Apple needs a mega-security audit. As far as I know, Apple has not contracted for a security audit from anyone. I’ll be generous and assume Apple has fulfilled its PCI DSS obligations, but I don’t have a reference for that.
So why? Why, with all the customer goodwill that Apple has accumulated, does Apple need an outsider to come in and perform a security audit?
Well, to establish trust in the Snowden Age, that’s why.
Apple, like any other netizen, has been attacked repeatedly, and sometimes successfully. See
- Australian Apple ID
- Bypass iOS 7.0.4 – 7 Apple ID Activation Lock iCloud [iPhone 4]
- Touch ID hack
- Jonathan Zdziarski’s revelations about corporate backdoors in iOS (given a user’s or Apple’s approval)
- OS X’s FileVault 2 has not been audited, so who knows if it’s really secure.
- “No password, no problem” from 2012.
- The recent “goto fail” fixed by Apple in 10.9.2.
- Have there ever been any penetration tests run against iCloud? Or Apple’s ID page?
So what do the items above have in common? Most of them are recent or still outstanding issues. Together they cover every platform and significant web property that Apple deploys, including iOS, OS X, iCloud, and Apple ID account management.
Apple continues to release security fixes regularly, but now we need more assurance than the proverbial ‘trust us’. Now we need audited software, and we should not expect anything less from a recognized product leader.