Apple's first security talk at Black Hat disappoints

Security experts who crowded into Apple's presentation at the Black Hat security conference walked away disappointed at how little they learned that was new.

Dallas De Atley, manager of Apple's platform security team, provided little more on Thursday than a review of what Apple had already published in a white paper in May. His talk is said to have covered topics from the low-level functions of the boot loader and kernel to the code-signing requirements and app permissions.

For some security pros, De Atley's talk was like attending a college freshman course on locking down iOS, the iPhone and iPad's operating system. "I was hoping for more, but it was a bird's-eye overview of what Apple does to secure iOS," Kevin Mitnick, founder of Mitnick Security Consulting, told CSO Online by email.

Michael Price, chief architect for iOS at mobile security vendor Appthority, agreed that Apple's presentation was too shallow and left unanswered questions about security in the company's overall mobile application platform. "We hope that they will release additional whitepapers, or return to BlackHat next year, to discuss other areas related to the security of their products," he said.

Nevertheless, the fact that Apple discussed product security at all was a welcome sign that Apple's relationship with the security industry was changing. "It shows that they are concerned about reaching out to the security community, as well as to their users, with regards to security," Price said.

Before releasing the iOS white paper this year, Apple was nearly silent about security in the iPhone and iPad.

De Atley's appearance was the first time Apple has made a presentation at a Black Hat conference, organizers said. Apple was scheduled to appear at Black Hat in 2008, but the company's marketing department cancelled at the last minute. "Bottom line -- no one at Apple speaks without marketing approval," Trey Ford, general manager of Black Hat, said.

Apple's silence does not mean it has ignored security. The company has implemented sandboxing and has required third-party app developers to sign their code with an Apple-issued certificate. In addition, only apps vetted by Apple are sold through the company's App Store, which is the only outlet for iPhone and iPad software.

"Our attitude is that security is architecture," De Atley told the Black Hat gathering, the Kaspersky Lab blog reported. "You have to build it in from the very beginning. It's not something you can sprinkle over the code at the end."

Apple has more coming on the security front for its mobile devices. The company announced Friday the $356 million acquisition of AuthenTec, which develops and sells security software and hardware for mobile phones, PCs and networks. AuthenTec's products include fingerprint sensors that are integrated into mobile phones.

"Consumers want to be able to secure their online identity, whether it be their online banking information or social networking profile, and business users must be able to effectively secure their digital assets and network," Richard Martinez, an analyst for consulting firm Frost & Sullivan, said by email. "AuthenTec offers Apple the ability to add biometric security and identity management software to their devices to accomplish this."
