Craig Federighi blasts Mac security to prop up iOS App Store

Posted:
in macOS edited May 2021
Craig Federighi, Apple's head of software engineering, said that the Mac is not currently meeting the bar for customer security set by iOS and that the platform has an unacceptable level of malware.

Credit: Apple
Credit: Apple


Federighi took the stand on Wednesday in the ongoing Epic Games v. Apple trial, and offered details about the security of Apple products and some of the differences between the Mac and the iPhone.

For example, when asked by Judge Yvonne Gonzalez Rogers about why macOS can support multiple app stores -- something Epic wants on iOS -- Federighi used it as an opportunity to tout the security of the iOS platform by contrasting it with the Mac.

Multiple app stores are "regularly exploited on the Mac," Federighi said. He added that there's a "level of malware on the Mac that we don't find acceptable."

"iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today," he said.

The Apple engineering chief also used Android as an example of the dangers of third-party app stores. He pointed out that "it's well understood in the security community that Android has a malware problem." By comparison, "iOS has succeeded so far in staying ahead" of the problem.

Federighi said that there are 130 types of Mac malware that have affected at least 300,000 systems since last May. However, Federighi took the opportunity to defend the Mac as a different product with different users in mind.

"The Mac is a car. You can take it off road if you want and you can drive wherever you want. That's what you wanted to buy. There's a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It's really a different product," he said.

Compared to other personal computers, Federighi said, the Mac is still "the safest possible" if operated correctly. "I've had a couple of family members who have gotten malware on their Macs, but ultimately, I believe a Mac can be operated safely," he said.

At other points during his testimony, Federighi explained and defended the thinking before iOS's walled garden approach.

If iOS was opened up, for example, "it would become commonplace for users to be directed to download misrepresented software from untrusted sources where they'd be subject to malware."

Federighi also contrasted the iPhone with the Mac by saying that the smartphone is much more personal, typically contains sensitive data, and has features like a camera and a microphone. All of these factors make iPhones "very attractive targets."

Similarly, the Apple executive said that Mac users are "typically much more wary of downloading software." By comparison, iOS users are accustomed "to getting apps all the time." Attackers, then, could find a much easier audience to exploit.

Federighi was also asked about the enterprise certificate program, which lets companies distribute apps on iOS outside of App Store review purview if they sign up for the initiative. Federighi says that the endeavor relies on a "specific trust relationship" between a company and its employees.

However, he said that Apple has seen "all manners of attack" through the enterprise program, and even called it "an area of significant abuse." The Apple executive added that the company has seen a "pattern" of bad actors signing up with fake companies and setting up app stores that are "absolutely full" of malware.

Epic's lawyer fired back during cross-examination, noting that Apple markets Mac as being suitable for use by children and does not position iOS as a safer, more secure alternative to Mac.

At another point, Epic's lawyers attempted to argue that features like App Notarization and the Mac Gatekeeper could be ported to iOS as a way of allowing outside app stores. Federighi disagreed, and said that the solution would not be practical.
«1345

Comments

  • Reply 1 of 93
    BeatsBeats Posts: 3,073member
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    mcdaveradarthekatkillroy
  • Reply 2 of 93
    genovellegenovelle Posts: 1,481member
    AppleInsider said:
    [edit: removed entire article from this comment]
    My Son has an IPad that I trust him using independently as a 7 year old. When he was on virtual on a chrome book from his school, the kids were easily find a way around the security, and accessing outside sites. Not an issue I have at all on his iPad. 
    edited May 2021 Beatsaderuttermcdavejony0blastdoorkillroywelshdogwatto_cobra
  • Reply 3 of 93
    thttht Posts: 5,619member
    Yes, if I were him, I’d still be pissed that iOS developers decided to download Trojanified Xcode packages from non Apple servers, which resulted iOS apps with malware making it into the App Store. 

