Tuesday, July 24, 2012

What Apple Needs to Say at Black Hat - PC Magazine

It should come as no surprise that the most highly anticipated and hush-hush talk at Black Hat this year is the blandly titled "iOS Security" session on July 26, which will be delivered by Apple platform security manager Dallas de Atley.

Although this is Apple's second scheduled appearance at Black Hat (if you count the sudden cancellation in 2008, according to Bloomberg), this year is shaping up to be Apple's first official appearance at the pre-eminent security conference.

Black Hat USA 2012

It's hard to say what new information Mr. de Atley could possibly tell the most unforgiving, Apple-ambivalent, and tech-savvy audience out there. After all, the audience will include famed Apple platform hackers like Charlie Miller and Dino Dai Zovi, who recently published the "iOS Hacker's Handbook," and the AV community, which has always been critical of Apple's slow response time to patch its platforms (Flashback, anyone?).

I really, really hope Mr. de Atley isn't just going to regurgitate the iOS "whitepaper" Apple released in June. That 20-page report contained absolutely no new information to researchers – one person I spoke to said it was probably written by marketers – but it did make iOS security sound, well, easy for CTOs and other decision makers to figure out. Leave that presentation to RSA.

Instead, here are four things Mr. de Atley could talk about that wouldn't disappoint the crowd:

  • Details on iOS 6: With the iPhone 5 apparently the "most anticipated smartphone" ever, it'd be great if Apple discussed some of the security measures in the OS. Just yesterday developers playing with the iOS 6 beta discovered that Apple wouldn't require a password to download free apps – a strange, backwards move from a security standpoint.
  • Why it pulled BitDefender's permissions app, Clueful: Last week Apple inexplicably yanked BitDefender's privacy app after two months in the App Store. Clueful scanned installed iOS apps and displayed all the permissions they required. Frankly I was surprised it ever made it into the App Store, as it revealed alarming things like how Instagram tracked my location, Twitter credentials, and address book.
  • A bug bounty program: Google, Microsoft, Facebook all have one. Even though black markets pay more for vulns, Apple doesn't even give hackers the opportunity to wear white.
  • Charlie Miller's iOS developer's license: Apple frustrated a lot of security researchers when it revoked Charlie Miller's developer's license for a year last November. Miller had released a proof-of-concept showing how he added a malicious app (which harmed no one) to the App Store. Given that Miller's exploit disclosures have saved Apple's security team a lot of work over the years, this seemed a little ungrateful.

We'll see what happens this Thursday. Meanwhile, stay tuned as Security Watch brings you all the latest coverage from Black Hat 2012, starting Wednesday, July 25.

For more, see Ten Ways To Avoid Being Hacked at Black Hat.

For more from Sara, follow her on Twitter @sarapyin.

For the top stories in tech, follow us on Twitter at @PCMag.
