Apple’s software engineering chief Craig Federighi recently told us that Macs aren’t yet as secure as iOS devices, but does this mean Mac users need to worry?
What Federighi said
Apple’s software lead was appearing as part of the interminable Epic v Apple trial (which today involves Apple CEO Tim Cook taking the stand). Federighi was arguing that by maintaining a highly controlled third-party app environment on iOS, Apple has been able to build an extremely secure platform.
But it’s what he had to say concerning Mac security that generated consternation. “iOS has established a dramatically higher bar for customer protection,” he said. “The Mac is not meeting that bar today.”
Federighi observed that the level of malware on the Mac is something the company sees as “unacceptable,” warning that if iOS worked in a similar way its security would be deeply compromised.
Given that more than 1 billion people use iOS, any kind of decline in security protection would be a pretty bad thing, particularly for government, enterprise, and healthcare providers — many of whom have coalesced around iPhones, iPads and Macs.
What Federighi means
The comments generated a raft of headlines suggesting Apple doesn’t really think its Macs are secure, which isn’t what Federighi was saying at all. The scale of the Mac malware challenge is growing fast; Federighi told the court that 130 different items of Mac malware have affected more than 300,000 systems.
That’s borne out by third-party research. The Malwarebytes 2020 State of Malware Report claimed to have identified 30 million examples of Mac malware. A recent Atlas VPN investigation claimed 670,273 new malware samples were identified in 2020 compared to 56,556 in 2019.
Apple takes steps, of course. Its more restrictive about the sources users can get and install applications. Macs are also built to prioritize good user experiences, including the provision of the curated App Store. The company’s Gatekeeper software also helps keep Macs secure. The effect? New users are less likely to make security mistakes because the system is set up to minimize reasons to do so.
All the same, the scale of the threat is growing and, as every security related article I’ve written or read now warns, the most insecure point in any technology is the user.
What happens next?
Federighi describes the current security environment as being like a game of “whack a mole,” with new threats springing up fast. That’s not platform unique, of course — since the invention of computing, it’s driven OS developers to continue to develop security protection.
To me, Federighi’s comments suggest only that Apple has ambitions to make the Mac more secure, and that it is looking at iOS security as an inspiration for doing so. This makes it inevitable that Apple will continue to place additional restrictions on the sideloading of applications on Macs, something I think has been in the cards since Mac OS X Lion.
While I don’t believe the company intends to make it impossible to install software from sources outside the App Store, I can see it developing multiple layers of approval to enhance user awareness of security risk.
The evolution of the Mac is also prompting third-party innovation around security, such as NXLog’s introduction of a tool to let IT admins aggregate security logs from across their Mac fleet. It’s driving mergers and acquisitions, too: leading Apple-in-the-enterprise company, Jamf, recently added zero-trust Mac security with a shrewd acquisition, for example.
In the future, it’s plausible to anticipate on-device machine intelligence on a platform basis being used to identify anomalous traffic usually symptomatic of an attack, for example.
Beyond the headlines
However, while the optics of Federighi’s admission seem bad, particularly to headline writers who’ve been seeking a way to deny the innate security of Apple’s platforms for decades, he’s only stating an incontrovertible truth: Locked-down platforms are more secure.
That Apple thinks malware on Macs is “unacceptable” is just yet another argument against the popular myth that when it comes to operating systems, “open beats closed.” It doesn’t, as the sheer scale of malware on the Android platform proves.
It’s also an unspoken warning that if nation-states and legal systems require platform security be compromised, then the subsequent wave of malware and ransomware attacks will make the Colonial Pipeline attack look like a day trip to Disneyworld.
Only hackers and those with the ethics of hackers benefit from reduced platform security — well, them and a tiny handful of other “entrepreneurs” (cf: “privacy“).