Ok, I have to admit this @Apple vs. @CorelliumHQ business just doesn’t sit right with me. Let me @ @tim_cook and pretend to have some meaningful engagement regarding Apple’s larger security dilemma. #Thread
Everyone knows I’m a huge Apple fanboy. Until the cheese grater Mac Pro came out, I more or less had one of every apple product in my house (with some wiggle room). While I may gripe about missing function keys, there’s no system I’d rather use than MacOS and iOS.
I’ve also, at diverse points in my career, had the privilege to report ongoing APT campaigns directly to Apple alongside colleagues (h/t @craiu) and was treated kindly by folks invested in securing the Apple ecosystem within the means available to them.
I might’ve considered joining but I wasn’t enough of an engineer and they weren’t enough of a threat intel company. Latter point is the crux of my concern with the Apple I’ve gotten to know. Despite best intentions, ‘head in the sand’ is the default approach to product security.
Magical security engineering @ Apple is top notch and deployed with amazing zeal. But when it comes to knowing the reality of what’s out there, extent of malicious activity affecting customers, or vulns actively exploited itw, a concern for ‘privacy’ is an excuse for not knowing.
For those bawled over by the concern for privacy, it’s admirable were it not hollow. In other words, the presumption of privacy is unfounded. I’m not saying go full handsy with customer data, but device/software introspection and telemetry are vital for defense.
While I’ve lost hope for threat intelligence at scale in the Apple ecosystem, the vuln issue is somethjng else, and here’s where we return to Apple vs Corellium.
Corporate underhandedness aside (attempt to buy then bully lawsuit), Corellium has created for vuln hunting what no AV/IR company has been enabled to build for threat hunting. And working to destroy that is unacceptable for a growing ecosystem.
For iOS, Apple is betting the house on the walled garden / code signing / dev verification approach. Meaning exploits are that much more important in the attack chain. Once past initial checks, Apple’s unwillingness to actively check device integrity means attackers are king.
Corellium’s product is a way to jog this side of the market closer to the light. It’s an enabler. It isn’t the only enabler. Exploit devs were using physical devices and doing just fine. And Apple clearly appreciates the tech if they intended to buy it at one point.
Claiming Corellium enables attackers undermines the fact that most defenders are being barred from researching this space while attackers have been doing just fine. Need is huge. Research enablers must be embraced and emboldened precisely to entice defenders to look.
Apple is an inch away from going the way of Sony with the PS4/geohot saga (jailbreaks should be illegal!). More importantly, it’s in desperate need of a ‘Bill Gates security memo’ moment. It’s simply unaware of the extent of the threats. And it’s making sure we too are unaware.
I’m all for Apple succeeding + gaining greater market share. But it can’t be a future where we can’t inspect devices; we have no security telemetry; and are being afforded no active defense (first- or third-party) beyond some paltry gatekeeping and low-hanging malware removal.
/End thread. Thanks for reading, Tim 🍎. And apologies to all my kind and thoughtful friends who work at Apple. You do great work and I hope you’re further enabled to succeed.
