Apple’s software engineering head Craig Federighi had a difficult task within the Epic v. Apple trial: explaining why the Mac’s security wasn’t ok for the iPhone.
Mac computers have an official Apple App Store, but they also allow downloading software from the web or a third-party store. Apple has never opened iOS in this manner, but it’s long touted the privacy and security of both platforms. Then Epic Games sued Apple to force its hand, saying that if an open model is sweet enough for macOS, Apple’s claims about iOS ring hollow. On the stand yesterday, Federighi tried to resolve this problem by portraying iPhones and Macs as dramatically different devices — and in the process, threw macOS under the bus.
Federighi outlined three main differences between iOS and macOS. the primary is scale. Many more people use iPhones than Macs, and therefore the more users a platform gets, the more enticing that audience becomes to malware developers. Federighi argued iOS users also are far more casual about downloading software, giving attackers better odds of luring them into a download. “iOS users are just familiar with getting apps all the time,” he said, citing Apple’s old catchphrase: “There’s an app for that.”
The second difference is data sensitivity. “iPhones are very attractive targets. they’re very personal devices that are with you all the time. they need a number of your most personal information — in fact your contacts, your photos, but also other things,” he said. Mobile devices put a camera, microphone, and GPS tracker in your pocket. “All of these things make access or control of these devices potentially incredibly valuable to an attacker.
That may undersell private interactions with Macs; Epic’s counsel Yonatan Even noted that a lot of telemedicine calls and other virtual interactions happen on desktop. Still, it’s fair to mention phones became many people’s all-purpose digital lockboxes.
The third difference is more conceptual. Federighi basically says iOS users have to be more protected because the Mac may be a specialist tool for people that skills to navigate the complexities of a strong system, while the iPhone and iPad are — literally — for babies.
As Federighi put it:
The Mac from the beginning has been part of a generation of systems where the expectation is you can get software from wherever — you can hand it to your friend on a floppy disk and run it, that’s part of the expectation. But Mac users also expect a degree of flexibility that is useful to what they do. Some of them are software developers, some of them are pros running their unique tools, and having that power is part of it.
I think of it is as if the Mac is a car — that you can take it off-road if you want, you can drive wherever you want. And that comes with as a driver, you gotta be trained, there’s a certain level of responsibility in doing that, but that’s what you wanted to buy. You wanted to buy a car. With iOS, we were able to create something where children — heck, even infants — can operate an iOS device, and be safe in doing so. So it’s a really different product.
Federighi expanded on the metaphor a little later, when Apple’s counsel asked if macOS was “safe.”
Safe if operated correctly, much like that car. If you know how to operate a car, and you obey the rules of the road and are very cautious, yes. If you’re not — I’ve had a couple of family members who’ve gotten some malware on their Mac. But ultimately, I think the Mac can be operated safely.
I find the image of slowly, cautiously “driving” a Mac round the internet hilarious, because cars are deadly two-ton metal boxes that crush obstacles at superhuman speeds, while my MacBook starts losing keys if I type thereon too hard.
If you pair these comments with some earlier statements about macOS, though, it’s a touch less funny. Federighi was bluntly critical of macOS security, saying Apple saw “a level of malware on the Mac that we don’t find acceptable.” If you used Mac’s security model on the iPhone, “with all those devices, all that value, it would get run over to a degree dramatically worse than is already happening on the Mac,” Federighi said. “iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today.” It’s a distinctly negative evaluation of open computing systems, implying only a comparatively small platform could afford that openness without disaster.
Federighi took a far broader view of security than Epic’s own witness James Mickens. Mickens testified earlier that iOS wasn’t meaningfully safer than Android, but he analyzed mostly technical threats to the platforms. Federighi focused on scams, phishing, and other apps that focus on human psychology rather than code — many of which pose serious dangers.
Sometimes, though, the protectiveness felt patronizing. When Federighi explained Apple’s restrictions on cloud gaming, he focused partly on tangible security issues, like the way to grant device permissions for various titles on one gaming app. But he slipped seamlessly into discussing how the concept would be just too confusing — that iPhone and iPad owners would be befuddled by the notion of launching a separate game catalog. Apple wants iOS devices to feel trustworthy, but sometimes like that, it seems more like Apple just doesn’t trust its own users.
Stay tuned for further updates here at Techexposed, and if you want, you can always support us by buying us a coffee.
