A new report highlights how despite Apple’s increasingly high walled garden ecosystem, hackers are finding more ways inside.
According to a new exposé from MIT Technology Review, Apple’s effort to increase security in both hardware and software is experiencing a downside — the Cupertino company’s walled garden approach is making it easier for hackers to hide.
“It’s a double-edged sword,” says Bill Marczak, a senior researcher at the cybersecurity watchdog Citizen Lab. “You’re going to keep out a lot of the riffraff by making it harder to break iPhones. But the 1% of top hackers are going to find a way in and, once they’re inside, the impenetrable fortress of the iPhone protects them.”
Marczak’s primary concern is that as Apple builds increasingly locked-down devices, it’s becoming more difficult for security researchers to discover hacking activity:
He argues that while the iPhone’s security is getting tighter as Apple invests millions to raise the wall, the best hackers have their own millions to buy or develop zero-click exploits that let them take over iPhones invisibly. These allow attackers to burrow into the restricted parts of the phone without ever giving the target any indication of having been compromised. And once they’re that deep inside, the security becomes a barrier that keeps investigators from spotting or understanding nefarious behavior—to the point where Marczak suspects they’re missing all but a small fraction of attacks because they cannot see behind the curtain.
And while Apple regularly updates its devices with software that fixes security flaws, these same updates can also hinder the various tools used by security researchers:
Sometimes the locked-down system can backfire even more directly. When Apple released a new version of iOS last summer in the middle of Marczak’s investigation, the phone’s new security features killed an unauthorized “jailbreak” tool Citizen Lab used to open up the iPhone. The update locked him out of the private areas of the phone, including a folder for new updates—which turned out to be exactly where hackers were hiding.
Faced with these blocks, “we just kind of threw our hands up,” says Marczak. “We can’t get anything from this—there’s just no way.”
While there are issues with the walled garden approach, most security researchers still believe it to be the best practice moving forward for Apple. For example, the new Apple Silicon M1 Macs are the safest computers the company has ever developed:
“iOS is incredibly secure. Apple saw the benefits and has been moving them over to the Mac for a long time, and the M1 chip is a huge step in that direction,” says security researcher Patrick Wardle.
Macs were moving in this direction for years before the new hardware, Wardle adds. For example, Apple doesn’t allow Mac security tools to analyze the memory of other processes—preventing apps from checking any room in the castle aside from their own.
As such, it’s expected that many other companies plan to follow Apple’s lead:
It’s just not Apple, says Aaron Cockerill, chief strategy officer at the mobile security firm Lookout: “Android is increasingly locked down. We expect both Macs and ultimately Windows will increasingly look like the opaque iPhone model.”
Ryan Stortz from Trail of Bits concludes that we’re currently shifting to average users sticking with walled garden mobile devices.
“We are going to a place where only outliers will have computers — people who need them, like developers,” he explains. “The general population will have mobile devices which are already in the walled-garden paradigm. That will expand. You’ll be an outlier if you’re not in the walled garden.”
Check out the entire, worthwhile read over at MIT Technology Review.
