Apple Security Talk Suggests iOS Limits
Apple rightly earned plaudits for delivering a presentation on iOS security at Black Hat. But what was left unsaid may have revealed new details about its hush-hush app-review process.
Over the preceding hour, De Atley delivered an overview of the security mechanisms--including secure boot chain and app code signing--that are built into the iOS operating system that runs recent generations of Apple's iPhone, iPad, and iPod Touch, and which help keep the devices malware-free.
But in terms of imparting knowledge, the session didn't break any new ground. It essentially recapped the contents of an iOS security whitepaper Apple released in May. Furthermore, Apple hackers have been hard at work since the first iPhone appeared, and books such as the iOS Hacker's Handbook, released in May, cover everything De Atley detailed, and more.
Did Apple miss an opportunity by failing to engage with attendees in the near-capacity conference room? For some security experts, simply showing up is a start. "While the presentation lacked the details usually seen in BH talks, it definitely showed Apple is trying to open up," noted Kaspersky Lab senior antivirus researcher Roel Schouwenberg in a blog post. "Being (more) communicative is vital to doing security response right. This is of particular importance for Apple as there were quite a few talks focusing on Apple's security ... ranging from attacks on iOS to Mac-oriented EFI [extensible firmware interface] rootkits."
[ Check out security best practices in 5 Black Hat Security Lessons For CIOs. ]
Indeed, running at the same time as De Atley's presentation was an applied workshop on The Dark Art of iOS Application Hacking. As Apple was providing a philosophical take on iOS security, Black Hat instructors were helping attendees get their hands dirty. As the Flashback malware outbreak proved, Apple's products aren't immune to malware, never mind the legions of devoted hardware hackers who populate Black Hat.
Might Apple have come to Vegas simply to atone for past sins? Perhaps, but if so, some conference attendees criticized Apple for not going far enough, as well as for its security spin, such as the "Apple designed the iOS platform with security at its core" assertion De Atley made during his talk. "I think he meant in theory," said Charlie Miller, a computer security researcher with consulting firm Accuvant and co-author of the iOS Hacker's Handbook, in an interview at Black Hat. "When the first iPhone came out, nothing that he talked about was on it. So it sucked, and then it got slowly better, and then about a year ago, it got to where it is now, and it's pretty good."
What had iOS security aficionados such as Miller been hoping for from the presentation? Miller said he would have liked the opportunity to ask about the iOS "secret sauce," such as how the development team audits code, whether it looks for malware, and whether it kicks out developers that it sees repeatedly submitting malicious code. "No one knows," he said. "They don't explain how the review process works."
Still, what the presentation didn't detail did provide food for thought. "When I talk about iOS security, I say one of the reasons you don't get malware on iOS is because of the malware-review processes," Miller said. "For me, that's a fundamental part of malware prevention in iOS, but [De Atley] didn't even mention it. So it made me think, maybe ... it's purely that they check that developers are using approved APIs, rather than checking to see if something is malicious."
"If only there was someone we could have asked these questions," said Miller, as our interview at Black Hat concluded. "If only there was someone here from Apple."
Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)