Tuesday at the first congressional hearing on the issue of iPhone encryption, Apple’s general counsel argued against the FBI’s call for creating a backdoor into the company’s technology, a door that could allow the government — and hackers — to intrude on our privacy in the future.
Apple CEO Tim Cook’s position — supported by everyone from Google to Facebook, Microsoft, and Amazon — resonates with us because of we worry about “Big Brother” and “government surveillance.” But while many users are expressing solidarity with Apple’s apparently principled stance, they might also be asking a serious, related question for themselves: Does Apple really do enough to protect users from hackers?
Apple’s App Store Terms and Conditions clearly absolves it from any responsibility for a hack, breach, or data loss stemming from the use of any apps you purchase from it.
Imagine one of the apps you used to say, edit pictures, store passwords, or track your health was breached and the information was made public — similar to how hacked pictures from celebrity iCloud accounts were released. Only this time, imagine that it was due to an app in the Apple store being compromised — something that we know is probable after the recent discovery of hundreds of malware infected apps on Apple’s app store. If this happens, we the users have literally no one we can hold responsible.
In light of this, it’s hard to make a case then that Apple is always looking out us. Can’t Apple do better in protecting us from hackers?
Before we discuss that, let’s pause to recognize that this is a problem not just with Apple but also every other major technology company, from Google to Facebook to Amazon, each of which is vying to become your gateway to the Internet.
And the problem is likely to get worse as more and more everyday products become part of the “Internet of Things” (IoT) — that is, cyberspace connecting every “thing” (like clothes, thermostats, watches, and cars) to each other — all managed and controlled by devices like Apple’s iPhone, Amazon’s Echo, or Google’s Android platform.
Already the so-called sandboxed ecosystems of mobile operating systems — where only approved apps are given limited access to their respective operating system resources — have been shown to be susceptible to hacks by other apps that do not have the same access authorizations.
Such issues are only likely to get worse as more IoT gadgets come online and as more information is shared by “situationally aware,” decision engines like Siri, Alexa, and Google Now, which need to know everything we do on different apps throughout the platform in order to belt-out those smart responses to our queries..
Further complicating this is that most IoT gadgets are created by companies that have little to no information security experience, or that are simply negligent. Many have been shown to have serious vulnerabilities, and we have already seen successful breaches into everything from “smart” toys to thermostats.
In between all this, we, the users, are left to fend for ourselves. Often breaches remain unreported, or even undetected. Many security flaws are found by security enthusiasts or accidentally stumbled upon by affected consumers, sometimes months after a breach. Worse yet, many users are oblivious to the problem and continue to use these gadgets. Why? Because there exists no single gateway to learn about the security of new products outside of the online feedback from other users, most of who have little technical understanding of security.
But there is something that companies like Apple and Amazon can do. And they could do it now.
First, iOS and Android operating systems have specific technical guidelines for app developers, but these are designed to protect their operating systems, not our data, from being “exfiltrated” — taken without our consent — out of a gadget that connects through the app. Here, technology companies like Apple and Amazon act as mere intermediaries that provide their platforms for exchanging products. Instead, such technology companies should create and mandate security standards that gadget makers must adhere to, providing standards of protection for all of us.
Second, app stores today function merely as software purchasing outlets. All they present is user feedback about an app’s functionality without communicating its security flaws or those of gadgets connected to or controlled by the app. This could be easily altered if companies like Amazon actively solicited more pointed feedback from users about apps and the products they connect to and about the types of security issues they have considered or encountered. Not only would this help all of us purchase safer technologies, but it would also shape our expectations about what we should be looking for when we purchase IoT gadgets and apps.
Third, a consortium of technology companies, including Apple, Facebook, and Amazon must develop a security rating system and a standardized system for displaying this information, much like we have star-rating systems for automobiles and warning labels on products. The system should be easy for the end user to understand, should proactively rate new gadgets and apps as they are introduced, and these ratings should be prominently displayed on the app stores and product packages. All technology users, no matter their technical competency, should have this quick way to assess the security implications of the devices they plan to purchase.
It is one thing for Apple to take a stance against government intrusions into our privacy, but it is another to do something to better protect our data from hackers.