What to expect in Apple’s big event tomorrow

It’s time for the biggest tech event of the year – Apple’s product (hardware) launch event tomorrow.

WWDC in June is when we find out about the greatest and the latest software Apple has built, but when it comes to how that software blends seamlessly with hardware, resulting in some of the best designed, engineered and built tech products on the planet, it’s at the fall event that they launch them.

Key expectations are the next iPhone – iPhone 7, and the next big leap in wearables, Apple Watch 2.

If there is one preview of tomorrow’s event that you would want to read, make it Jason Snell’s:

The devil’s in the details, though. This event is Apple’s big chance to put all of its fall product offerings in context, to tell stories that explain why these products do what they do (or in some cases, don’t do what they don’t). This is product marketing at its highest level, and the way Apple introduces a product can be enlightening.

Apple getting rid of the headphone jack, what’s their take on wireless audio, the best camera on a smartphone getting even better (two lens camera), positioning of the Apple Watch – Jason has it all in his post. 

On Apple’s Bug bounty program

The Head of Security Engineering and Architecture at Apple, Ivan Krstić, announced to Black Hat attendees last week that Apple will begin offering cash bounties of up to $200,000 to researchers who discover vulnerabilities in its products.

Krstić’s talk at Black Hat was definitely interesting and covered a good breadth of the technical measures that Apple has been taking in making iOS secure, from the ground up. The presentation also included a level of technical detail and disclosure of security—here, related to AutoUnlock, HomeKit, and iCloud Keychain—that has been mostly absent in the past at conferences, according to those present.

Apple being so open and forthcoming about their security architecture is somewhat unusual, but definitely welcome.

Now, about the bounty program itself: it will initially be limited to about two dozen researchers who Apple will invite to help discover difficult-to-uncover security bugs in five specific categories:

[Image: the five bounty categories]

Each of these aspects represents a key threat vector for attacks by governments and criminals alike. While iOS has never had exploits spread significantly in the wild, jailbreaking the software has made use of various methods of running arbitrary code in iOS. In another Black Hat presentation, the makers of the Pangu jailbreak for iOS 9 (fixed in 9.2) described how they achieved that kind of code execution.

Until now, there’s been no known extraction of data from Secure Enclave, the dedicated hardware in iOS devices with an A7 or newer processor that acts as a one-way valve to store fingerprint characteristics and certain data associated with Apple Pay. It is also used to prevent downgrading iOS to exploit a bug in a previous release. iCloud, which has sometimes been in the media for the wrong reasons, has had some accounts compromised in the past through certain weak password entry endpoints and social engineering of celebrity accounts, but there has been no reported breach of the iCloud servers themselves.

Going by these clearly laid out vulnerability categories and qualification parameters, I see that Apple’s program sets clear objectives – find exploitable bugs in key areas. It makes complete sense, because proving exploitability with a repeatable proof of concept takes a lot more effort than merely finding a vulnerability. If the bug is found to have significant impact on security, then Apple will pay the researchers a fair value for their work. By doing this, Apple aims to learn how to improve a bug bounty program over a period of time, and derive maximum value out of it.

The end result is high-quality vulnerabilities (and their respective exploits), discovered by researchers and developers who Apple believes have the skills and the right intentions to help advance product security. Bounty fees at other companies start at anywhere from $100 to $500, and are capped at anywhere from $20,000 at Google to $100,000 at Microsoft, clearly indicating a focus on quantity, unlike Apple’s focus on quality and on vulnerabilities that are difficult to discover, exploitable and reproducible.

Many major tech companies, like Google, Facebook, Microsoft, Adobe, and SAP, have been running bounty programs for years. But there is a reason for Apple not getting into the bounty business until now, even if security has always been a priority for them and iOS is way more secure, from the ground up, than other competing mobile OS platforms today. That reason is primarily to ward off governments and underground hackers who merely want to make money, by not being in a position to negotiate with them. The disclosure by the United States government last week that an unknown third party had approached it — and not Apple — to help open a controversial iPhone only highlights how the giant company approaches bug-hunting efforts and security differently from the rest of the tech industry.

