Apple has long been seen as a champion of security and privacy in a tech industry consumed with vacuuming up consumer data. Two recent events, however, have raised questions about whether the iPhone maker’s reputation is losing its luster.
Earlier this month, Apple released an emergency patch to close holes in the operating systems powering its iPhones, iPads and Apple Watches that left them vulnerable to Pegasus spyware, made by Israel’s NSO Group. The patch, rolled out a week before new versions of the operating systems were to be released, created unwanted attention that detracted from the company’s fall device launch.
In a separate walkback, Apple postponed an announced feature that would scan its devices for images of child exploitation. Privacy and security experts, as well as other critics, charged the approach to combating the illicit material was tantamount to creating a backdoor that could be exploited by governments intent on curbing free expression.
“How Apple handles this, and they’ve handled this reasonably poorly over the last few days, will affect how they’re able to preserve trust with their consumers,” said Richard Bird, chief customer information officer at the cybersecurity firm Ping Identity.
The Pegasus spyware discovery could constitute a “Cambridge Analytica moment,” he says, referring to Facebook’s headline-grabbing collection of data that was used for election campaigning.
The public criticism of Apple’s security and privacy marks a crossroads for a company that has used its user-focused stance to distinguish itself from its data-hungry rivals. The company won plaudits for pushing back against the FBI, which wanted Apple to crack the iPhone 5C of a terrorist who killed 14 people in 2015.
Apple used that steadfast position on privacy to needle its competitors. The company ran a billboard before the 2019 Consumer Electronics Show reading: “What happens on your iPhone, stays on your iPhone.”
Apple declined to comment for this story beyond its previously released statements about both issues.
Apple has long had a reputation for being relatively free from viruses, trojans and malware, all forms of malicious software that can foul up your machine. That’s largely because its Mac computers were niche machines rather than corporate workhorses, like those running Microsoft’s ubiquitous Windows operating system.
Cybersecurity experts say it just wasn’t worth the time and effort for cybercriminals to design malware to target them or to look for vulnerabilities in their operating systems.
But the popularity of the iPhone has fueled interest in Macs. According to the research firm IDC, sales of Apple desktop and laptop computers jumped 29% in 2020 from the year before, giving the company a 7.6% share of the market.
That’s made Macs and the broader Apple ecosystem more enticing targets for the hackers who distribute malware. And the broad shift to mobile computing on phones and tablets has created a host of new targets in product classes that Apple leads.
For example, in March, Apple pushed out an update for iPhones, iPads and Apple Watches to fix a vulnerability in WebKit, which powers Apple’s Safari browser, that was discovered by security researchers at Google’s Project Zero. The researchers said at the time that it was possible that the vulnerability was being actively exploited.
And last fall, five hackers said they had discovered 55 Apple vulnerabilities, 11 of which were deemed critical, meaning that if exploited, there could be significant effects such as the compromise of user data. The group found the trove of problems over a period of three months and as of October had received just under $300,000 in bug bounties from Apple for their work.
It makes sense that cybercriminals have moved to attack mobile devices because so many businesses and consumers have shifted their work to those platforms, says J.T. Keating, senior vice president of product strategy for the mobile security company Zimperium.
“The reason that this is newsworthy is that we don’t hear about these kinds of things a lot of the time,” Keating said. Apple and Citizen Lab, the research group that discovered the Pegasus vulnerability, appeared to have cooperated well on the fix, he said.
Not everyone is as complimentary. Ping’s Bird said Apple had failed to own up to the fact that the spyware was specifically designed to attack Apple devices.
According to the research firm Counterpoint, Apple had a 53% share of the US smartphone market as of the second quarter of this year, about twice as much as its nearest rival Samsung.
“They need to recognize publicly that we, as customers, are a target,” he said, adding that the company appeared to sweep the problem under the rug ahead of last week’s product event.
Blasted from the get-go
More worrying, perhaps, is Apple’s announcement last month of new technology designed to search for images of child exploitation on its users’ devices.
The new feature, originally planned to be built into the iOS 15, iPadOS 15, watchOS 8 and macOS Monterey software updates, is designed to detect whether people have child exploitation material stored on their device.
It would do this by converting each image into a hash, a short digital fingerprint that identifies a file. Those hashes are then checked against a database of known child exploitation content that’s managed by the National Center for Missing and Exploited Children. If a certain number of matches are found, Apple is alerted and may investigate further.
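A simplified model of the pipeline described above, added here as an illustration and not Apple’s code: each image is reduced to a hash, compared against a database of known hashes, and an alert is raised only once the match count reaches a threshold. The hash function (a small difference hash), the images, the database and the threshold are all constructed for this example.

```python
"""Constructed model of hash-then-threshold matching. Not Apple's algorithm:
a simple difference hash (dHash) stands in for the real hash function, and
all images, known hashes and the threshold are made up for illustration."""


def dhash(rows):
    """Difference hash: one bit per horizontally adjacent pixel pair.
    `rows` is a grayscale image already scaled down to N rows of N+1 values
    (0-255). A bit is 1 when the left pixel is brighter than its neighbour,
    so small uniform brightness or re-encoding changes leave the hash intact."""
    bits = 0
    for row in rows:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def count_matches(images, known_hashes, max_distance=2):
    """Hash every image and count those within max_distance bits of any
    known hash, so near-duplicates still register as matches."""
    return sum(
        1 for img in images
        if any(hamming(dhash(img), k) <= max_distance for k in known_hashes)
    )


def should_alert(images, known_hashes, threshold):
    """The 'certain number of matches' step: a single near-match does not
    trigger review on its own; only reaching the threshold does."""
    return count_matches(images, known_hashes) >= threshold


# Constructed 4x5 grayscale images (values 0-255), not real data.
KNOWN_IMAGE = [
    [10, 200, 30, 220, 40],
    [250, 20, 240, 10, 230],
    [60, 180, 70, 190, 80],
    [240, 50, 210, 60, 200],
]
# Same picture slightly brightened: neighbour ordering is preserved, so the
# hash is identical even though every pixel value changed.
NEAR_DUPLICATE = [[min(255, p + 5) for p in row] for row in KNOWN_IMAGE]
# Unrelated image: a smooth left-to-right gradient (every bit comes out 0).
UNRELATED = [[50 + 10 * x for x in range(5)] for _ in range(4)]
KNOWN_HASHES = {dhash(KNOWN_IMAGE)}  # the constructed "database"

if __name__ == "__main__":
    library = [KNOWN_IMAGE, NEAR_DUPLICATE, UNRELATED]
    print("matches:", count_matches(library, KNOWN_HASHES))
    print("alert at threshold 3:", should_alert(library, KNOWN_HASHES, 3))
```

Because the matching tolerates small differences, the threshold is what keeps an isolated near-collision from triggering review on its own.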
The move was blasted from the get-go by security experts and privacy advocates. Groups including the Electronic Frontier Foundation and Fight for the Future organized protests outside of Apple Stores and delivered petitions signed by about 60,000 people to the company.
At a media event ahead of the protests, renowned technologist Bruce Schneier, who sits on the EFF’s board, said there’s nothing stopping governments from forcing Apple to use that same system to look for other things. (Apple argues that client-side scanning preserves security by keeping the process on the device.)
“We cannot put this on every single Apple user’s device safely, because it amounts to a surveillance system on every single Apple user’s device,” Schneier said. “It’s not targeted, it’s not proportionate and it doesn’t work.”