No, Apple doesn't need to 'open up' to malware fear-mongers

Earlier this week the CEO of an anti-virus company wrote a "guest editorial" on a popular technology website, saying it was time for Apple to "open up" and — wait for it — allow anti-virus software on the iPhone and iPad. The premise is self-serving and the headline spit-take inducing, and it's absolutely not worth rewarding negative attention seeking with attention. However, it is important to address the fear, uncertainty, and doubt (FUD) the "guest editorial" is trying to spread.

The CEO starts off by bringing up Xsser as an example of why we should be concerned about the security of iOS. Xsser is a type of spyware that can steal data from iPhones and iPads — if the owner first jailbreaks them and then downloads something like an infected Debian package.

The CEO chooses not to mention that and, even though it's immediately mentioned in the comments, the "guest editorial" hasn't been updated to correct the omission.

Next, the CEO claims that BYOD, the bring-your-own-device trend that's helped the iPhone and iPad gain a growing presence in enterprise, will turn into a disaster because Apple won't give "security professionals" the cooperation and system-level access they need to protect our devices.

iOS is already so well protected, however, that exploits typically require explicit user overrides — jailbreak, the downloading of pirated apps, the acceptance of untrusted certificates — to get any access to our data at all.

Just like Xsser can only infect a jailbroken device, the type of system-level access the CEO is asking for under the guise of "openness" would only make us more vulnerable to malware, not less.

If security were the real agenda here, the CEO would ask for Apple to increase their own, already impressive anti-malware efforts on iOS. That way we'd get all the benefits but none of the risks.

Instead, the agenda here appears to be spreading misinformation in a deliberate attempt to make both direct customers and IT departments afraid so that, presumably, Apple somehow feels pressured to change.

Well, Apple won't. They're smarter than that, and we are too. We know that misinformation is simply another form of malware. Just like we know this "guest editorial" isn't trying to protect us, it's trying to exploit us.