    It’s like people are forgetting news of ransomware, malware, cryptoware, adware, extortion ware, so on and so forth that regularly hit every entity from large institutions to John Doe’s laptop.

    macOS is still very much at risk from a user turning off Gatekeeper and installing an app from who knows where. 
    Beatsmcdavejony0FileMakerFellerPezawatto_cobra
  • Reply 4 of 93
    sflocalsflocal Posts: 6,123member
    Beats said:
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    I believe if MacOS had an App Store similar to iOS and only software from that App Store can be installed, it would have meant the death of MacOS for sure.  

    I hate Android, I love iOS.  MacOS has to balance that line between user safety, and flexibility.  There are tons of apps that aren't on the Mac App Store, and it will always be that way.  I the user accept responsibility for downloading/installing software that could infect it.  When I need to install software, I look first at the Mac App Store, but most of the time it's from the developer's website.

    iOS is completely a different animal.  It's a toaster.  Treat it as such.
    asdasdjony0FileMakerFellershareef777muthuk_vanalingamwilliamlondonbyronlkillroyelijahglamboaudi4
  • Reply 5 of 93
    thedbathedba Posts: 776member
    Beats said:
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    Actually they did, with the Mac App Store. Not very successful as many apps outside of Apple’s own, weren’t  there for various reasons, the main one being Apple’s 30% cut. 
    shareef777Peza
  • Reply 6 of 93
    physguyphysguy Posts: 920member
    I read his testimony and he didn’t ‘blast’ anything. He told a very factual state of things. iOS is a higher bar. macOS is not as good. Apple wants both to be better but macOS has farther to go. 

    He doesn’t  say macOS is bad just not as good on security as iOS.  What is being proposed would take iOS backwards WRT security, with which I agree strongly based on available evidence such as the state of Android. 

    Unbelievably sensational clickbait headline. 
    thtaderuttermacplusplusjony0FileMakerFellerflydogpscooter63dangermouse2EsquireCatsforegoneconclusion
  • Reply 7 of 93
    BeatsBeats Posts: 3,073member
    sflocal said:
    Beats said:
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    I believe if MacOS had an App Store similar to iOS and only software from that App Store can be installed, it would have meant the death of MacOS for sure.  

    I hate Android, I love iOS.  MacOS has to balance that line between user safety, and flexibility.  There are tons of apps that aren't on the Mac App Store, and it will always be that way.  I the user accept responsibility for downloading/installing software that could infect it.  When I need to install software, I look first at the Mac App Store, but most of the time it's from the developer's website.

    iOS is completely a different animal.  It's a toaster.  Treat it as such.

    It’s called moving forward. Just like how developers are migrating to M1.

    The irony is that the judge is questioning why they allow multiple app stores on Mac. Had Mac had one iOS-like App Store the argument wouldn’t have arose.
    aderutter
  • Reply 8 of 93
    BeatsBeats Posts: 3,073member

    thedba said:
    Beats said:
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    Actually they did, with the Mac App Store. Not very successful as many apps outside of Apple’s own, weren’t  there for various reasons, the main one being Apple’s 30% cut. 

    MacOS allows multiple app stores.

    I would love if Apple gave more incentive to support the Mac App Store exclusively so we can have one giant pot to choose safe apps from. Apple dropped the ball on having one safe App Store with the M1 launch which would have been a huge incentive. Now that developers are in Apple’s new process, it’s too late.
    edited May 2021 aderutterwilliamlondon
  • Reply 9 of 93
    Epic walked into that one, didn’t they? 

    Macs are less secure than iOS devices. Epic’s genius strategy is to argue that is not true, contrary to the evidence and common sense. Good luck with that! 

    What is the simplest way to ensure your Mac is secure? Only install software from the App Store! See how that works? I doubt it’s a turning point, but it doesn’t hurt Apple’s defense.
    BeatsFileMakerFellerspock1234pscooter63GeorgeBMacwatto_cobra
  • Reply 10 of 93
    sdw2001sdw2001 Posts: 18,027member
    I feel like Epic’s argument is “we want you to change the product and system you created.  For us.  Your honor, make them do what we want! How dare they create a secure product people are happy with and is enormously successful?”  
    edited May 2021 aderutterthtjony0KTRradarthekatBeatsspock1234pscooter63Fidonet127williamlondon
  • Reply 11 of 93
    MplsPMplsP Posts: 4,004member
    Beats said:
    sflocal said:
    Beats said:
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    I believe if MacOS had an App Store similar to iOS and only software from that App Store can be installed, it would have meant the death of MacOS for sure.  

