Apple 2021 year-in-review
Apple had a good year, but there were also some challenges and bumps in the road. Read on for our Apple 2021 year-in-review (with a security and privacy focus, of course), as well as a look at where we see the company heading in 2022!
Big wins for security and privacy
App Tracking Transparency (ATT) launched in full in 2021, much to the consternation of Facebook and other digital advertising companies. The iOS privacy feature forces apps to get a user’s permission before tracking them between apps or across the web. Unsurprisingly, not many people asked for more tracking. Within a few weeks of ATT’s rollout, only 6% of US users had opted in!
Mail also got more private this year. Mail Privacy Protection cracks down on pixel-based tracking in emails. iCloud+ users also have access to an email privacy feature called Hide My Email. This is essentially a built-in “burner email” generator. It lets you give strangers and companies a throwaway email address that forwards to your regular inbox.
In terms of security, Apple has added a significant (but strangely overlooked) change to its password management toolset. The new “Built-in authenticator” feature allows users to set up two-factor authentication codes directly, without having to install a third-party 2FA app.
Apple 2022 outlook: A trend toward privacy
ATT is huge for privacy, and despite the grumblings of Facebook and company, Apple is not likely to backtrack on this one. The trend on privacy is clearly toward putting greater control in the hands of users: expect to see more of the same from Apple in 2022.
No one knows if Keychain will ever evolve into a truly comprehensive password management solution (i.e. one that works on all platforms and devices). But with this year’s addition of native 2FA code generation, there is at least a hint that Apple is moving in this direction.
iOS hacks and privacy pushback
Things weren’t all rosy for Apple in 2021.
The Guardian published a joint investigation showing how numerous iPhones were compromised by Pegasus spyware. The commercial spyware tool is popular with authoritarian governments around the world. It had apparently made its way onto the iPhones of activists, journalists, and other high-risk individuals by exploiting iOS 0-days. Apple is clearly not to blame here. We’ll put that one on NSO Group and the repressive regimes who use their products. Nevertheless, the story came as a bit of a shock to people who had considered the iPhone essentially un-hackable.
Apple also scored something of an “own goal” in 2021 on the privacy front. The company announced that it was going to fight child exploitation by scanning iOS devices for child sexual abuse material (CSAM). Now, on the face of it, that’s a very good thing. But security and privacy researchers immediately saw a problem with Apple’s idea: If Apple can scan your device for CSAM, it can scan your device for just about anything else. And while Apple can probably be trusted, such technology in the hands of an authoritarian government could easily be used to enforce censorship or hunt down political dissidents.
Apple says that it would never allow this. But Apple also has to comply with local law. So, critics ask, what’s to stop a country from creating a security law that requires iOS to detect anti-government memes or pro-democracy material? It is for this reason that Eva Galperin, Director of Cybersecurity for the Electronic Frontier Foundation, said in our interview with her that “having this system at all — under any circumstances — is very dangerous”.
Apple 2022 outlook: Apple on the offensive
In terms of how Apple plans to deal with the problem of spyware on iOS devices, we already have an answer: they’re suing. The company recently announced a lawsuit against NSO Group, manufacturers of Pegasus spyware, citing monetary losses and a desire to protect the security of its platforms. Whether or not this specific lawsuit pans out, Apple clearly believes that companies like NSO Group can no longer go unchallenged. We would therefore expect a more aggressive stance from Cupertino going forward.
To its credit, Apple has delayed its plans to implement CSAM scanning on iOS. The company says that this is in order to consider the objections raised by the security and privacy community. However, it’s definitely a very cautious “wait and see” on this one. The company seemed fairly committed to the idea, even in the face of criticism. It’s unlikely that they will completely abandon it.
Apple, the law, and iPhone security
Apple fended off some serious legal challenges to its business model in 2021. That may not sound like a security issue to most of us. But as we’ll see, Apple certainly thinks it is!
Epic Games, a video game developer, sued Apple over in-app purchases on iOS. Epic argued that Apple was acting as a monopolist by not allowing alternative in-app purchase methods for iOS games. At present, everything has to go through the App Store. Coincidentally, this also ensures a 30% cut of the sales for Apple!
Meanwhile in North Dakota, state legislators proposed a law that would require Apple to allow alternative app distribution and payment methods. The bill wanted to open iOS up to third-party app marketplaces. It would also have let users purchase and install iOS apps directly from developers. In other words, the idea was to make apps on iOS work like apps on macOS!
In both cases, Apple won. The Epic lawsuit was decided in Apple’s favor on nine of ten counts. The presiding judge concluded that Apple was not a monopoly. In North Dakota, the proposed law was defeated in a 36-11 vote.
Apple 2022 outlook: More challenges ahead for the App Store
iOS developers have been complaining for quite a while about Apple’s 30% cut of App Store profits. They have no alternative to the App Store if they want to offer their products to iPhone users. In terms of U.S. politics, there is more discussion than ever about the need to rein in Big Tech. And it’s not just talk: the Federal Trade Commission (FTC) is moving ahead with antitrust action against Facebook.
In short, this issue isn’t going to go away for Apple. The company won in North Dakota, but there are 49 other state legislatures for them to worry about. There are also unsympathetic regulatory bodies at the federal level.
Cupertino, for its part, says that it only wants to “ensure that iOS apps meet Apple’s high standards for privacy, security, content, and quality”. They do have a point. If iOS ever opened up to apps from outside of the App Store, we probably would see more malware targeting iPhones. However, as security researchers have pointed out in the past, the current locked-down state of iOS is a double-edged sword. Yes, it’s hard to hack. But it’s also very hard to see what’s happening on your system — and nearly impossible to tell when you have been compromised.
An unacceptable level of Mac malware
One of the most interesting tidbits to come out of the Epic v. Apple lawsuit was a statement made by Craig Federighi, Apple’s Senior VP of Software Engineering. In his testimony, Federighi said:
“Today, we have a level of malware on the Mac that we don’t find acceptable, and that is much worse than iOS.”
It’s a bit surprising that an Apple exec would actually say that out loud. However, given the context of the Epic lawsuit, it’s understandable. Apple was making the case that its “walled garden” approach to iOS is all about user security (and not about money). If developers are allowed to distribute apps outside of the App Store, the argument goes, iOS would basically become macOS. Implication: the iPhone would start to suffer from the same malware issues that affect the Mac.
Their motivations for doing so aside, it’s noteworthy that Apple has finally admitted that there is a serious Mac malware problem.
Apple 2022 outlook: More malware, but a stronger community
Perhaps it’s just a sign of the times that Apple is finally talking about the problem of malware on macOS. The company has been moving in this direction for years now, albeit slowly.
We would expect to see more and better macOS malware variants in the coming years. Macs continue to gain market share both among home users and in the enterprise. This gives macOS malware authors a clear financial incentive to keep on doing what they’re doing.
In terms of Apple’s overall approach to the issue, we’re cautiously optimistic. We’re hopeful that the company will continue to be open about the dangers of macOS malware. And perhaps even more importantly, we expect them to go on welcoming the contributions of the third-party security researchers and developers who want to help keep Mac users safe.