Slashdot Mirror
Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties (threatpost.com)
secwatcher writes: Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. The Verge: "Their focus is on the design of the system and not on exploitation. Please, we need to stop just spot-fixing bugs and learn from them, and act on that," he told a packed audience. Per Beer, Apple researchers are not trying to find the root cause of the problems. "Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could [have] found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn't they report it?" He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability. In a provocative call to Apple's CEO Tim Cook, Beer directly challenged him to donate $2.45 million to Amnesty International -- roughly the equivalence of bug bounty earnings for Beer's 30-plus discovered iOS vulnerabilities.
Apple does have a well-thought-out security design. Maybe there are things wrong with it, but to say they 'just fix bugs' and don't think about overall security ignores the truth. But I suppose that's what you get when you're click-seeking. See: https://www.apple.com/business... Can we find holes in that? I'm sure. But they do have a plan. And that's the public one. I'd wager there's an even more detailed internal one.
You have software that took months/years to plan and develop.
A problem is found.
You need to Fix it Fast, before it goes out to the wild.
It will need to be tested to make sure it doesn't break compatibility or break something else.
If asked to change the infrastructure for every time there is a bug. The fix will take years to get out, and a new infrastructure will introduce new flaws untested.
A security first design of software made in the 1980's would just have a password login and permissions on what the user could see and do.
1990's Memory checking and limitation to prevent buffer overflow
2000's Memory randomization and removing from an ask to allow to don't allow, and you will need to do extra work to allow.
2010's Application Sand-boxing, Full Encryption, tiered design, redundant checking...
iOS being a product of the 2000's Is actually stronger then some other systems, but it has a lot of once good practices which are now bad practices in-place. But there hasn't been a massive iOS outbreak of security issues. Like with Windows a decade ago. Makes me figure that the current patching routine is still good enough.
Will they need an architectural redesign in the future. Probably. Like when Apple moved from MacOS (Classic) to OS X. They will need to upgrade iOS to a new system at some point just to stay current.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
You can buy a device that unlocks the supposedly super secure iPhone. Every time they update the iPhone software and hardware, the device gets updated very quickly. That strongly suggests that he is right, Apple just fix each bug as they find it and don't fix the underlying flaws.
On the other hand, no such box exists for Google Pixel phones, for example.
No.
It strongly suggests that that device maker is being helped with Industrial Espionage.