Apple's security strategy: make it invisible
When I received an invitation to the keynote event at Apple’s Worldwide Developers Conference, my first reaction was, “Why?” I’m known as a security guy, which means my keynote invites are only when major security features are released. But as I watched the presentations, I began to understand why.
Among the many new features in iOS and OS X that the company discussed, two security-related ones received extended attention: iCloud Keychain and Activation Lock. And as I thought about the demos of those and other new features in the days that followed, I came to realize something about the company’s approach to security that I hadn’t thought about before.
The human factor
Apple is famously focused on design and human experience as their top guiding principles. When it comes to security, that focus created a conundrum. Security is all about placing obstacles in the way of attackers, but (despite the claims of security vendors) those same obstacles can get in the way of users, too.
Take passwords, for example: As essential as they are to protecting us and our devices, they are one of the most universally despised things about using technology. (I’ve ranted about passwords elsewhere).
For many years, Apple tended to choose good user experience at the expense of leaving users vulnerable to security risks. That strategy worked for a long time, in part because Apple’s comparatively low market share made its products less attractive targets. But as Apple products began to gain in popularity, many of us in the security business wondered how Apple would adjust its security strategies to its new position in the spotlight.
As it turns out, the company not only handled that change smoothly, it has embraced it. Despite a rocky start, Apple now applies its impressive design sensibilities to security, playing the game its own way and in the process changing our expectations for security and technology.
While Apple hasn’t said so explicitly, it’s clear that one key principle guides them when it comes to security: The more you impede a user’s ability to do something, the more likely that user is to circumvent security measures. There were three good examples in the company’s WWDC keynote:
iCloud Keychain: When Apple first announced iCloud Keychain, I was initially perplexed. Why add a password manager to the operating system and default browser when there are plenty of third-party applications that do this, and it isn’t among a feature users are screaming for?
Then I realized that Apple was tackling a real-world security issue by trying to make that issue simply go away for the average user. Apple certainly can’t stop the onslaught of phishing attacks. But it can add a built-in, cloud-based password manager that both reduces security risks and improves the user experience. That addition enables users to use complex, site-specific passwords, and those passwords will—with no user effort—synchronize across all of their devices and be available whenever they’re needed (assuming those users use Apple products only, of course).
With the deep browser integration demonstrated at WWDC, it appears users won’t have to manage plugins or even click extra buttons to decide when they need to use the tool; it seems to pop up exactly when they need it, making it easier to use a Keychain-created password than manually enter one. That’s applying human design principles to solve a security problem and improve the overall user experience.
No extra software to install, No plugins to manage. No buttons to remember to click. iCloud Keychain might not be good enough for power users, but it will bring the power of password management to the masses.
Activation Lock: The theft of iDevices is rampant throughout the world. While we might blame Apple for producing such desirable products, the company clearly doesn’t want people to have to hide their devices in fake Blackberry cases to use them in public without fear. Phone carriers could dramatically reduce theft by refusing to activate stolen phones (every cellular enabled device has a unique hardware ID), but so far they have been slow to act. Even if domestic carriers did create a registry, it’s unlikely all foreign carriers would and bad guys would simply ship phones overseas.
Activation Lock takes that decision out of carriers’ hands and instead applies a global solution. Barring new hacking techniques, phones tied to iCloud accounts will be unusable once stolen. Users don’t really need to do anything other than possess a free iCloud account. There’s no carrier lock-in, registration, paperwork, or other obstacles to using it. The feature has the potential to reduce device theft at no additional cost to consumers.
So, once again, Apple is tackling a real-world problem without sacrificing the user experience. (Only time will tell how effective it is).
Gatekeeper and the Mac App Store—As I’ve written previously, Gatekeeper combines sandboxing, the Mac App Store, and code-signing to dramatically reduce the chance a user can be tricked into installing malware. This is based on the success of the extreme sandboxing and reliance on the App Store for iOS that has prevented widespread malware from ever appearing on the iOS platform.
Again, Apple addressed the user side of the problem. It didn’t rely on deep security technologies that targets could be tricked into circumventing. Rather, by pushing users to rely on applications from the Mac App Store and by providing strong incentives (like easier updates and no additional cost per computer), the company reduced the need to manually download apps from different locations. Apple then added Gatekeeper so users wouldn’t accidentally install applications from untrusted sources.
This approach attacks the economics of malware while minimally impacting the user experience. A large percentage of users never need to think about where their software comes from or worry about being tricked into installing something bad.
Invisible and practical
You’ll see evidence of this same approach elsewhere in the Apple ecosystem.
With FileVault 2, Apple provided full disk encryption for users to protect lost laptops. But at the same time, the technology allows users to safely and freely recover their system if they accidentally lock themselves out (without giving the NSA a back door). XProtect provides invisible, basic antimalware protection to all Macs, without the intrusiveness or cost normally associated with antivirus tools. Java in the browser is automatically disabled unless a user explicitly needs it; this introduces a small hurdle, while again minimizing the biggest attack path against current Macs. iOS will soon strongly encrypt all app data, while continuing the tight app isolation that effectively eliminates most forms of attack.
These tight controls might frustrate some advanced technology users, and certainly frustrate security vendors. But they also provide a safe user experience that’s proven itself effective over the past five years.
The consistent thread through all these advances is Apple attempting, wherever possible, to use security to improve the user experience and make common security problems simply go away. By focusing so much on design, Apple increases the odds users will adopt these technologies and, so, stay safer.