Expert Analysis

02:14 PM
50%
50%

Apple Security Talk Suggests iOS Limits

Apple rightly earned plaudits for delivering a presentation on iOS security at Black Hat. But what was left unsaid may have revealed new details about its hush-hush app-review process.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
At the end of Apple's first-ever Black Hat security presentation in Las Vegas last week, presenter Dallas De Atley, who manages Apple's platform security team, quickly packed up his belongings and made a beeline for the side door, declining to answer any questions.

Over the preceding hour, De Atley delivered an overview of the security mechanisms--including secure boot chain and app code signing--that are built into the iOS operating system that runs recent generations of Apple's iPhone, iPad, and iPod Touch, and which help keep the devices malware-free.

But in terms of imparting knowledge, the session didn't break any new ground. It essentially recapped the contents of an iOS security whitepaper Apple released in May. Furthermore, Apple hackers have been hard at work since the first iPhone appeared, and books such as the iOS Hacker's Handbook, released in May, cover everything De Atley detailed, and more.

Did Apple miss an opportunity by failing to engage with attendees in the near-capacity conference room? For some security experts, simply showing up is a start. "While the presentation lacked the details usually seen in BH talks, it definitely showed Apple is trying to open up," noted Kaspersky Lab senior antivirus researcher Roel Schouwenberg in a blog post. "Being (more) communicative is vital to doing security response right. This is of particular importance for Apple as there were quite a few talks focusing on Apple's security ... ranging from attacks on iOS to Mac-oriented EFI [extensible firmware interface] rootkits."

[ Check out security best practices in 5 Black Hat Security Lessons For CIOs. ]

Indeed, running at the same time as De Atley's presentation was an applied workshop on The Dark Art of iOS Application Hacking. As Apple was providing a philosophical take on iOS security, Black Hat instructors were helping attendees get their hands dirty. As the Flashback malware outbreak proved, Apple's products aren't immune to malware, never mind the legions of devoted hardware hackers who populate Black Hat.

Might Apple have come to Vegas simply to atone for past sins? Perhaps, but if so, some conference attendees criticized Apple for not going far enough, as well as for its security spin, such as the "Apple designed the iOS platform with security at its core" assertion De Atley made during his talk. "I think he meant in theory," said Charlie Miller, a computer security researcher with consulting firm Accuvant and co-author of the iOS Hacker's Handbook, in an interview at Black Hat. "When the first iPhone came out, nothing that he talked about was on it. So it sucked, and then it got slowly better, and then about a year ago, it got to where it is now, and it's pretty good."

What had iOS security aficionados such as Miller been hoping for from the presentation? Miller said he would have liked the opportunity to ask about the iOS "secret sauce," such as how the development team audits code, whether it looks for malware, and whether it kicks out developers that it sees repeatedly submitting malicious code. "No one knows," he said. "They don't explain how the review process works."

Still, what the presentation didn't detail did provide food for thought. "When I talk about iOS security, I say one of the reasons you don't get malware on iOS is because of the malware-review processes," Miller said. "For me, that's a fundamental part of malware prevention in iOS, but [De Atley] didn't even mention it. So it made me think, maybe ... it's purely that they check that developers are using approved APIs, rather than checking to see if something is malicious."

"If only there was someone we could have asked these questions," said Miller, as our interview at Black Hat concluded. "If only there was someone here from Apple."

Comment  | 
Print  | 
More Insights
Cartoon
Slideshows
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
2014 State of Unified Communications
2014 State of Unified Communications
If you thought consumerization killed UC, think again: 70% of our 488 respondents have or plan to put systems in place. Of those, 34% will roll UC out to 76% or more of their user base. And there’s some good news for UCaaS providers.
Video
Twitter Feed