Apple's security strategy: make it invisible

Rich Mogull | June 17, 2013

When I received an invitation to the keynote event at Apple's Worldwide Developers Conference, my first reaction was, "Why?" I'm known as a security guy, which means my keynote invites come only when major security features are released. But as I watched the presentations, I began to understand why.

With the deep browser integration demonstrated at WWDC, it appears users won't have to manage plugins or even click extra buttons to decide when they need to use the tool; it seems to pop up exactly when they need it, making it easier to use a Keychain-created password than to enter one manually. That's applying human design principles to solve a security problem and improve the overall user experience.

No extra software to install. No plugins to manage. No buttons to remember to click. iCloud Keychain might not be good enough for power users, but it will bring the power of password management to the masses.

Activation Lock: The theft of iDevices is rampant throughout the world. While we might blame Apple for producing such desirable products, the company clearly doesn't want people to have to hide their devices in fake BlackBerry cases to use them in public without fear. Technically, phone carriers could dramatically reduce theft by refusing to activate stolen phones (every cellular-enabled device has a unique hardware ID), but they have so far been slow to act. Even if domestic carriers did create a registry, it's unlikely all foreign carriers would, and bad guys would simply ship phones overseas.

Activation Lock takes that decision out of carriers' hands and instead applies a global solution. Barring new hacking techniques, phones tied to iCloud accounts will be unusable once stolen. Users don't really need to do anything other than possess a free iCloud account. There's no carrier lock-in, registration, paperwork, or other obstacles to using it. The feature has the potential to reduce device theft at no additional cost to consumers.

So, once again, Apple is tackling a real-world problem without sacrificing the user experience. (Only time will tell how effective it is.)

Gatekeeper and the Mac App Store: As I've written previously, Gatekeeper combines sandboxing, the Mac App Store, and code-signing to dramatically reduce the chances a user can be tricked into installing malware. This is based on the success of the extreme sandboxing and reliance on the App Store for iOS that has prevented widespread malware from ever appearing on the iOS platform.

Again, Apple addressed the user side of the problem. It didn't rely on deep security technologies that targets could be tricked into circumventing. Rather, by pushing users to rely on applications from the Mac App Store and by providing strong incentives (like easier updates and no additional cost per computer), the company reduced the need to manually download apps from different locations. Apple then added Gatekeeper so users wouldn't accidentally install applications from untrusted sources.

This approach attacks the economics of malware while minimally impacting the user experience. A large percentage of users never need to think about where their software comes from or worry about being tricked into installing something bad.
