Apple is doing enough

Pros & Cons: is Apple doing enough for security?

Lately there have been reports of security vulnerabilities in macOS and iOS. Is Apple's commitment enough to keep its systems secure?

Article from Mac & i issue 1/2018, page 7

Per

With all the excitement about major and minor security loopholes, you should keep your distance and look at the big picture. Apple has been on the subject for a long time and is making the right strategic decisions. With macOS, FileVault, XProtect, App-Sandboxes and System Integrity Protection prove the commitment to a stable, resilient Mac.

iOS as a younger operating system was built around a strong security concept. It was so strong that certain innovations (such as a cross-app file browser) only reached the platform late - but were stable and secure.

People write software, and people make mistakes. Powerful and convenient functions always mean new factors of uncertainty. Apple employs skilled security experts so that gaps do not arise or are closed quickly, but also needs the help of users. Apple rewards those who search for iOS bugs on their own with two beta programs, named after those who discovered bugs in the security messages and the well-endowed bug bounty program.

By hiring hackers like Jonathan Zdziarski, the company also increases its competence in detecting security leaks within the company.

The really serious loophole in macOS, where users without password knowledge could grant themselves root rights, was fixed by Apple within two days. More complex problems like Meltdown and Specter take longer to fix, but Cupertino was almost done when the hole in almost all processor architectures became public in December. The developments of the last few months in particular show that security is not just lip service for Apple. (imj)

Contra

Only recently, a user in High Sierra was able to miss out on admin rights due to an incorrect password check in the system settings - a disaster. The Fruitfly malware was allowed to wreak havoc for 13 years, transferring screenshots, keystrokes and webcam photos from the Mac.

The integrated firewall, which prevents external access, is deactivated by default. Gatekeeper and XProtect can handle developer certificates, which even bad guys can get from Apple far too easily. A ransomware that wants to encrypt a lot of files in a short time in order to then demand a ransom cannot be recognized by macOS. Why isn't Apple hiring security expert Patrick Wardle, along with his countless helpful - and free - tools?

It may be that Apple brought High Sierra and iOS 11 patches against Meltdown and Specter quickly, but [Update:] Why did the security updates for macOS Sierra and El Capitan come so late? [/ Update] It remains unclear whether there will also be updates for older iOS systems. A bug bounty program for the public search for security vulnerabilities does not yet exist for macOS, but only for iOS, and there, too, there is - comparatively little - money only if one can prove particularly blatant weaknesses. Microsoft, Google & Co. are less strict and much more generous. A program for macOS would be more important because its open structure makes it more vulnerable than the isolated iOS.

For security gurus, it pays off in the end to work with commercial firms, law enforcement agencies, or intelligence agencies - or worse, sell their knowledge to criminal organizations. (thk)

Who is right? Discuss with us!

Previously on the pros and cons: Was the Touch Bar a good idea?

(thk)

Read comments (69 posts) https://heise.de/-3949013Drucken