Apple's first security talk at Black Hat disappoints

Security experts who crowded into Apple's presentation at the Black Hat security conference walked away disappointed in how little they learned that was new.

Dallas De Atley, manager of Apple's platform security team, provided little more on Thursday than a review of what Apple had already published in a white paper in May. His talk is said to have covered topics from the low-level functions of the boot loader and kernel to the code-signing requirements and app permissions.

For some security pros, De Atley's talk was like attending a college freshman course on locking down iOS, the iPhone and iPad's operating system. "I was hoping for more, but it was a bird's-eye overview of what Apple does to secure iOS," Kevin Mitnick, founder of Mitnick Security Consulting, told CSO Online by email.

Michael Price, chief architect for iOS at mobile security vendor Appthority, agreed that Apple's presentation was too shallow and left unanswered questions about security in the company's overall mobile application platform. "We hope that they will release additional whitepapers, or return to BlackHat next year, to discuss other areas related to the security of their products," he said.

Nevertheless, the fact that Apple discussed product security at all was a welcome sign that Apple's relationship with the security industry was changing. "It shows that they are concerned about reaching out to the security community, as well as to their users, with regards to security," Price said.


Before releasing the iOS white paper this year, Apple was nearly silent about security in the iPhone and iPad.

De Atley's appearance was the first time Apple has made a presentation at a Black Hat conference, organizers said. Apple was scheduled to appear at Black Hat in 2008, but the company's marketing department cancelled at the last minute. "Bottom line -- no one at Apple speaks without marketing approval," Trey Ford, general manager of Black Hat, said.

Apple's silence does not mean it has ignored security. The company has implemented sandboxing and has required third-party app developers to sign their code with an Apple-issued certificate. In addition, only apps vetted by Apple are sold through the company's App Store, which is the only outlet for iPhone and iPad software.

"Our attitude is that security is architecture," De Atley told the Black Hat gathering, the Kaspersky Lab blog reported. "You have to build it in from the very beginning. It's not something you can sprinkle over the code at the end."

Apple has more coming on the security front for its mobile devices. The company announced Friday the $356 million acquisition of AuthenTec, which develops and sells security software and hardware for mobile phones, PCs and networks. AuthenTec's products include fingerprint sensors that are integrated into mobile phones.

"Consumers want to be able to secure their online identity, whether it be their online banking information or social networking profile, and business users must be able to effectively secure their digital assets and network," Richard Martinez, an analyst for consulting firm Frost & Sullivan, said by email. "AuthenTec offers Apple the ability to add biometric security and identity management software to their devices to accomplish this."