Rene Ritchie
Contributor

71 Comments
  • Well said, Rene! (Surprised no Rene/Apple haters have mouthed off yet.....wait for it...)
  • It's okay, I've arrived to fulfill what you're asking for. Wait.... This time I actually agree with him. iOS is do secure and doesn't need third party help to make it better. The fact that iOS 8(. Fill in the blank) has yet to be jail broken is proof of this dedication to cracking down on exploits in the system. But to be fair, once there is a jailbreak available I'm hoping on it. I like being able to do weird things to make my iPhone feel like it's mine. (when I bother to use it mind you) Posted from the amazing whatever device I can afford because I'm a broke college kid.
  • You do realize there had been a jailbreak for months for iOS 8-8.1. So your statement of no jailbreak being available is false. I've had my iPad Air jailbroken for weeks and my iTouch 5. There isn't a jailbreak yet for the new iOS 8.1.1 but it's only a matter of time by Pangu. Posted via the iMore App for Android
  • How did I miss that?? So much wut right now. Thanks for informing me.. Posted from the amazing whatever device I can afford because I'm a broke college kid.
  • Yup from Pangu haha. Works flawlessly. Posted via the iMore App for Android
  • You mean "jailbroken" college kid?
  • Autocorrect did it, I didn't care to fix it Posted from the amazing whatever device I can afford because I'm a broke college kid.
  • The article is self-serving, but that does not mean more open scrutiny would be a bad thing. The phrase "..so well protected" is meaningless, especially when paired with a qualifier that "most attacks require" and an OS history that includes, in addition to the aforementioned WireLurker:
    - An OS compromisable by a crafted text message ( http://www.cnet.com/news/researchers-attack-my-iphone-via-sms/ )
    - SMS system easier to spoof than even Android's ( http://www.cnet.com/news/iphone-sms-vulnerability-not-present-in-other-o... ). Not awful in and of itself, though it opens the doorway for easier phishing attacks.
    - Siphoning of personal data after trusting a computer/charging station, without a way to remove the trust ( http://www.infotransec.com/news/juice-jacking-vulnerability-ios )
    - Apps being transparently replaced on devices that use enterprise bundling ( http://www.cnet.com/news/apple-ios-bug-lets-fake-apps-sneak-onto-iphones... )
    None of those require a jailbroken device. Some do require user interaction, but, then again, so do virtually all Windows attacks. If we are going to count jailbreaks, then we may wish to mention that jailbreaking itself is a root level attack, defeating Apple's security measures, and usually out weeks, if not days, after each software release. Some of those exploits - excuse me, jailbreaks - have not even required tethering.
    The point is not that Apple is bad at security; they are usually pretty damn good, and have corrected some of the above already. However, they do not catch everything, because, no matter how good they are, no one party *can* catch everything. Asking Apple to step up their own efforts is fruitless, because those efforts still come from the same opaque single entity under the same corporate guidance. Another 40 people inside Apple may not uncover what a Charlie Miller might, because Miller, in addition to being talented, is operating under a completely independent set of motivations.
    The benefit of having multiple parties with *multiple different agendas* combing for vulnerabilities is that each party has different interests, tactics, and people, so each party might catch something another party might miss. So yes, this article may be penned by a self-interested clown, but that does not mean Apple has no problem lurking here with a single-source security setup.
  • His point wasn't that Apple needed third-party scrutiny (which in and of itself is fallacious, because plenty of exploits affect open source code that anyone could have scrutinized — including some of the biggest in history), but that it needed third-party protection. An argument could be made for some of what you said, but he came nowhere close to making it.
  • The point is not that open source code is bug free, but that the more eyes looking at the code, the more likely those bugs are to be found. Sent from the iMore App
  • You'd think Linux would be 100% bug-free by now.
    All those eyes.
  • No argument. But as Renegade points out, that wasn't the argument made. Sent from the iMore App
  • And by Renegade, I obviously meant Rene. But maybe that should be your new nickname. Renegade Rene Ritchie. Sent from the iMore App
  • Yup...I thought I was careful enough with "but that does not mean.." was expanding the discussion to a related, but distinct, issue. I suppose next time I will have to preface it with a <meta name="description" content="Related topic"/> tag, unless of course I can get a cool (autocorrect derived?) nickname like Renegade :)
  • RE: "but that the more eyes looking at the code, the more likely those bugs are to be found." That only works if all those eyes know what to look for. Personally, if I were auditing for security, I'd rather take ten OpenBSD devs over a hundred Linux or Mac devs.
  • Depends on the bug, really. Apple's embarrassing "goto fail" SSL bug ( https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apple... ) was a security hole, but it would not take a security expert to find it, just a fresh set of eyes whose incentives are not tied to the annual release schedule. Of course, that does not mean other eyes would be guaranteed to catch it; otherwise OSS projects would be bug free, and they obviously are not. The extra scrutiny is not about guarantees; it's about increasing the probability that inevitable human mistakes are caught. Sent from the iMore App
  • I may be remembering wrong, but wasn't goto fail in one of the open components? Sent from the iMore App
  • No...gotofail was an Apple thing. Heartbleed, another serious SSL vulnerability that surfaced around the same time, was in OpenSSL, in large part because there were a shockingly low number of active committees for such a crucial piece of infrastructure. Open source is no guarantee of bug-free code. Which is kind of my only point here - not that OSS is intrinsically superior, but any development process where humans do the coding is vulnerable to mistakes creeping in, having more people with different incentives look through the code is a good strategy to catch mistakes, and that Apple would be well served by adopting more of that approach during development.
  • So consider the number of mind blowingly horrible viruses on the windows platform compared to those on the mac platform. It seems to me that they are doing something right. Only as the mac has gotten popular over the last few years have most hackers even taken notice.
  • If you read your own comment carefully, you'll realize the explanation to your first two sentences is contained in the third.
