to find secure ways of implementing them. They chose to start with extreme restrictions then slowly open the spigot as they found safe ways to get the job done.

One problem is the gold rush I expect to see shortly. This is where new and existing developers start writing apps and widgets for these newly opened services without paying attention to proper security controls. Many will want to be first hoping for a huge payday and couldn't care about ensuring their apps are secured. Did Apple implement enough controls to ensure this doesn't lead to new vulnerabilities?

The second problem is that Apple is launching cool new platforms for home automation control (Homekit) and healthcare (healthkit). These new additions will significantly increase the value of the information stored on your device thus motivating "more bad actors" to work harder at breaking into and stealing your information. Apple will become a bigger target and will have to react faster to security vulnerabilities and exploits. 

Additional protection in IOS 8

Apple has created a new programing language called Swift (link). Apple toutes that Swift:

Swift eliminates entire classes of unsafe code. Variables are always initialized before use, arrays and integers are checked for overflow, and memory is managed automatically. Syntax is tuned to make it easy to define your intent — for example, simple three-character keywords define a variable (var) or constant (let).

If Swift works as advertised, then it will definitely make future IOS applications more secure by automatically handling many of the situations that lead to vulnerabilities. Unfortunately developers will still be able to use the older  Objective-C which doesn't provide these better automatic control which could lead to vulnerabilities.

The major SSL Vulnerability IOS devices experienced due to a programming bug (the Go to fail bug.) This issue is fresh in many researchers minds and here's hoping Apple does what it has to do to keep protecting its users.

Verdict

Ultimately I believe Apple's IOS platform is still the most secure mobile operating system available today and I hope Apple continues investing to keep it that way. These new features are clearly a response by Apple to Android's growing popularity and they have to be careful not to fall into the quick response hastily planned vulnerable new feature trap.

I am eagerly waiting for an updated security whitepaper