Apple is "entering a whack-a-mole era" when it comes to enterprise security, according to Marble Security, a company that — wait for it! — wants to sell enterprise on additional security products. Sadly, their marketing-masquerading-as-threat-assessment is being passed along as reporting, and that does a profound disservice to people who need to be informed and empowered, not manipulated and scared. So, what's really going on with Apple and security?
The security vendor uses both Wirelurker and Masque attacks as the basis for their claims that Apple is leaving enterprises vulnerable to exploits. Both Wirelurker and Masque attacks use enterprise certificates — the system setup by Apple to enable companies to distribute their own custom apps to their own employees — to try and get their malware on the iPhone and iPad. Both rely on things like users downloading pirated apps from pirated app stores in China, and actively dismissing Apple's explicit warning that the software can't be trusted so they can install it anyway.
The crux of the security vendor's argument is that we, humans, can't be trusted, and will inevitably be tricked or tempted into overriding Apple's security.
The reality is that it is impossible to educate millions of iPhone and iPad users to avoid clicking on emails, web pages, or popup dialog boxes. The situation is further complicated by the propagation of malicious enterprise and developer certificates through emails, text messages, and web pages. We also cannot trust that children or other users of shared iOS devices and BYOD devices have not been tricked into clicking onto such a lure.
Not only is this complete and utter bullshit, but by infantilizing adults and demonizing children to pray on the fears of IT administrators, it tells us pretty much all we need to know about the motivations behind this "report". (Can I be educated not to hand my phone over to a crying student who claims they desperately need to call their parents?)
Marble proposes several solutions, including:
App publisher reputation services to detect if apps on employee devices are from unknown or non-trusted publishers, or if apps have been installed using non-trusted enterprise provisioning certificates
Which is exactly what Apple already does. It's exactly how they killed apps infected by Wirelurker.
Some of Marble's other proposals aren't terrible, but even they would be better implemented at the system level, not at the third-party level. We're long past the age of anti-virus parasite-ware. Security is now, as it should be, a core function of the operating system. It's something that needs to be, and is, built into the stack from top to bottom.
That's the greater point being missed here — that what Apple has done isn't all they'll ever do. Even a casual glance at the evolution of Apple's security model over the last couple of years would suggest it's something they spend an incredible amount of time and resources on. It's something that's getting better version after version.
That doesn't help security vendors sell their "solutions", of course. Fear, uncertainty, and doubt does. In that context, Wirelurker, Masque Attack, and the incredibly poor reporting on both that permeated the media, no doubt has their marketing departments salivating.
But it's what everyone, IT departments included, should consider when really thinking about the future of of their security, enterprise and otherwise.
