Hey Apple, Help Developers Write Secure iPhone Software

By  |  Tuesday, March 17, 2009 at 3:21 pm

iPhone users have groaned and moaned about the device’s lack of basic copy-and-paste functionality, but Apple held off on delivering the feature until it got the security right. Kudos to Apple for making security a requirement, and designing its software correctly. Third-party iPhone developers should be designing software the same way.

It has become increasingly important for developers to treat security as they would any other severe software defect, stamping out problems at the very beginning of an application’s lifecycle. It’s less expensive for software makers to address security issues before an application ships, and the security and privacy of end users are better safeguarded that way.

That’s the rationale behind Apple’s decision to delay copy-and-paste. During Apple’s press conference today, Scott Forstall, senior vice president of iPhone software, explained that the company opted to resolve the security issues that arise when information is copied between applications.

I think that is of particular importance in a smartphone’s operating system–after all, users store important information on their phones that could be compromised by malware. Clearly, Apple is thinking security, but it should be empowering its developers to do the same. As far as I know, it has not invested the resources to make that happen.

In fact, no big vendor has invested in a major security push with developers–except for Microsoft. Microsoft has published its Security Development Lifecycle (tools and processes that the company uses to build security into its software), has released free threat assessment tools for developers, and set up training programs for sharing security-related knowledge and experiences.

Over the past several weeks, I spoke with Microsoft about the future of the Security Development Lifecycle. While the SDL is not a cure-all, security vulnerabilities in Microsoft software have dropped markedly since it was adopted. It would not surprise me if there were security tools incorporated into the next version of the company’s Visual Studio development environment.

Apple would be smart to take a similar approach with the iPhone, sharing its internal principles for writing secure software with third-party developers whose applications also need to be as rock-solid as possible. For that matter, so should Palm, and every other smartphone software producer.

At today’s event, Harry asked the last question, concerning the App Store approval process, and Apple marketing chief Phil Schiller pointed to security checks as one reason why giving third-party apps the go-ahead takes time. Overall, I’m encouraged by Apple’s commitment to security, but today’s iPhone 3.0 announcement didn’t answer the broader question: What is it doing to make certain that iPhone developers know how to write applications that are safe, period?


6 Comments For This Post

  1. sfmitch Says:

    Huh! This is the same Microsoft that is the only major operating system that routinely gets Viruses and has their systems get taken over and enslaved into Botnets, right?

    Microsoft is all talk – Windows running Anti-Virus software is WAY more likely to get a virus than a Mac or Linux box.

  2. David Worthington Says:

    @sfmitch It may fly in the face of what people think about Microsoft, but read what some of the top security folks in the industry are saying about the SDL.

    http://www.sdtimes.com/link/33340

    A Microsoft product team cannot ship a product until they clear SDL requirements. Who else in the industry does that, and is willing to share how they do it with their developers? Other companies are in fact COPYING Microsoft on this.

  3. sfmitch Says:

    Sorry, that article didn’t sway my opinion.

    1. It is written by the same person who wrote this blog post.

    2. The main source is a Microsoft employee running the program being described. It is more of Microsoft telling us how much good work they are doing.

    3. The other source is someone from Microsoft’s largest business partner (I think HP would be MS’s largest partner since they are the largest PC producer). I have no reason to believe this person.

    Microsoft has gotten better but since they were so pathetic to begin with, I am not sure that is saying that much.

  4. David Worthington Says:

    Then I respectfully suggest that you didn’t read the entire article. I also quoted a Forrester analyst, and Rex Black, who is very highly regarded in the industry.

    So is Caleb (the guy that you defamed for working at HP). Sometimes our preconceptions get in the way of today’s reality. Microsoft has a long way to go, but the SDL toward securing its products is an industry-leading effort.

  5. sfmitch Says:

    David, you clearly have spent more time and brain power on the subject. I hope you are right and we will one day look to Microsoft for the safest and most secure software.

    Well, I didn’t mean to defame anybody. I don’t think I actually defamed Caleb, in fact I didn’t say anything bad about him at all or his opinion.

    I’ll get back to removing viruses and/or spyware off my client’s PC.

  6. David Worthington Says:

    Stop by any time. Defame was prob too strong a word. Have a good evening.

2 Trackbacks For This Post

  1. Facebook 3.0 App Delay: Apple’s Whitewater? | Technologizer Says:

    […] company has said that every app undergo a security review. That’s great–I’d like to hear more about it and other steps that Apple takes to […]

  2. According to one security provider, Apple has had the most reported vulnerabilities for its platforms during the first half of 2010. :Dauren Kaiynbayev Says:

    […] year, I called on Apple to help its partners write more secure applications through providing its best practices and tools. […]