Apple & Security; the Java debacle

While I have become more of a fan of Apple’s products in recent years, I have never been a fan of their security disclosure policy. Apple has traditionally been very secretive, sometimes out of necessity. Back when Steve Jobs retook the company, Apple was near death. The company had run into a brick wall with its legacy operating system. The latest version, OS8, had been so long in development that it was now technologically far behind its competitors. When Jobs shook things up with OS X (10), he had a reason to be secretive. Apple had been successful with their new products, but was still fragile. If any of their competitors could peek inside what was going on, they might be able to stop Apple’s progress before the company could become healthy again.

Today, Jobs’s legacy is an Apple with a $98B war chest made largely on the success of the iPod, iPhone and iPad. These are all beneficiaries of the technology Jobs brought over from NeXT that helped to form what we now know as OS X. The problem is that with all that success, Apple’s share of the desktop PC market has grown. Apple is now big enough that it’s clearly visible on the radar of a lot of people, including potential attackers.

To Apple’s credit, OS X was designed with security in mind from day one. Most of the vulnerabilities that have affected the OS over the years have required a social engineering element to get users to unwittingly install malware. For a long time, Apple’s policy (of withholding details about security flaws until a patch is available) worked for them. However, a recent vulnerability in Java managed to scratch a large unsightly gash in that previously pristine, brushed aluminum finish.

The component that most recently exposed this weakness in Apple’s approach is, ironically, a third-party product: Oracle’s Java platform. It’s a little more complicated in Apple’s case because the company repackages and builds their own custom version of Java. Because of this, it always takes longer to get Java on Macs because the software has to be separately modified, tested and blessed by Apple. The people behind the Flashback trojan saw this opportunity and modified their malware to take advantage of the Java vulnerability. In the 2 months it took for Apple to produce their version and publicly acknowledge the flaw, over 600,000 Apple computers were infected. The fact that most Apple customers think they’re immune to viruses didn’t help the problem either.

This should be a wake-up call to Tim Cook and the OS X security team.  Apple may not agree with full disclosure, but they can’t continue to put their collective heads in the sand and think nothing will happen.  Had even limited disclosure been made to Apple customers earlier, it would have been possible to mitigate much of the threat posed by this vulnerability.  Instead, Apple customers were exposed to this vulnerability for 2 months.

Apple’s just the latest punching bag…

It seems everywhere I go online, there’s another person spouting off on what’s now been dubbed Antennagate. Most of the commentary is uninformed drivel regurgitated from the myriad sloppy reports circulating the net. Some are the usual malcontents looking for something to gripe about, while others are just having a good time making fun of what they see as a big corporate snafu.

All of the fuss has centered on what is being commonly referred to as the “death grip,” where a user covers a large portion of the phone while gripping it tightly. The weak spot, in the case of the iPhone 4, is a gap between the phone’s two antennas. What’s known is that the conductivity of the average human hand is enough to have an effect on reception when this gap is bridged (especially when that hand is moist). Brian Klug and Anand Lal Shimpi of AnandTech.com explained it best in an article published on June 30th. That was a full 2 weeks before Bloomberg’s July 15th article that claimed Apple was warned about the antenna design by senior engineer Ruben Caballero. Apple CEO Steve Jobs called the Bloomberg article “a crock” and “total [BS].” (Caballero has not come forward publicly to either confirm or deny the accusations.)

The article on AnandTech.com clearly backs up several claims made by Apple at their recent press conference (July 16th):

  • The iPhone 4 isn’t perfect
    • signal can be affected by bridging the gap (worst case -24dB)
  • Other phones experience the same kind of signal attenuation when gripped in certain ways
  • The worst case signal loss doesn’t occur in normal use even in poor coverage areas.  Exceptions to this are solved by using a case.

So what does all this mean? Yes, Apple made a design decision that affected the performance of the iPhone 4 antenna. Does it matter? No. The new design is more sensitive and generally makes up for the possibility of attenuation. I’ve confirmed Apple’s claims myself. When you’re in an area with good coverage, it’s nearly impossible to disrupt the signal. It’s only in areas of strong interference or poor coverage that the so-called death grip has any effect. (The same goes for the single finger bridging technique.) There is a problem here, but it’s not as big or important as some in the media want it to be. Nothing to see here folks… move along.

Apple drops DRM, but fair use is just an afterthought

Apple’s Steve Jobs wrote an open letter almost 2 years ago where he advocated the death of DRM. As he put it (albeit in a much longer form), the 4 major music companies (Universal, Sony BMG, Warner and EMI) own 70 percent of the world’s music, yet only require the 10 percent sold online to be locked with DRM (compared with the other 90 percent sold on CDs). Jobs’s open letter was taken by many to be a huge show of support for fair use rights. While his letter did make a lot of good points, and did eventually lead to removal of DRM from the entire iTunes catalog, it was more about good business than fair use. Apple spent a lot of money developing their FairPlay DRM system, and even more protecting it from attacks that would seek to undo its encryption scheme. During that time the music industry was distributing DRM-free music on CDs, so why should Apple have to shell out all this money to keep FairPlay afloat?

Apple is touting the advent of DRM-free music for its entire catalog in the form of iTunes Plus, only there’s one thing they’re not telling you. While the songs aren’t encrypted and can be moved to any device you choose, they can still be traced back to their original owner. This is because Apple watermarks each file with the name and e-mail address of the purchaser. For most of us, this doesn’t seem like a big deal. If you don’t share your music, why should you be worried? Well, suppose a thief steals your iPod, copies the tracks and uploads them to a peer-to-peer network. Are you liable? Some people are understandably concerned about this possibility.

If you’re one of those concerned individuals, there are a couple of ways to scrub the personally identifiable information from your files. One way may be the Hymn/JHymn project software. Hymn has been around for a while and works to liberate the decrypted music from iTunes and convert it to a DRM-free file with no loss in sound quality. It has historically preserved the personal information, but even in 2005 one of the maintainers admitted this feature might change if Apple were to use the information against its customers. Another way is to resave the files without re-encoding them with software such as Amoeba’s Fission audio editing software. As explained on MacWorld, Fission is only accidentally capable of removing the identifiers because of its rigid adherence to standards.

I can’t imagine the RIAA will be able to resist prosecuting people whose iTunes files are discovered on P2P sites. While it’s unclear whether or not this will hold up in court, why risk it? Personally, it shouldn’t be a huge deal. I’ve only purchased a small handful of albums and tracks from iTunes and I don’t share my music. (Besides which, if somebody tries to steal my iPod they’d better be able to run like the wind…) However, if the RIAA starts actively pursuing iTunes customers, I might just have to reconsider my options.