Apple in 2019: Naughty or Nice?
It’s that time of year again, when Santa makes his list, checks it twice and, well, you know the rest. So in the spirit of the season, we’re going to take a look at some of the top Apple stories of 2019 to see if the company was naughty or nice this year.
Will it be sugar plums and presents for Cupertino…or a big, fat lump of coal? Let’s find out.
Naughty: Playing scrooge with bug bounties
Earlier in the year, Apple’s lack of a macOS bug bounty program led teenage security researcher Linus Henze to publicly announce a 0-day vulnerability affecting Mac users’ passwords — without sharing the details with Apple. Henze wrote an exploit for the vulnerability to demonstrate that the problem was indeed serious. The exploit, called KeySteal, was capable of accessing a user’s Keychain and thereby compromising passwords, keys, and tokens. So how is Apple the naughty one here? Because Henze’s dramatic gesture had one aim: To get Apple to finally include macOS bugs in their bounty program — something security researchers had been complaining about for years. Cupertino came out of this one looking a bit tight-fisted and stubbornly closed-off to the security community.
Nice: Real privacy at last?
Apple announced a number of privacy enhancements at the Worldwide Developers Conference in June, but one that really generated a lot of attention was Sign in with Apple. Presented as a privacy-focused alternative to Sign in with Facebook or Sign in with Google, Apple’s new sign-in service will allow users to interact with apps relatively anonymously, and give them the ability to create random, unique email addresses to communicate with apps and services (instead of disclosing their real email address to app companies and developers). All in all, Sign in with Apple appears to be an excellent way to quickly, easily, and securely sign in to various services without giving up your privacy. Very nice!
Naughty: Dating apps for kids
Apple has faced criticism in the past for their inadequate policing of App Store apps. An incident this summer really drove home the critics’ point: Several iOS dating apps were being used by kids as young as 12 to communicate with grown adults. Aside from being, well, gross, the story demonstrates that Apple needs to do more to improve their app approval process and make it more robust. The bottom line is that these apps never should have been usable by the children in question. Why were dating apps ever available to underage users? Why didn’t social apps require parental consent for young users? Apple has much to answer for here.
Nice: Root for the rest of us
For years, third-party iOS researchers had complained that their work was hampered by a lack of access to the kind of root, or administrative, permissions that Apple developers had. Without this access, they were often unable to see what was happening “under the hood” on an iPhone — and thus unable to help make the platform more secure. At this year’s Black Hat conference, Apple announced that it would be offering special “developer devices” — iPhones with root access — to external security researchers in order to help them with their work. That’s good news for researchers, but also for everyday iOS users, as more eyes on the platform will likely result in better overall security.
Naughty: Siri gets nosy
It took a whistleblower to let the world know what was going on — and that alone earns this one a place in the naughty column. It turns out that Apple had been sending recordings of Siri users’ interactions with the digital assistant to a third-party team. The motivation was benign: The team was simply tasked with improving Siri’s performance. But unfortunately, part of their job was to investigate accidental activations, which meant they were privy to a lot of extremely sensitive recordings (conversations with physicians, possible criminal activity, and even sex). Apple apologized and suspended the program, but it was not a good look for a company which touts its commitment to user privacy.
Nice: Catalina — a more secure macOS
Apple announced macOS 10.15 (Catalina) this year, rolling out the new operating system in October. The latest macOS included a number of security enhancements, a signal that Apple is taking steps to make Macs and Mac users safer. Catalina formally deprecates kernel extensions, instead offering app developers alternative ways to add functionality to their software which don’t involve accessing the core of the operating system. In addition, Catalina expands data protection to include more system areas than before, strengthens Gatekeeper, and enforces app notarization for developers — all of which means that there’s less likelihood of apps accessing things they shouldn’t or harboring malicious code.
Naughty: The un-update update
Apple had egg on its face in August when an iOS 12 update accidentally reintroduced a jailbreak which had previously been patched. Jailbreaks give users a level of access to their iPhones’ operating systems that they shouldn’t ordinarily have — and which shouldn’t even be possible to obtain. For this reason, jailbreaks are considered security risks, because a malicious actor could conceivably use a jailbreak to gain administrative privileges and meddle with users’ devices. Apple had to scramble to release an update for their “update”, leaving many iPhone users wondering what exactly was going on at Apple (and more eager than before for the release of iOS 13).
Nice: iOS 13 and location privacy
The newest mobile operating system from Apple, iOS 13, contained a number of cool new features, including some powerful new privacy protections aimed at apps which attempt to access device location data. Users will now be notified by pop-up whenever an app is requesting location information in the background, giving them the option to either share their data with the app or deny it access to their whereabouts. This protection extends to requests for Bluetooth data, which can be used by apps to infer a user’s location without getting their explicit permission to do so. While these new features may not sit well with the likes of Facebook, it’s definitely a big win for user privacy, and deserving of a spot in the “Nice” column.
Naughty: Apple’s China problem
Apple faced some deserved criticism for its ties to China this year, underscoring the problematic relationship between the tech giant and the Asian superpower. In October, the public learned that Apple was processing data for a Safari security feature with the help of Tencent, a company with deep ties to the Chinese government. While Tencent was only being used to handle data processing for mainland Chinese users, this was still concerning, giving the obvious privacy issues faced by this demographic. Cupertino also took heat for its decision to pull an iOS app which was being used by Hong Kong protesters to avoid police checkpoints and tear gas deployments. The Hong Kong Police Force had complained that the app was actually being used to ambush police officers, but US lawmakers and international observers were skeptical of these claims — and critical of Apple for taking the authorities’ accusations at face value and capitulating to Beijing.
Nice: Apple grows up
Despite Apple’s issues with third-party researchers earlier in the year, the company turned things around at the end of summer when they announced a long-awaited bug bounty program for macOS. The new program is definitely nice for security researchers, who can now be paid for their work ethically, without having to resort to exploit brokers. But it’s also very good news for Mac users, as Apple seems at long last to be harnessing the full power of the wider macOS security community to help secure the platform. The move represents a philosophical shift, as well: In the words of prominent Mac security expert Patrick Wardle, Apple seems to be “growing up a little bit in terms of their security posture” and “awakening to a more transparent, interactive model of security”. That bodes well for the future, and is extremely encouraging for those of us who care where Apple is headed.
All in all, it’s been a mixed year for Apple, with some successes, some failures, and one or two embarrassments. But on the whole, the company seems to be moving in the right direction: Prioritizing privacy over profit, enhancing security across its platforms, empowering users with information about app activity on their systems, and opening up to the security research community.
Apple isn’t a perfect company by any means. But they’re better than a lot of the alternatives, and they seem to be staying true to Steve Jobs’s vision of privacy: “Privacy means that people know what they’re signing up for. In plain English, and repeatedly”. Perhaps even more importantly, the core of the company is still its security and development teams — along with the robust third-party security research community which supports them — and these folks’ hearts seem to be very much in the right place.
Santa’s verdict? Apple was mostly nice, with a touch of naughty. They can do better, and those of us who love Mac and iOS devices should definitely continue to watch the company and hold them accountable when they fall short. But on the whole, Apple has shown itself to be committed to its principles, responsive to criticism, and capable of change — which is saying a lot for a trillion dollar corporation.