Apple's performance here is inexcusable for a software company. It displays either a complete disregard or a complete lack of understanding of basic security.
There is a reputation of Apple being more secure, but it's largely unfounded. It just looks that way because the ecosystem is completely locked down and software isn't allowed to exist without Apple's stamp of approval.
You're not entirely wrong. For a proprietary, closed-source, limited-access system that Apple has complete control of, it's surprisingly vulnerable and slow to be patched.
Apple has as many kernel exploits as any other; software is not perfect. macOS has a long history of many, many security patches in point releases; sometimes the release notes run into the tens of pages.
The point of view you should take is that the company that doesn't issue security fixes (or issues very few comparatively) is the one you should be worried about: They are not better, they just don't fix anything and leave you vulnerable instead.
I do not know why anybody would believe any claim by Apple with respect to security without overwhelming empirical evidence supporting their claims. The default assumption in commercial software security, supported by literal decades of abject failure by every player, is that commercial software security is atrocious. To claim anything more than trivial security is an extraordinary claim and thus demands extraordinary evidence before being accepted.
Apple has demonstrated no such evidence. In fact, the opposite is the case. Despite decades of assurances that their systems provide meaningful security, every single year we see their security torn apart by individuals and small teams with budgets that do not even constitute rounding errors to a Fortune 500 company. There is exactly no reason to believe they have meaningfully superior technical expertise with respect to security relative to the default standard of the industry.
However, this should be no surprise to anyone, as the security certifications that Apple advertises for iOS [1][2] are only “applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious.” [3][4]. I mean, look at [4]: the process used to certify their security is that their evaluators typed search terms into the internet and verified that every vulnerability that turned up was patched, that’s it. There is no requirement to even do an independent analysis that it protects against attackers with a basic attack potential; that is done at the next higher level of security that they could have chosen to certify against, but did not.
To be fair, Apple has historically demonstrated the ability to certify against AVA_VAN.3, which demonstrates resistance to attackers with an enhanced-basic attack potential, but they have failed every time they have ever attempted to certify against AVA_VAN.4, which demonstrates resistance to attackers with a moderate attack potential. It should be no wonder that they cannot protect against moderate attack potential threats such as individuals or small teams, let alone high attack potential threats such as large organized crime and nations.
If Apple wants their security claims to be taken seriously, they should start by demonstrating their ability to protect against moderate attack potential threats via the internationally recognized security certification process they already use and advertise. Until then, the only thing we should trust is what they certify they can do (protect against script kiddies), not what they have failed to ever achieve in an auditable manner (protect against moderately skilled attackers).
I would argue that handling security problems in general has not been Apple's strength historically.
I agree that failing to fix a problem like this in a timely fashion is bad, but sins of omission are generally judged differently than sins of commission, for better or worse. Apple failing to apply proper prioritization to security holes isn't the same as Apple collecting data to be sold to the highest bidder.
So, again, Apple should not be treated as equivalent to Google and Facebook. Feel free to judge them harshly, but don't paint them with the same brush.
It really feels like the only thing that made Apple less prone to hacking and malware (and therefore more secure) than other OSes is the lack of scrutiny by hackers and malware authors. This is a front-door-open kind of problem.
Apple's security record is not better than, say, Adobe's.