Apple entering era of security fear-mongering... from security vendors

Apple is "entering a whack-a-mole era" when it comes to enterprise security, according to Marble Security, a company that — wait for it! — wants to sell enterprise on additional security products. Sadly, their marketing-masquerading-as-threat-assessment is being passed along as reporting, and that does a profound disservice to people who need to be informed and empowered, not manipulated and scared. So, what's really going on with Apple and security?

The security vendor uses both Wirelurker and Masque attacks as the basis for their claims that Apple is leaving enterprises vulnerable to exploits. Both Wirelurker and Masque attacks use enterprise certificates — the system set up by Apple to enable companies to distribute their own custom apps to their own employees — to try and get their malware on the iPhone and iPad. Both rely on things like users downloading pirated apps from pirated app stores in China, and actively dismissing Apple's explicit warning that the software can't be trusted so they can install it anyway.

The crux of the security vendor's argument is that we, humans, can't be trusted, and will inevitably be tricked or tempted into overriding Apple's security.

The reality is that it is impossible to educate millions of iPhone and iPad users to avoid clicking on emails, web pages, or popup dialog boxes. The situation is further complicated by the propagation of malicious enterprise and developer certificates through emails, text messages, and web pages. We also cannot trust that children or other users of shared iOS devices and BYOD devices have not been tricked into clicking onto such a lure.

Not only is this complete and utter bullshit, but by infantilizing adults and demonizing children to prey on the fears of IT administrators, it tells us pretty much all we need to know about the motivations behind this "report". (Can I be educated not to hand my phone over to a crying student who claims they desperately need to call their parents?)

Marble proposes several solutions, including:

App publisher reputation services to detect if apps on employee devices are from unknown or non-trusted publishers, or if apps have been installed using non-trusted enterprise provisioning certificates

Which is exactly what Apple already does. It's exactly how they killed apps infected by Wirelurker.

Some of Marble's other proposals aren't terrible, but even they would be better implemented at the system level, not at the third-party level. We're long past the age of anti-virus parasite-ware. Security is now, as it should be, a core function of the operating system. It's something that needs to be, and is, built into the stack from top to bottom.

That's the greater point being missed here — that what Apple has done isn't all they'll ever do. Even a casual glance at the evolution of Apple's security model over the last couple of years would suggest it's something they spend an incredible amount of time and resources on. It's something that's getting better version after version.

That doesn't help security vendors sell their "solutions", of course. Fear, uncertainty, and doubt do. In that context, Wirelurker, Masque Attack, and the incredibly poor reporting on both that permeated the media no doubt have their marketing departments salivating.

But it's what everyone, IT departments included, should consider when really thinking about the future of their security, enterprise and otherwise.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • Being as successful as Apple is tough indeed. There are a lot of reporters/youtubers who use Apple's success for a living. Not all are ethical though.
  • Nice, on one hand you have these assholes screaming, "Apple devices are insecure and vulnerable so buy our software to fix it!" Meanwhile, the dipshits at the NSA, CIA, and wherever else are trying to muscle tech companies into making devices less secure in the interests of public safety. Makes perfect sense in this screwed up world. I would love it if someone at iMore could write a comparison story on this >>>cough, cough<<<< Peter Cohen! Maybe good NSFW material for this week?
  • +1 Sent from the iMore App
  • I couldn't agree more.
  • If Apple minded corporate users' -- or any users' -- security, they would backport Safari security patches to the iOS7-running iPhone 4 devices that enterprises and consumers bought last year on two-year (or longer) contracts. When our IT-dept was marketed Windows Phone recently, the sales representative did not fail to point this fact out. Microsoft, he assured, unlike Apple, supports the products throughout their entire lifespan. They will not leave enterprises hanging in a loose rope, susceptible to simple web-based security threats. This is of course true. Apple has plenty to do still to match that. Security of course costs money, and on this score different companies have different priorities. I doubt Apple under Cook will ever become a security-first branded company, since that would cut too deep into their profit margins. Both Google and Apple have admitted that segment to Microsoft. I do not agree with that business strategy for the long term, but Cook has always been all about short-term profit over long term benefits. This is evidenced in Apple Maps quality (or its arrant lack of), iOS development quality control, the strategy of keeping selling obsolete hardware years after the launch to cut down R&D costs, etc. Apple is nowadays ever ready to trade security, quality and brand impression for cost savings.
  • Well, sir, riddle me this... if any of what you have just postulated about Google and (mainly) Apple mobile device security vis-à-vis Microsoft's is anything other than sheer marketing conjecture pitched to your IT Department, kindly explain why the Security establishments of so many nation states (e.g. FBI, NSA and various Federal and State Police departments in the USA alone) have been so vocal in the expression of their unease at the high level of security and encryption present in the latest iterations of Google and Apple's mobile OS'es, Android Lollipop and iOS8, and desire their deprecation in furtherance of their interests? Or why the Banking, Credit Merchants and Retail payments systems are so confident in Google Wallet and pretty ecstatic about Apple Pay as to unanimously accept to roll out these features on a nationwide basis, to be followed by a global implementation? Or why certain retail outlets with upcoming, competing payment systems have turned off their NFC POS counter devices to thwart the same? Can't have it both ways, can we? They are either more secure or not, and the above facts constitute pretty much ringing endorsements of the new security models of the big 2 handset OS players.
  • I am not following you. So iOS7-running vulnerable Safari is secure in the enterprise setting because a locked device cannot be decrypted under certain conditions? Of course the three-letter governmental bodies will oppose any improvements in end-user security. That is their job in the US. At the same time, they will gladly accept all the *neglected* security issues which Apple by design are leaving in a very large number of devices -- especially those sold to enterprise users. That was the sales pitch's point, that MS, in contrast to Google and Apple, concerned about the enterprise market of which it depends and which it owns unlike anyone else, cannot afford to compromise security in the corporate market and is not playing along. They *do* patch IE. They *do* offer enterprise settings centralised device management, security controls etc.
  • (Windows) IT administrators love all the security FUD whipped up around Apple, as they try to keep Apple at bay. But it's not going to help them very much in the long run, is it?
  • I didn't read who wrote the article and saw: "Complete and utter bullshit" And assumed Peter wrote it. I swiped back and, holy crap, it was Rene. Sent from the iMore App
  • This isn't the first time he's used profanity to convey his emotions on people attacking Apple products. Posted from the amazing whatever device I can afford because I'm a broke college kid.
  • Right on dude. Couldn't have said it better myself. Sent from the iMore App
  • Honestly I think these anti virus companies are becoming less and less relevant. Even Windows now has security and anti virus built in.
  • After 14 years of being with Windows, I *just* made the switch to a Mac (MacBook Pro), and I still have in the back of my mind that "need" for an anti-virus program. It feels rather strange not having one running all the time :p (I do have ClamXav for occasional scans though).