“At Apple, with every new release of hardware and software, we advance the safety, security, and data protection features in our products.” That’s Apple’s top lawyer Bruce Sewell, testifying before Congress in April, at the height of the company’s showdown with the FBI. With a new software release coming at WWDC on Monday, it’s time to take a look at what the future of Apple security might entail.
For what it’s worth, Apple’s security practices are already plenty robust, and its track record is laudable. It added end-to-end encryption to iOS in 2011, years before other popular messaging apps did (in fact, Google only introduced it this year in a new chat product, not enabled by default). The company offered various levels of iOS encryption for years, but with iOS 8 made device-wide encryption the default, making it much harder for law enforcement to extract data. It’s had its share of bugs and bruises, but Apple’s unquestionably willing to go further, faster with security than most of its counterparts.
“On the iOS side they have done an incredible job, and it is now the most secure personal computing platform available,” says Rich Mogull, CEO of security firm Securosis. “There are still vulnerabilities that crop up, but at the core iOS is rock solid.”
Still, not even Cupertino would say the job is done, especially in the wake of such a public fracas with the FBI. “We work hard to improve security with every software release because the threats are becoming more frequent and more sophisticated all the time,” wrote CEO Tim Cook in an email to employees in late February.
So what improvements are left, both for iOS 10 and beyond? Here are a few good places to start. Will we see these announced at WWDC this week? We can't say. But you can follow our live blog of the event to see what happens.
One detail of Apple’s confrontation with the FBI that often gets lost? The company, as it often does, actually did hand over data to law enforcement when asked. Specifically, it gave the feds whatever it could find on San Bernardino shooter Syed Farook’s iCloud account. This is in stark contrast to what the feds later asked Apple to do: break into Farook's iPhone, despite Apple having no way to do so.
Apple was able to comply with the iCloud request, though, because while iCloud backups are encrypted, Apple maintains a copy of the keys. That creates a potential point of vulnerability, one that, according to a March Wall Street Journal report, Apple is actively interested in removing. Unfortunately, it’s not quite as simple as it seems.
“Encrypting iCloud backups is pretty easy, provided Apple holds the keys. The idea, though, is for Apple to not hold the keys,” says Matthew Green, a cryptography expert at Johns Hopkins University. “This is a challenging problem given that users don’t pick strong passwords---and tend to forget them---and they also can’t rely on having phones to store keys, since the whole point of a backup is to deal with losing your phone.”
An iCloud backup that Apple can’t access, then, would also mean that a lifetime of photos and other files could be lost forever if the account were compromised, or if you lose track of your password. While fully encrypting iCloud backups is relatively easy, dealing with the potential fallout for customers would be anything but. It’s the classic trade-off of security and convenience, with extraordinarily high stakes.
Apple recently rehired security expert Jon Callas---he’d done a stretch at the company prior to pursuing his own encrypted phone projects---to help tackle these thorny questions. “He’s the right person to make a lot of these problems better,” says Green. But since he was only just hired, the likelihood that any of his work will be seen on Monday at WWDC is low.
OK, yes, iMessage was the first end-to-end encrypted messaging system available at its scale. That’s good! But like any well-worn furniture, it’s showing some holes.
“iMessage definitely needs an upgrade,” says Green, who just this spring exposed vulnerabilities in iMessage encryption that let him and his research team decrypt photos and videos in messages under specific circumstances. iMessage has been a particular focus of Green’s for some time, in part because of its importance and widespread usage, but also because of how it’s set up. As Green explained in March, iMessage uses a centralized key server, which means that it’s at least theoretically susceptible to man-in-the-middle attacks. On iMessage, it is at least possible for a sophisticated hacker to intercept a communication and pretend to be someone they’re not.
That’s one big concern; there are plenty of narrower ones that have been raised by Green and others. Apple certainly seems committed to patching up iMessage. In February it brought on Frederic Jacobs, a lead developer of widely praised secure messaging app Signal, for an internship. “He’s certainly the person I’d hire to upgrade a messaging system,” says Green.
Then again, back in March, Green also suggested that Apple “should drop iMessage like a hot rock.” His suggestion, instead? Move people over to Signal.
It's important to remember there’s more to Apple security than iPhones, especially given how interconnected the devices in its ecosystem are, and WWDC deals with all Apple platforms.
“Macs still lag iOS devices, and likely always will since they need to be more open and flexible,” says Mogull. But there are plenty of ways they could start catching up.
“On the software side there is definitely room for improvement in sandboxing, adopting more advanced anti-exploitation measures, and improving some of the security defaults,” says Mogull. Requiring user approval for any new startup items, for instance, would help build on what Apple started with Gatekeeper, which helps OS X users to download only apps that have been vetted by Apple. Gatekeeper itself could also stand to be “more rigorous,” Mogull says, in its code-signing checks, which would help prevent either malicious software from being installed, or existing software from being surreptitiously altered.
Then there are the improvements to the hardware itself, which could range from introducing Touch ID to MacBooks (Windows PCs have used biometric security for some time, though there’s no indication Apple has any plans to introduce it to its laptops and desktops), to enhanced chip-level security, the potential for which is limited by Apple’s reliance on Intel for its processors.
However far down the roadmap those may be---if they’re even on it at all---they’d decidedly complement Apple’s existing security, and help give the company’s computers an overdue boost.
Apple introduced two-step authentication for Apple IDs in 2013, but it wasn’t until last year that it announced an improved two-factor system for iOS and OS X, and not until a few months ago that it went into effect. Now, when two-factor is enabled, authentication with an Apple ID on a new device needs to be confirmed on a trusted device. A new MacBook, for instance, would have to be verified with a secret code sent to an iPhone.
It’s an improvement over the old system, but it’s not very well advertised. It may be too much to ask to make two-factor mandatory, but anything Apple can do to prompt its customers to take advantage of one extra layer of protection would be welcome. A better feature isn’t much good, after all, if people aren’t using it.
“That’s the single best control to protect iCloud content and devices,” says Mogull about two-factor. More than ever, it’s something people need to protect themselves.
Again, we're not likely to see all of this show up on Monday. Some sort of iCloud enhancement wouldn't be out of the question, but good security takes time to do right. The important thing is that while Apple's better than just about anyone, it's still got plenty of room for improvement.