    I hate Android, I love iOS.  MacOS has to balance that line between user safety, and flexibility.  There are tons of apps that aren't on the Mac App Store, and it will always be that way.  I the user accept responsibility for downloading/installing software that could infect it.  When I need to install software, I look first at the Mac App Store, but most of the time it's from the developer's website.

    iOS is completely a different animal.  It's a toaster.  Treat it as such.

    It’s called moving forward. Just like how developers are migrating to M1.

    The irony is that the judge is questioning why they allow multiple app stores on Mac. Had Mac had one iOS-like App Store the argument wouldn’t have arose.
    Part of the problem is you can’t go back. Apple rolled out the Mac App Store after the iOS store but MacOs was obviously long established and they didn’t want it risk alienating developers (and users) by locking the system down and restricting Apps to the official App Store only. In contrast, iOS has always been a walled garden so it’s easier to maintain it that way. I hope Epic doesn’t ruin that. 
    muthuk_vanalingamwilliamlondonGeorgeBMacwatto_cobra
  • Reply 12 of 93
    Beats said:
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    So would you get rid of Terminal to prevent users from getting more detailed control than the macOS GUI allows?
    rcomeauelijahgPeza
  • Reply 13 of 93
    Indeed, if I were Apple I would be freaked out by the idea of iPhone users being able to be persuaded into downloading theftware or software that can bypass all of iOS's security mechanisms. Apple does have signing for Mac apps distributed outside of the Mac App Store, but you can turn that off and arguing that Apple must provide such a service to third parties trying to build their own App Store for iOS apps is basically demanding that another company implement what you want in order to enable your business. And Apple enabling third party App Stores for iOS without apple doing any fingerprinting of the apps themselves would be insane. 

    At least on the Mac the number of applications floating around isn't all that large, and the number people actually install is even smaller. 

    All that said, Apple could make a far better App Store experience, and could probably enable third parties to serve as App Store marketers by letting them take a cut. If Epic was operating as the marketer for apps that were available through the regular iOS App Store but took, say, a 40% cut of the 30% paid to Apple by the user then there would be better marketing of those apps but the security model would still be in place. 

    The way Apple currently operates, broad marketing can only be done by Apple. Revenue sharing could change that enormously, and for the better for everyone. Imagine a website dedicated to writers or developers or gamers being able to review and link to the iOS App Store, with revenue sharing. We could end up with better writing apps, or better apps for developers or gamers, because we would have better dedicated gatekeepers motivated to be the place that users go to find well reviewed apps fitting a target market. Apple's own App Store is so freakin huge and has to balance presented apps to ensure fairness that it literally can't solve the problem of filtering apps to only the best to serve a particular purpose. 

    Marketing revenue sharing is hardly a panacea as well. It could certainly be abused, and until some trusted websites really get going and figure out how to reliable show up first in google versus crappy sites just popping up to get a cut, it could just end up being a cost to Apple with little user benefit. But it should be doable and would go a long way toward ameliorating Apple's potential anti-trust issues related to the App Store. 
    DnykjpRfC6fnBs
  • Reply 14 of 93
    hexclockhexclock Posts: 1,305member
    Beats said:
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    So would you get rid of Terminal to prevent users from getting more detailed control than the macOS GUI allows?
    Especially since Terminal can be a lifesaver if something really goes wrong with your machine or a drive. 
    Or a million other things. 
    edited May 2021 FileMakerFellerwatto_cobra
  • Reply 15 of 93
    asdasdasdasd Posts: 5,686member
    Beats said:
    sflocal said:
    Beats said:
    I’m disappointed Apple didn’t roll out an App Store like iOS.

    People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.
    I believe if MacOS had an App Store similar to iOS and only software from that App Store can be installed, it would have meant the death of MacOS for sure.  