  • Couldn't have said it better. It's true the article was indeed self-serving, but Rene's knee jerk reaction is equally myopic. Security through obscurity is no security. If a system is not open to public scrutiny and auditing, any assumption of security is purely conjecture.
  • The security isn't obscure, the system simply isn't accessible. "NORAD isn't secure because I can't sell my anti-virus to them!"
  • You keep replying as if I am arguing that Apple needs to allow virus scanners. Reread the comment carefully. Nowhere have I (or anybody else who has replied) said or even implied that.
  • It's not surprising that a security company is insinuating iOS is insecure because they want to peddle their crap on the platform. I guess the Android landscape is saturated and they're desperate to expand their horizons. But that's beside the point. iOS shouldn't be blindly accepted as secure, because Apple says so. In fact, over the past months we've seen that Apple has a lot of work to do when it comes to security. My point is in order to test the validity that a system is secure, it has to be open to public scrutiny and auditing by security researchers. In this sense, the author of the article has a point. Android's openness, for example, allows independent security researchers to expose exploits in public that Google can later fix. Yes, it's embarrassing. Yes, it's bad PR. Yes, Google takes lumps for it. But the resultant effect is that their platform becomes more resilient to exploits because of public exposure. This doesn't happen in closed systems. Hiding your security exploits from the public doesn't mean those exploits don't exist, or won't be taken advantage of. And using PR campaigns to paint the picture of security doesn't change reality. When it comes to security, there's no substitute for openness, transparency, and peer review.
  • Apart from well-known security confabs like Pwn2Own with their well-publicised, expert exploits of vulnerabilities on all the known mobile platforms, there is an established reporting procedure for discovered and in-the-wild security holes on all platforms that has stood the likes of Apple and Google etc quite well without all the public "washing of dirty linen". The "security by obscurity" mantra has been repeated often over the years, even as Apple's device market share has exploded upwards spectacularly on both IOS and OS X, and yet, and yet, this unstoppable proliferation of malware has yet to materialise - year after year, it's "just you wait till next year", etc. Apple's measures for dealing with platform security are still standing it in good stead without the need for open debate, which in itself does not imply that no meaningful debate, consultation or countermeasure take place - were that the case, we would be hearing several "Swiss-cheese"-like epithets being bandied about in connection with their platforms. The mobile platforms that bear the brunt, the highest percentage of real-world instances of malware infestations are well-known to all and sundry, and no amount of PR, peer review or transparency can alter the hard, immutable facts of the matter.
  • OSX market share has NOT exploded. Bear in mind also that a proportion of those Macs will be running windows. Some exclusively.
  • I see the point of your comment, but Android isn't as open as people think. Unless I'm wrong, only the AOSP is open all of Google's apps are not and having all these "eyes" watching the code hasn't helped android and its many many many bugs (not to mention security holes). Opening iOS up to be seen is not going to help it more open it up worse as most will spend their time trying to exploit the OS for jailbreaking. Right now having it controlled by Apple has kept it secured. Maybe something needs to be done, but your answer to that to just open the OS up is hardly the best answer to that question. Sure, Apple has had some holes that were called out, but I've yet to see any malware on iOS besides the one mentioned in this article. Many large companies trust Apple when it comes to their iOS, but not so much the other way around when it comes to android.
  • You seem to not know much about Android to say many many bugs and security holes. Most security holes come from downloading apps from outside the Play Store.
  • Ladies & Gents, introducing Internet latest Einstein: CoreyMeetsWorld! "MOST security holes come from downloading apps from OUTSIDE the play store" .... the REST?? Come from google itself!
  • So Apple releases their code (which they won't) what stops those wishing to exploit it from going over it with a fine tooth comb? All of you OPEN guys seem to think that everyone is altruistic and out for good. As we all know, some people suck and won't be reporting all of the bugs but will simply exploit them. If openness was such a great thing, the Heartbleed / SSL bugs would have been squashed years ago. You can't tell me that no-one found it and if your point is that no-one found it, then there goes your argument and so much for public scrutiny.
  • Are you even following your own logic? The reason Heartbleed was found and squashed was because the source code was available for public scrutiny and independent audit. Flaws like Goto Fail exist in proprietary software that are being exploited today that nobody knows about. Windows was, and is still, notorious for security flaws that were exploited by hackers for decades that Microsoft refused to fix because they thought nobody knew about these bugs. No software is secure unless it can be publicly scrutinized and verified to be secure, period. Why do you think despite the bugs found in OpenSSL and GNUTLS, the vast majority of people will still use it over any proprietary security solution? It's because these open solutions have undergone decades of independent audits by scholars, academics, experts, corporations and governments. That level of scrutiny is something closed solutions almost never get. Open systems will always be more secure in the long-term.
  • This is an excellent post, excellent.
    Points very well made.
  • It's just that the "antivirus and computer security industry" has an agenda that's focused squarely on scaring people into buying needlessly complex and shittily crafted junkware that they claim protects against the vague threats. That agenda is diametrically opposed to Apple's which is to keep the thing as tightly shut as possible, thus not allowing hijinks to start with. Remember that the simple fact this trash can insinuate itself into MS Windows the way an isopod eats a fish's tongue and replaces it simply proves that Windows still has holes that need to be patched. If McAfee can't run anymore, then Windows won't need McAfee :) That's why iOS doesn't need questionable security cruft.
  • How do your comments address the premise made by the writer? This guy is out to make bucks not make you safer.
  • The problem with anti-malware "protection" is that it provides a false sense of security. Where I work, we use your typical corporate Windows 7/Outlook environment and we've been hit from time to time despite having (probably expensive) enterprise anti-malware software installed on every computer. And despite this all it takes is a user opening the wrong email attachment for all of the investment in "protection" to be worth absolutely nothing.
