In the countdown to iPhone 3.0, users were not just waiting for the ability to cut and paste: Apple was sitting on a slew of critical security fixes. CNET is reporting that the iPhone 3.0 software update fixes 46 security vulnerabilities, and I’m not the least bit surprised.
While some teams at Apple may have security expertise, the company lacks a holistic company-wide approach to secure development. The company practices security through obscurity, hoping that hackers will not exploit bugs if that do not know about them, which is not security at all.
Earlier this month, Security expert Rich Mogull sharply criticized Apple for falling short on protecting its customers. He recommended that Apple adopt a security development life cycle (SDL) process that a handful of companies, including Microsoft, implemented several years ago, and share with third party developers.
The number of security vulnerabilities found in Microsoft’s product have dropped markedly, because it changed how it makes its software. No code can be shipped out of Redmond unless it has gone through the SDL process. Apple is another story.
If left unpatched, the iPhone is as exposed as the broad side of a mountain. Twelve iPhone components are exploitable ranging from its Mail application and Safari browser down to lower level graphics and telephony stacks.
Apple’s saving grace is that it controls the iPhone’s application ecosystem, and it’s harder for malware to reach users . It has said that it evaluates apps against security criteria, but I wonder how comprehensive that process is in light of its disjointed vetting process. Maybe it has just been lucky.
In March I called for Apple to assist its developers to write secure Apps for the iPhone. I repeat that call, and am upping the ante by challenging Apple to share its internal processes for secure development (if those processes are even mature enough to share).
I love my iPhone, and own several Apple computers, but I’m not in love with Apple’s halfhearted approach to security.