
Apple's reputation for software security a 'myth': expert

A 'scary' software flaw that has put users of iPhones, iPads and Mac computers at risk of being hacked has dealt a blow to the reputation of Apple, the world's most valuable brand, say security researchers.

Security experts call recent iOS software bug 'scary'

Many equate Apple with security, but cybersecurity experts suggest that reputation may be unwarranted. (The Associated Press)

Tech watchers say this bug, which Apple quietly announced on Friday, illustrates that the company's reputation for strong security may be overstated.

"People in general feel, 'It's Apple, so it's secure'," says Brian Bourne, co-founder of Toronto's annual SecTor cybersecurity conference.

"Whereas the truth is that Apple operates within the same bounds as every other software provider, so they're just as likely to have security vulnerabilities as anybody else."

Johannes Ullrich, dean of research for the Internet Storm Center, which monitors online threats, goes even further: he calls Apple's security reputation "a myth."

Apple's latest security flaw became public on Friday when it released iOS 7.0.6, explaining that the newest version of its mobile operating system had fixed a bug pertaining to safe browsing.

In explaining the flaw, Apple said that "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS."

SSL/TLS is an encryption standard that enables a web browser to talk to a web server to verify that a site is not a fake set up by hackers to steal personal information on your computer or hand-held device. It's used by banks, credit card companies and government agencies to keep transactions secure.

The iOS bug interfered with this process, making it difficult for applications such as Apple's Safari browser to confirm that web sites were legitimate.

Popularity breeds vulnerability

In a blog post entitled "Why Apple's Recent Security Flaw Is So Scary," Gizmodo managing editor Brian Barrett said the bug makes Apple users vulnerable to a so-called "man in the middle" attack.

That type of cryptographic attack involves an attacker eavesdropping on communications between your browser and a given website, including anything from private conversations to financial information.

"As a result of this bug, someone could trick you into connecting to a lookalike website and you wouldn't be able to tell by looking at the SSL information coming back from that website," says Ullrich.

SecTor's Bourne says that Apple's reputation for security is largely due to the fact that its operating system is more restrictive in what it allows installed software programs to do.

But consumer fascination with mobile products such as the iPhone and the iPad has made Apple a more desirable target for hackers, says Urs Hengartner, an associate professor in the University of Waterloo's computer science department.

"Many of the [hacking] exploits are deployed and developed by criminals who make money, so they go after the popular platforms," he says.

"When it comes to Apple products, we haven't seen that many security flaws, at least not public ones," says Hengartner. But he echoes the feeling of many in the software community, who say that when Apple does identify a problem in its code, it is slow to respond with an update.

A turning point?

Bourne estimated that this recent, problematic version of Apple's iOS has been "on the street since October," when the company introduced a patch to fix problems with the launch of its new operating system.

With the latest release of iOS 7.0.6, Apple said it had fixed the bug on mobile devices. On Tuesday, Apple released OS X 10.9.2, which addresses the SSL encryption issue for the operating system on Mac desktop and laptop computers.

Bourne notes that Apple does not have a sterling reputation in the cybersecurity community, which congregates on websites and online forums to report bugs and share proposed fixes.

"I think most people who try to report [software] vulnerabilities to Apple have been frustrated," says Bourne. They don't engage in the security community in the same way as other companies, particularly Microsoft, which actively confers with the community to identify bugs and fix them quickly.

"In terms of security, Microsoft has made great strides in the last decade," says Bourne. In the 1990s and early 2000s, Microsoft was issuing so many security patches to its operating systems that they gave it a name: Patch Tuesdays, which took place on the second Tuesday of every month.

Ullrich says that a key moment for Microsoft was the Blaster worm, a computer virus that infected machines running Windows XP and Windows 2000 in August 2003. The scope of the infection forced Microsoft to focus greater attention on the security of its operating systems, he says.

Hengartner thinks with the latest iOS security flaw, Apple may be reaching a similar point.

"They're in the same situation that Microsoft was 10 to 15 years ago," he says.