  • To be honest I don't think antivirus software is needed on ANY modern smartphone OS. People like to talk about android malware, but you only get it if you either purposely try or install apps through the boot loader.
  • Remember your words in a year or so, Rene... Because I will. Posted via the iMore App for Android
  • Please do. Sent from the iMore App
  • Remember my words in a year or so, NadaAdict... Because I will. Here's my prediction: "By late 2015, iOS will have increased its already massive lead in corporate IT market share. In part because of the results of the Apple-IBM partnership. And in part because of the industry-leading hardware security enabled by the Ax chips' Secure Element and iPhone/iPad TouchID biometrics. All of which leverage iOS' power, security, and ease-of-use."
  • Why would I remember your words? You're a nobody. Posted via the iMore App for Android
  • Apart from SockRolid being, like all of us, "a Son of the Universe, no less than the trees and the stars, with a right to be here", I recall his well-known handle and his weighty, witty contributions to countless technical, ethical, anti-trust, political and philosophical debates from the earliest halcyon days of blogging and commenting on the desktop OS, application software, web browser and mobile platform "flame wars" of yore, times when you were probably still just a sperm-sprog sloshing around merrily in your dad's 'nads... I will certainly remember his words in a year's time as I have considered his words for nigh on a decade or more, you impertinent little whipper-snapper...
  • You, an expert on being a nobody, are fully qualified to weigh in on the subject. Thank you for your well-thought-out rebuttal, Johnnie Cochran. GTFO.
  • TouchID isn't secure. Never was, never will. Only easy to use, convenient lock process.
    Security isn't only about "technical hack". It's about real life. And security is like street fight ... the weaker will lose. Two bad guys, your touch enabled device (please note I don't care if it's an apple or anything) and you're the easiest target on the block. Instant access; they just have to press your finger by force. They don't even have to threaten, they just do. In less than 10 seconds. Reason why this is not authentication but identification and nowhere in a (real) sensitive area you'll find it for anything else than a first level measure, requiring then another one, like a code or anything you have to proceed manually (physical & volunteer interaction). Sorry for the slightly OT. Edit: more on topic and to avoid expanding OT elsewhere, I believe the day devices won't be rootable I will start to believe and state they can be secure. Again, it's not apple exclusivity and same applies to many devices / software. I believe that's one of the main reasons they never got (despite huge and repeated attempts) the higher level of accreditation for DOD. The "rooted *afterwards* to hack" scenario (lost device for instance) is something that has to be considered. Rarely is.
  • Rene is right again.
  • No different to apple trying to scare monger users of or potential users of Android by over exaggerating and calling Android toxic health stew or whatever over the years. Of course these companies will say things to benefit themselves it's just the way it is. It's annoying for sure, have seen it done many times regarding Android but it is how it is. Posted via the iMore App for Android
  • Apple isn't a media outlet. They're a company competing with another company. Same as when Google trash-talks Apple. This was published by a popular tech site. Not by Apple or Google. If you want to get upset about "toxic hell stew", get upset about the tech site that published the statement. They're the ones who are supposed to be informing us.
  • Ha! "Toxic Hellstew" - Tim Cook's finest phrase to date... even if it was just a quotation from an online blog site.
  • Never had anti-virus on any of my Apple products since 1984 and never once knowingly had a virus. I've had PCs in the meantime and rarely got a virus, the big one was from someone else's floppy disk. In general you have to be pretty stupid to get a virus.
  • Because viruses only affect people of low intelligence. Who knew. You heard it here first folks. If yah gots da virus yoose a stoopid hidjet.
    /s Sorry, my Tennessee came out. Posted from the amazing whatever device I can afford because I'm a broke college kid.
  • In strict tech parlance, viruses (or virii if you like) are a subset of malware that do NOT require user intervention at all; Trojans and phishing attacks, on the other hand, DO.
  • I know people who never get infected without using any virus protection and I know people who get frequently infected who use virus protection. Their behaviors are completely different along with their knowledge and apparent ability to learn what to and what not to do. I label the inability or the unwillingness to learn "stupidity". Anyone can potentially get hit, but the predilection is obvious.
  • CEO should be spelled CEA-Corporate Executive ASSHOLE!! Sent from the iMore App
  • As Apple gains in popularity and gets more attention, more and more people are going to write virii, and malware for their products. People on this site may think apple is already bigger than Microsoft, but that would be a massive mistake. If Apple thinks they alone can keep their software secure when people start writing hundreds of maladies a day with the sole purpose of gaining root and owning a machine and everything that's in it, Apple's own hubris will be their downfall. Mark MY words, Rene. Posted via the iMore App for Android
  • Someone above said something like "Why would I remember your words? You're a nobody." Wait...that was you.
  • Yes, it was.. Want me to repeat that text string to you? I ask because you're an amateur when it comes to trying to be witty... Posted via the iMore App for Android
  • You're right Rene. In fact, if I was to write anything more to my comments it would be easier to simply copy and paste what you already wrote. Sent from the iMore App
  • Speaking of anti virus, I haven't paid anyone lately for such a program. Of course such a CEO will have things skewed a bit in his favor. Just as Apple will be careful with its PR or responses to have things skewed its way. It's the way of the world.
  • Some antivirus companies are just business minded companies and the market for IOS is huge so scare off the public and sell your products. Looks like this CEO of an anti-virus company who wrote this "guest editorial" has just done that.
    Way better is that Apple hires real security experts to work with in creating a safer IOS IMHO.
  • What I don't understand (Android, Apple or WindowsPhone) is why there is no built-in antivirus / spyware software embedded in the system from start? Should be a must-have this present day - or am I just a dumb dane?
  • It's built into the store. Google play scans downloaded apps, a