“It dodged Heartbleed but was hit by the very embarrassing ‘goto fail’ bug. It was called out for not adequately documenting the uses of diagnostic tools that could have been used to collect data from user devices,” Panzarino writes. “Late last year researchers showed off a method for siphoning data via the charging port of iOS devices. A year ago a researcher went public with a method for accessing Apple IDs of developers after he says he got no response from Apple. And then there was this week’s celebrity photo hack, which may have been able to be prevented by making iCloud backups more secure.”
“In each of these cases, Apple fixed vulnerabilities, released support notes or patched bugs. But in almost all cases, and many others over the years, the company was as opaque as possible about explaining the details of security issues, reluctant to admit to them publicly and very unresponsive to independent security researchers. That leads to misunderstandings and FUD about the extent of the problems and the risks involved for users,” Panzarino writes. “This needs to change or it will continue to happen.”
Read more in the full article – recommended – here.
MacDailyNews Take: Apple should get out of the business of handing their adversaries the weapons of mass FUD via Cupertino’s culture of silence.
Panzarino’s idea that Apple should “compensate hackers and security researchers for finding and reporting bugs to Apple” is proven and sound.
For example, the “iBrute” hack that was able to rapid-fire passwords at one of Apple’s Find My iPhone login interfaces would likely have been found, reported and fixed long ago. (Actually, that one is something Apple should have never allowed in the first place; proper security audits should have caught that before launch.)
As Panzarino writes, Apple “could definitely afford to incentivize those researchers, or at the very least develop a way to communicate with them more openly and effectively.”
[Thanks to MacDailyNews Reader “Dan K.” for the heads up.]