PC Pro

Is Apple’s security slipping?

A series of bugs and patches suggests that the tech giant’s quality control isn’t what it used to be


APPLE’S SELF-PROCLAIMED reputation for cast-iron security is faltering after tracts of the company’s all-important source code were posted online.

Apple has frequently boasted of how secure its operating systems are compared to Windows and Android, but a series of recent embarrassments have tarnished its image.

The company admitted that a key part of the source code for iOS has been posted online after an intern managed to steal the code. Although Apple forced GitHub to remove the post, it’s understood to have been widely distributed.

The leak involved iBoot, the part of iOS that’s responsible for ensuring a trusted boot of the operating system. Although the code is two years old and from iOS 9, experts believe it could still offer hackers an insight into how phones could be compromised.

“It’s an embarrassment for Apple – your code is the crown jewels so to have it leaked is bad news,” said Alan Woodward, a security specialist at the University of Surrey’s Department of Computer Science. “It gives an insight into the code and might help you work around security aimed at locking the code, rather than providing something such as malware.”

Woodward said the publication of sensitive code might not result in an immediate security breach, but could lead to problems further down the line. “It obviously gives hackers a chance to see more than they might otherwise do and if there is a way of abusing some existing feature, say, they might find it,” he said.

“I suspect the real issue is more to do with writing code that might simulate the real code in some way – the big disadvantage hackers have is they don’t (as I understand it) have Apple’s digital certificates.”

Long-term leak

The leak actually took place at least two years ago, but remained in limited circulation among a small group of jailbreakers before being posted anonymously on GitHub. Apple claims that the age of the leaked code and the company’s aggressive update release cycle should minimise threats.

“By design, the security of our products doesn’t depend on the secrecy of our source code,” Apple said in a statement. “There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”

However, because software is developed incrementally, old code could still be in use in the latest versions of iOS. “The code might be ‘old’, but code evolves rather than being a completely new set of code each time there is an update,” said Woodward. “Old code can reveal quite a lot about the way in which features are typically implemented.”

Bug bombs

The news comes as Apple deals with a slew of embarrassing software problems, including “bug bombs” that crashed phones and Macs when a certain character, link or symbol was included in messages to devices. The latest, the “Telugu text bomb”, caused devices to freeze when sent a message containing an unsupported character from the Indian language. Word spread and people started to include the character to crash other devices.

Apple has moved to fix the issue (with iOS version 11.2.6 and macOS version 10.13.3), but the fact that so many problems are emerging within active systems is a concern.

At the end of December, the company was alerted to a critical security vulnerability for macOS High Sierra that allowed anyone with physical access to a Mac to gain system administration privileges without even having to enter a password. In the first seven weeks of 2018, the company has been forced to release 14 security updates across its stable of products.

“There is definitely a growing impression that Apple seems to have had a few quality issues,” said Woodward. “The volume of updates is quite surprising.

“You would imagine that some of these things would be picked up in simple testing, which is what makes them all the more surprising. This isn’t about deliberate attacks by hackers per se, more an indication that Apple is letting things slip through the net into the wild.”

BELOW Your Mac devices may not be as secure as you think…