Asked by the audience at Black Hat why Apple waited so long to launch a bounty program, Krstić said the company has heard from researchers that finding critical vulnerabilities is increasingly difficult, and it wanted to reward those who take the time to do it.

I have been following Apple closely since 2009, when I bought my first Apple product – an iPhone 4 (the last phone Steve Jobs personally launched). Being a Security Consultant myself, I have always wondered how Apple builds their software to be far more secure than other operating system platforms. This has been true from the very beginning of Mac (built on a strong Unix base), and so I have always tried to understand iOS and Mac security a bit deeper, but Apple has always been secretive about sharing information, just the way they are about their product strategy and roadmap. So this new development, with the bounty program and the person in overall charge of product security at Apple making a presentation at Black Hat, is very exciting to me.

I am looking forward to understanding how Operating System security is best handled, from a company that makes the best software and hardware in the world today.

Notes:

  1. Krstić’s presentation at Black Hat is available here
  2. The video of the talk has been published recently on YouTube

 

Feature Image courtesy: blackhat.com

On Tim Cook’s visit to India

This is the first time an Apple CEO has come to India. Steve Jobs had been here before, but that’s when he was soul searching, and the India visit did play an important role in his life from then on.

Tim’s visit this week has been the most eventful and widely publicised of all the visits by large tech company CEOs in the recent past. I am sure this is going to have a huge positive impact on Apple’s market in India and be a great benefit for Apple product lovers and customers here.

Here is an interesting interview by The Hindu with Tim. I especially liked his response to a common and obvious question:

Interviewer: Most of the billion people in India may not have heard about Apple. A few million would have heard and seen Apple products and only the minority few, who can afford it, would have actually used an Apple device. How would you as the CEO, explain what Apple is to this Indian audience?

Tim: Apple is about making the best products, we only create products that enrich peoples’ lives and in doing that we change the world in a positive way. That, in a simple way, is what Apple is about. Think of our products as tools to learn, teach; they empower people to do things they could not do otherwise. That’s our reason for being and that’s what drives us.

Development Centers in Bangalore and Hyderabad, and three Apple Stores supposedly in Bangalore, Delhi and Mumbai have been some of the interesting announcements. 

Interesting times ahead for Apple, consumers and entrepreneurs in India. 
Picture courtesy: dnaindia

iPhone to become a key tool in genetic studies 

@AntonioRegalado of MIT Tech Review reports this. 

This is an interesting move by Apple, and I see ResearchKit playing a key role in the healthcare industry’s adoption of Technology to spearhead research initiatives.  

Apple is collaborating with U.S. researchers to launch apps that would offer some iPhone owners the chance to get their DNA tested, many of them for the first time, according to people familiar with the plans.

The apps are based on ResearchKit, a software platform Apple introduced in March that helps hospitals or scientists run medical studies on iPhones by collecting data from the devices’ sensors or through surveys.

IBM to work with Apple Watches Team to integrate health data with Medical devices

It’s ironic to note the way the relationship between IBM and Apple has evolved in the last 3 decades. Placing the historic 1984 ad (https://www.youtube.com/watch?v=OwT6mgXsZvU) on one side and this announcement on the other shows that time can change even the bitterest of relationships, doesn’t it?

As Jack Purcher notes for Patently Apple:

“…IBM has struck partnerships with Apple and the world’s biggest makers of medical devices, to put health data from Apple Watches into the hands of doctors and insurers, and to create personalized treatments for hip replacement patients and diabetics.

IBM’s push into digital healthcare will allow users monitoring their heart rate, calories burnt and cholesterol levels using Apple’s HealthKit platform to upload the information from an IBM app to a storage cloud, where it will be accessible to their doctors and insurance companies. Those who opt in to Apple’s ResearchKit will also be able to share their data with medical researchers.”

Do check out the full report here: http://www.patentlyapple.com/patently-apple/2015/04/ibm-to-put-health-data-from-apple-watches-into-the-hands-of-doctors-and-insurers-to-create-personalized-treatments.html