You’re not wrong about the impossibility of perfect security.
But Apple is praising and promising to support independent security research in this press release. Meanwhile they have a reputation among independent security researchers for being standoffish, opaque, slow to respond, and even outright hostile in suing Corellium. They settled that suit but the reputation remains.
Apple is the most valuable company in the world. They do not appear to have the best security program in the world. Whatever Citizen Lab can do, Apple should be able to do better; they have a lot more resources and expertise.
I’m not doubting that Apple puts a lot of effort into securing their products. But it seems like they still have significant room for improvement.
Seconded. There are many, many low hanging fruits that would substantially improve Apple users' security that Apple has not yet implemented, for example delivering Safari updates independently from macOS updates and having a seamless auto-update mechanism equivalent to every other modern browser. Apple repeatedly claims that most malware targets Android, which is true, but it includes Play Store adware and side-loaded malware; if you only take RCE exploits, which are the relevant class of malware here, one could argue Android is as secure, or more secure than iOS. I would argue the latter, given that Safari and iMessage (as well as integrated WebKit webviews, like Apple Music) seem like the primary attack vectors, and the ones used by NSO; and that security updates to those components, unlike the Android equivalents, are delayed to match Apple's preferred iOS release schedule, instead of being autoupdated separately and transparently to the user.
One could also argue, that as Apple is commonly branded as "secure" alternative, and therefore high profile targets are potentially using their products. This might mean that interest is much higher for attackers on that side. They might not care so much about Android. Increased interest and effort means that more likely something is found.
Also, Apple's sandboxing settings and permission managing makes the most malware pretty useless with App store policies (no sideloading), so only RCE exploits are kinda useful.
What it comes to iMessages, that is the most interesting channel with Safari to deliver exploits, iMessage without user interaction and Safari with some. All you need to know is that target is using iPhone. Other non-default applications as target introduces new challenges. iMessage and Safaring being part of OS updates might indicate, that they are handled differently compared to other apps - is security policy same, worse or better? Is there larger attack interface to system by using these apps?
> They do not appear to have the best security program in the world.
By what measure? That they don’t find all the security bugs? Have you seen what iOS exploit chains look like these days? They’re not exactly simple. I think there is literally no amount of money that could be spent that would eliminate all the security bugs in iOS, or Apple would be figuring out how to spend that much right now. So yes, you can always argue that they should spend more, and I’m sure they do spend more every time something like Pegasus happens, but it’s not some grand revelation. This is just how things are.
> Whatever Citizen Lab can do, Apple should be able to do better; they have a lot more resources and expertise.
At the tail, this doesn’t matter. Other people find bugs because there are always more bugs to be found. There will never be a situation where only Apple can find more bugs in its operating system.
But Apple is praising and promising to support independent security research in this press release. Meanwhile they have a reputation among independent security researchers for being standoffish, opaque, slow to respond, and even outright hostile in suing Corellium. They settled that suit but the reputation remains.
Apple is the most valuable company in the world. They do not appear to have the best security program in the world. Whatever Citizen Lab can do, Apple should be able to do better; they have a lot more resources and expertise.
I’m not doubting that Apple puts a lot of effort into securing their products. But it seems like they still have significant room for improvement.