    I hate Android, I love iOS.  MacOS has to balance that line between user safety, and flexibility.  There are tons of apps that aren't on the Mac App Store, and it will always be that way.  I the user accept responsibility for downloading/installing software that could infect it.  When I need to install software, I look first at the Mac App Store, but most of the time it's from the developer's website.

    iOS is completely a different animal.  It's a toaster.  Treat it as such.

    It’s called moving forward. Just like how developers are migrating to M1.

    The irony is that the judge is questioning why they allow multiple app stores on Mac. Had Mac had one iOS-like App Store the argument wouldn’t have arose.
    It would kill the Mac to stop downloads from third parties from the web. Craig was only dissing the Mac because he didn’t want to support the idea of app notarization on iOS. And the Mac is well protected for ordinary users anyway. 
  • Reply 16 of 93
    lkrupplkrupp Posts: 10,557member
    Federighi is right. if you spend any time on the Apple Discussion Forums the number of questions, complaints, and cries for help in the macOS threads about malware are large and strident. From search engine hijacking to a/v software, to performance issues. Dozens of these per day with volunteers suggesting EtreCheckPro to Malwarebytes to find and remove the offending adware, malware, etc. People are still downloading fake Adobe Flash installers and suffering the consequences. It’s an unending stream of problems caused by users downloading and installing evil software.
    edited May 2021 jony0Fidonet127williamlondonwatto_cobra
  • Reply 17 of 93
    aderutteraderutter Posts: 622member
    I do think Apple should lock MacOS down to a single Apple provided Mac app-store, but they would likely need to reduce the commission to a much lower figure to appease the big developers and not hurt the platform. Then again, they could even maybe not take a commission at all just like they don’t charge for MacOS upgrades nowadays. 
    KTR12Strangerswatto_cobra
  • Reply 18 of 93
    aderutter said:
    I do think Apple should lock MacOS down to a single Apple provided Mac app-store, but they would likely need to reduce the commission to a much lower figure to appease the big developers and not hurt the platform. Then again, they could even maybe not take a commission at all just like they don’t charge for MacOS upgrades nowadays. 
    That would be the death of the Mac as a viable alternative to PCs for all manner of things. Pros wouldn't use it anymore. I would probably have to abandon it as well. If nothing else, I run plenty of things that I get from Homebrew, to run in the Mac's Unix environment (something that is currently impossible on iPads). And, those apps, and many more, have access to pretty low level aspects of the computer. And I need that stuff. Why? Because I use my Mac as a general purpose computer for a large number of things that one uses a general purpose computer for. Whenever I use my iPad, it is abundantly clear that it is a far more limited device. And that's fine. I just do a heck of a lot less with it. 

    Apple could disallow non Mac App Store apps by default, and force you to go through some hoops to use apps not downloaded from there, which would be fine. Forcing Mac App Store as the only means of running stuff on the Mac would be platform suicide. 

    If you want an iPad, buy an iPad. It supports mice and trackpads well enough, with that support getting better with every iPadOS release. If you want a user experience limited by what is available on an Apple App Store, it works more than well enough. 

    And if you want a device you can safely give a parent or friend who you can't trust not to be talked into downloading crap (even with hurdles in place), buy them an iPad. Or, give them a non administrative account that is locked down from being able to install apps not from the Mac App Store. Just be prepared to be their IT person if they need to fix something that requires administrative access. 
    edited May 2021 robabashareef777elijahgkestralPezawatto_cobra
  • Reply 19 of 93
    22july201322july2013 Posts: 3,700member
    Would Epic's arguments even apply to macOS, if Apple decided to have a single App Store on macOS? 
  • Reply 20 of 93
    CheeseFreezeCheeseFreeze Posts: 1,331member
    Throwing macOS under the bus (“the most advanced OS in the world”!) to defend their monopolistic cash-cow, the App Store.
    What a douche.
    libertyforallBeatsshareef777asdasdmuthuk_vanalingamelijahgkestralPeza
Sign In or Register to comment.