Apple Security Update: Is It All Set for an Enterprise?

Over the past years, security experts have announced that Apple is not as concerned about security features as its prominent competitors are! In 2012, Kaspersky Lab’ s CEO, Eugene Kaspersky, who was worried about security, stated that Apple’s security features lag behind Microsoft Corporation’s as much as ten years. He expressed his apprehension for the growing malware threats and slow response after a critical Java update that made customers’ systems susceptible to the Flashback Trojan. However, Apple has been acclaimed for smart security decisions, such as alleviating the usage of endangered Java versions on its devices. In March 2013, added support for two-step verification on Apple IDs was also initiated. So the question remains the same—does Apple offers you a model of robust security, or is it simply being more attentive to safety to dodge backlash? Another criticism that it faced is the lack of transparency! Apple has never come out with honesty about malware threats and weaknesses in its products. Although the effects of this lapse are never too hard to measure, some people follow the perspective that is closed and secretive is advantageous in security terms. Therefore, better to focus on the available security features, the vulnerabilities that have been exploited and how Apple changed its practices concerning the adverse response to events.

THE INHERENT SECURITY OF PRODUCTS

Today, there is no quantitative way to measure the security features of the dissimilar systems. Therefore, keeping the history of vulnerabilities and functionalities from a comparative perspective is the only way out. Earlier, Mac OS X systems have lagged on centralized security management features if compared to Windows PCs. Every cellphone device, including the Apple iPhone that runs on the iOS mobile operating system, lagged behind Research in Motion’s Blackberry handsets, which offered much stronger storage encryption technologies. However, Apple’s recent releases of Mac OS X and iOS have raised the standards. Changes to iOS and Mac OS X have assisted the centralized security management of Apple devices from the Mac OS X server. The company complained about the security of Mac OS X Lion v10.7, e.g., extending encryption of FileVault full disk to external hard drives, with XTS-AES 128. After the release of OS X Mountain Lion v10.8 in July 2012, Apple introduced a Gatekeeper feature for blacklisting and whitelisting applications. The tools that assist software updates in regularly checking Apple security updates became part of the Mac App Store. In 2011, the App Store for Apple added a bunch of purchasing programs for businesses, including B2b apps for iPhones, iPads, and mini-iPads. These devices are reviewed by using the company’s rigorous process for approvals. However, developers are held responsible for acquiring the data safely in B2B apps. In terms of security, Apple’s app store is way ahead of its competitors as it performs stringent screening of the third-party apps. The latest discovery disclosed that Apple’s app store never consistently used Hypertext Transfer Protocol Secure (HTTPS) to safeguard web communications and transactions, which resulted in another big security blunder. The company has since fixed the issue. Also, Apple was the first company to include the concept of downloading apps from an authorized App store. Even though the iPhone 5 possessed much vulnerability, nearly 200 vulnerabilities were fixed with the initial release of iOS 6, except for jailbroken phones. Other iOS vulnerabilities have enabled hackers to access iPhones physically to sidestep the users’ passcodes. Even if the chances of Mac OS X and iOS being vulnerable to exploitation are minimal, and keeping its reputation in mind, there is a misconception about security among many Apple users who think that their systems are invincible to malware.

REACTION TO SECURITY PROBLEMS

Apple confronted the two biggest security problems that involved Java. In 2012, the first problem occurred where Apple was providing its version of Java with Mac OS X. A set of significant vulnerabilities was discovered in Java across different platforms. For this, Apple offered its own patch rather than using the Java Security update that Oracle provides to outside vendors. However, other platforms were fixed in a few weeks; Apple almost took three months to create a Java security update on Mac OS X. During that prolonged vulnerability period, a fake Adobe Flash installer, Flashback Trojan, attempted to entrap passwords and other information. It infected Mac OS X systems, compromising more than 60,000 systems damaging Apple’s security reputation. Eventually, Apple released a security update that removed Flashback Trojan’s variant from infected Mac OS X systems. For many Apple users, Mac Flashback was a wake-up call that made clear that Apple is also prone to malware infections. Then, Apple decided to cease updating Java and rely on the version supplied by Oracle. Consequently, the fixes would be available for all the platforms when in need. Further, Apple stopped hustling Java with Mac OS x 10.7 Lion; users still have the privilege of downloading and installing Java for free. However, Apple decided to disable Java in Web browsers unless the users exclusively turned on Java. Apple got into a better position when it discovered the faults with Java in late 2012. Additionally, Apple used Xprotect, a scanner that has a blacklisting capability built into Mac OS X to prevent weaker versions of Java from running. Consequently, Java users were forced to upgrade to patched versions, thereby preventing potential exploitation.

TARGETING OF PRODUCTS

Earlier, the malware community completely ignored Apple’s devices because back then, Windows PCs were predominant in the market. But Apple OS X and iOS are now a large share of the operating systems; the exploits are just not appearing. If the reports by malware records from McAfee are to be believed, then Apple devices have rarely been the particular target of malware. For some people, it might be a matter of time until a significant iOS vulnerability is being discovered and exploited via malware. Others take the positive attitude that Mac and iOS devices are less likely to be infected by any malware as they are built on strong security principles. For example, Mac OS X is founded on FreeBSD Unix, which is a tested technology. iOS uses the significant benefits of sandboxing technologies to extract malicious processes from trusted ones. For this, only the attackers know for sure why they attack the platform they are attacking. But it is worth noting that security problems today are irrelevant for a platform. And looking into the malware history, it is not the platform that attackers want to hack but the people. Security features such as authentication and full disk encryption are available but are not allowed to the users on many platforms. Open Wi-Fi networks that expose all network communications to the eavesdroppers are a universal problem. Hence, it can be concluded that the attackers follow different exploitation forms that are not specifically platform-specific.

EVALUATING THE SECURITY RISKS

It is tough to announce that Apple security tops the game in the business, but it is also hard to consider it even inferior. The advantages and disadvantages of Apple security need close discernment. Organizations that evaluate the security risks of Apple technologies should consider the security features carefully. These features are often offered by the relevant versions of the Mac and iOS operating systems. Older versions may be supported by older devices only, which lack the major security features or require third-party add-on utilities to attain the necessary security. Here is an example: older versions of iPhones never erase sensitive data whenever the device is wiped. Newer iPhones, on the other hand, support secure data encryption by using a hardware encryption key that is deleted whenever the phone is wiped. This feature makes it impossible to recover the stored data. Organizations should make use of later models of hardware to get the benefit of the latest operating system versions and their conforming security features. In architectural terms, both Mac OS X and iOS offer cutting-edge security features. OS X makes use of some of the same memory management techniques as the current Windows version. These techniques are mainly designed to make the exploitation of the operating system and the applications harder and limit the potential damage that could ever be inflicted on the system. But other security decisions can be complicated, e.g., iOS and Mac OS X requirements that are needed by the administrator to authenticate the privileges before updates are allowed. It consequently slows down the patching process and significantly leads to longer windows of vulnerability. It, therefore, increases the chances of compromising systems. Apple products seemingly lag behind other sellers in the market in terms of built-in support for automated and centralized security management. Many organizations either purchase third-party management tools, or they don’t manage their Apple devices centrally. Hence, the burden on a local system administrator increases and makes it more vulnerable, such as security settings not being appropriately configured, or patches not being installed. However, organizations should be well aware that Apple is determined to add on significant capabilities for centralized management and maintenance of Mac OS X and iOS settings for passwords policies and other policies for security.

VERDICT:

Apple has undoubtedly made the advances, but only time will be the judge whether adopting the security update is worthwhile or not!