App Store security record unblemished after 2 years
- 21 July, 2010 03:49
While the rest of the world focuses on the perceived issues surrounding the iPhone 4's antenna reception, I thought I'd bring us back to something that really matters to iPhone users, namely, the security of Apple's App Store, which just marked its two-year birthday.
In my December 2009 column, I predicted that quite possibly there's an app store in the general computer consumer's future. That statement drew some quite heated opinions from my readers. I welcome intelligent debate, of course, and would like to draw your attention back to the app store in a different light.
Apple's App Store contains over 225,000 applications for the iPhone, the iPod Touch and now the iPad, which have been downloaded over 5 billion times. To date, we've had zero virus or worm incidents in the wild. I say that's a pretty darned successful run so far.
Now, there have been several published reports of vulnerabilities in the iPhone (now called iOS) operating system. There also continue to be mechanisms available for folks to "jail-break" their phones and install non-approved (by Apple) software. Indeed, the jail-breaking and underground app community thrives, by most reasonable measures.
We've even seen a couple of malware incidents that successfully targeted jail-broken iPhones. One involved a worm program that spread from one jail-broken iPhone to another by way of an ssh daemon (network service) that was installed with a default root password. But I argue that doesn't illustrate any weakness in the Apple App Store mechanism, which remains untarnished from the perspective of the security of the apps themselves.
Now, Apple has come under some pretty concerted pressure over its app approval process, perhaps rightly so in at least some of the cases, but the fact remains that we haven't seen a single virus/worm/malware outbreak on the platform.
Windows sysadmins can no doubt well remember malware outbreaks like slammer, sasser. These worms spread with violent effect across vulnerable Windows systems, leaving behind all sorts of disruption in their wakes. Nothing like this has happened on the iPhone and the App Store in two years.
Of course, that doesn't mean that it can't or won't happen, but I do feel strongly that it's a credit to the concept. And with tens of millions of iPhones and iPads in use today, I for one am utterly convinced that the miscreants of the world would have attacked them if they had the opportunity.
Apple reviews every app that gets submitted to the App Store. It publishes certain guidelines that app developers are required to follow. From a security standpoint, perhaps the most important guideline is that apps are prohibited from making use of any unpublished APIs (application program interfaces). That is, they must play by the rules.
Even though this policy has caused more than its share of consternation among the developers as well as the users, it is also largely to credit for two years of untarnished success.
Recently though, there have been numerous calls for Apple to loosen its app review policies. If it succumbs to that pressure and lowers its guard too much -- or if government regulators force it to -- I'm not convinced that the next two years will be as untarnished as the first two years have been.
And at the same time, the platform itself has grown in its capabilities. With the iPhone 4 and the new iOS 4, apps are able to do some (limited) multitasking and such. Perhaps these new complexities and capabilities will lead to security problems in the future. Time will certainly tell.
Without a doubt, iOS 4 isn't perfectly secure. With its Unix-derived kernel and underlying architecture, I'm confident we'll continue to learn of security weak points, both in the design as well as its implementation. That much is as predictable as the phases of the moon.
But with a strong application screening process at the front end, hopefully we can continue to keep the real nasty stuff out of our sandbox.
When you combine that with the consumer-related benefits of the App Store, it makes a compelling argument that app stores have succeeded and are here to stay.
Consider that while you're reading the latest rant about the iPhone 4's antenna issues. As for me, I learned as a kid that human hands make poor antennas. I'm not sure why this revelation comes as a shock to anyone in 2010. But I'll just put a bumper on my i4 and refrain from complaining, thank you very much.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.