Apple, the world’s most valuable company, was the recipient of both praise and tut-tutting over the past day, lauded for its protection of customers’ data by the Electronic Frontier Foundation, a long-standing web watchdog. On the other hand, a massive trove of security vulnerabilities on Apple’s Mac OS X and iOS systems was discovered by a team of computer scholars.
“It has adopted every best practice we’ve identified as part of this report,” wrote the EFF in its report, which awarded the company five stars, the highest rating, for its protection of consumer data. The EFF concentrates on many post-Snowden sensitivities, looking at company policies for evidence of how it deals with government data requests, backdoors, and more. Seven other companies, out of 24, were given five stars by the organization.
Less rosy are the conclusions drawn in the (very dense) research paper “Unauthorized Cross-App Resource Access on Mac OS X and iOS,” written by Luyi Xing, Xiaolong Bai, Kai Chen and XiaoFeng Wang of Indiana University, as well as Xiaojing Liao of the Georgia Institute of Technology and Tongxin Li of Peking University.
“Our research leads to the discovery of a series of high-impact security weaknesses,” the team writes, “which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps’ sensitive data.” The thirteen-page paper is a dense technical document. Translated, it means essentially that the way Apple dictates fences be built around and between each app on users’ computers (ostensibly to protect users) allows malicious apps access to the data that’s supposed to be secured by those very same fences.
Making matters worse, “all our attack apps were uploaded to the Apple App Stores and passed their inspections.”
Essentially, Apple (and Android, which gets passing mention in the paper) needs to build higher fences in order to protect its users’ personal app-fiefdoms.
Users of Apple’s products can count on the company to quickly address the security vulnerabilities outlined by the researchers. At least the government isn’t looking over your digital shoulder… or at least, you’d know if they were.