Although Apple has long had a reputation for superior data security and protection of its customers’ privacy, there have been some cracks in the facade this year. First, there was the “gotofail” bug, caused by a basic C coding mistake, that compromised proper validation of Secure Sockets Layer certificates on the company’s iOS and OS X operating systems. Then there was the recent breach of iCloud via Find My iPhone, resulting in the exposure of photos from some celebrities.
These incidents are useful reminders that Apple’s dearth of cyber security troubles could stem from the low market share of its platforms compared to competitors such as Microsoft Windows on desktop and Android on mobile. For example, at this year’s Worldwide Developers Conference, Apple CEO Tim Cook announced the shipment of 800 million iOS devices since the OS emerged alongside the first iPhone in 2007. But according to Gartner, more than 1 billion Android devices will be shipped this year alone. On sheer numbers, Android also accounted for 85 percent of the market in the second quarter of 2014.
Market share isn’t everything, but it’s a pretty good guide when trying to understand how malware authors choose their targets. Apple’s products and services are often passed over since they encompass fewer users than others do, not because they are inherently that much more secure (although iOS may have a firmer advantage over Android in this respect than OS X does over Windows). However, the shortcomings highlighted in iCloud and Find My iPhone show that the growing Apple user base coupled with several security oversights is putting more pressure on user data.
With new iPhones and the Apple Watch on the horizon, it’s worth looking at what has not worked with Apple’s approach to security so far and what might shore up its weaknesses. The firm’s planned entry into the payments and health/fitness tracking spaces illustrates the heightened stakes for ensuring comprehensive protection. Plus, for CIOs, there’s the long-term trend of more Apple devices being introduced into the enterprise. Statistics from Good Technology indicated that iOS accounted for 88 percent of enterprise app activations in Q2 2014.
The troubled history of Find My iPhone and Find My Mac
Going into every theoretical and actual vulnerability in the Apple ecosystem is beyond our scope here, so we’ll just look mostly at two device management services: Find My iPhone and Find My Mac, both part of iCloud. Like many features pushed by Apple, both also have good intentions (i.e., find your missing device quickly and securely via location tracking) but haven’t always been fully secured.
Find My Mac and authentication
Wired writer Mat Honan made headlines two years ago after he lost control over many of his personal Internet accounts, from Twitter to Gmail, thanks to flaws in Apple and Amazon security mechanisms. While he praised Find My iPhone, he traced many of his issues back to Find My Mac.
He pointed out that at the time, the service required a 4-digit PIN to perform remote hard drive wipes, but that the code wouldn’t have to be entered if the associated iCloud account had been broken into. He proposed another means of authentication in addition to the PIN.
As of March 2014, though, there were still loopholes. One GitHub user posted code that could bypass Find My Mac, including its waiting periods between failed login attempts, in just over a minute. Though Apple is worthy of some blame here, it’s worth noting that PINs in general are a subpar means of authentication. Half can be cracked within 426 guesses, and the most straightforward combo – “1234” – accounts for 10 percent of all PINs.
Find My iPhone and the August 2014 photo leaks
In the absence of contextual information, brute-forcing is usually the best way to crack a password. This technique is basically high-tech trial and error: instead of manually re-entering a bunch of different combinations until the right one is found, a script and/or powerful supporting infrastructure is used to quickly power through the possibilities.
Fortunately, many Web services already guard against this hacking methodology. After a certain number of unsuccessful tries, the entrant may be locked out indefinitely and required to recover account information by supplying additional details (e.g., the answer to a security question or an SMS code).
Initial reports about the iCloud photo leak, however, contended that Find My iPhone lacked such protections. In that case, any user whose account was secured by a weak password could have had data compromised in short order by a brute-force tool like the one published to GitHub by the group Hackapp. After that, the attackers would have access to iCloud accounts.
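The lockout behaviour described above is the kind of control Find My iPhone was reported to be missing. The following is an added example, not code from the original article or from Apple, showing how a per-account lockout guard works and why it defeats a scripted guessing loop. The password hashing, the policy values (five failures, fifteen-minute lockout) and the account and word list are all constructed for illustration; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Hypothetical policy values chosen for this example, not any vendor's settings.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900  # 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so that stolen records cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """Minimal credential store keyed by username (constructed for the example)."""

    def __init__(self):
        self._users = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so unknown usernames take the same time as known ones.
            hash_password(password, b"\0" * 16)
            return False
        salt, digest = rec
        return hmac.compare_digest(hash_password(password, salt), digest)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Wraps a verify(username, password) callable with a per-account lockout.

    attempt() returns "ok", "denied" (wrong password, not yet locked) or
    "locked" (no verification is even attempted while the lockout holds).
    """

    def __init__(self, verify, clock=time.time):
        self._verify = verify
        self._clock = clock
        self._state: dict[str, AccountState] = {}

    def attempt(self, username: str, password: str) -> str:
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"
        if self._verify(username, password):
            st.failures = 0  # a good login clears the failure counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def simulate_guesses(guard: LoginGuard, username: str, candidates) -> dict:
    """Feed candidate passwords in order, as a guessing script would, and
    tally the guard's responses; stops at the first success."""
    tally = {"ok": 0, "denied": 0, "locked": 0}
    for pw in candidates:
        outcome = guard.attempt(username, pw)
        tally[outcome] += 1
        if outcome == "ok":
            break
    return tally


class FakeClock:
    """Controllable clock so the lockout expiry can be tested deterministically."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def run_demo():
    store = UserStore()
    store.add("alice", "correct-horse-battery")  # constructed account
    clock = FakeClock()
    guard = LoginGuard(store.verify, clock)
    # Constructed word list; the real password sits in 8th place, past the threshold.
    wordlist = ["123456", "password", "qwerty", "iloveyou", "abc123",
                "letmein", "monkey", "correct-horse-battery", "dragon", "111111"]
    tally = simulate_guesses(guard, "alice", wordlist)
    during_lockout = guard.attempt("alice", "correct-horse-battery")
    clock.now += LOCKOUT_SECONDS + 1
    after_lockout = guard.attempt("alice", "correct-horse-battery")
    return tally, during_lockout, after_lockout


if __name__ == "__main__":
    print(run_demo())
```

Four guesses are answered "denied", the fifth trips the lock, and the remaining candidates, including the correct password, are refused without being checked; the legitimate owner gets in once the window has passed. In a production service the same counter would also feed a throttle keyed on source address and an alert when many accounts lock at once, since a lockout that is only visible to the attacker is a mitigation but not a detection.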
The flaw was quickly patched and Apple denied that there was any breach, only that a “targeted attack” had scraped the photos. There’s a clear trend here, though, of authentication troubles involving services (namely iCloud) that are essentially proxies for users’ digital identities.
Two-factor authentication, iCloud and Near-Field Communications payments
To its credit, Apple has usually worked quickly to stay on top of security lapses. But the long-term issue is implementing mechanisms that prevent incidents such as the photo leak from ever taking place.
Two-factor authentication is a good start. So far, it covers signing in, purchasing content from new devices and Apple ID support. Ideally, it would be extended to cover documents, photo backups and other iCloud backups.
There’s also cause for optimism in the company’s experimentation with Near-Field Communications. Often used to make payments, the technology is included in the iPhone 6 and iPhone 6 Plus as well as the Apple Watch. It can provide contextual information by, for example, cross-referencing where a purchase was made with where the consumer usually hangs out.
For enterprises, Apple’s stance on security is more relevant than ever. Organizations are moving away from homogenized device fleets and instead incorporating iPhones, iPads and other gadgets alongside traditional PCs. CIOs must act with care and ensure that they have an endpoint security strategy that accounts for risks from within and without.