Apple downplays Masque Attack, but don't be fooled: It's a problem
Apple and the federal government apparently disagree on the severity of Masque Attack, a bug revealed earlier this week that allows hackers to replace legitimate iOS software with malware. The team responsible for issuing cybersecurity alerts warned about the bug last night; Apple then sent an email to the San Jose Mercury News saying that it doesn't know of a single person affected by it.
Hackers wouldn't be able to take advantage of Masque Attack if Apple hadn't included, in the latest version of its mobile operating system, a feature allowing large companies to distribute software to their employees without using the App Store. Apple says in its email to the Mercury News that this means Masque Attack isn't a security flaw so much as it's a feature that can be abused.
One might say the same thing about our spacious ribcages: having them allows us to be more flexible, and if we manage to pierce some of our more important bits with sharp objects passing through the gaps, well, that can't really be blamed on who-or-whatever designed our skeletons.
It's true that there isn't much more Apple can do to protect consumers from Masque Attack. Its software already warns them against installing third-party applications, and tells people when they're trying to launch software from an untrusted developer for the first time. Masque Attack is only a problem because some people might be stupid enough to use third-party apps anyway.
But that doesn't mean, as some have argued, that the feature doesn't make people vulnerable to attack. Apple could at least make it easier for people to remove information from their smartphones, like it should have done already, or limit third-party downloads to consumers who enable the feature on their own. Not knowing how to fix a problem isn't an excuse for not at least trying to solve it.
To repeat the ribcage metaphor: there are obvious advantages to the design we have now, and it seems like it's worked out for us in the past. But that doesn't mean someone wouldn't wish their body were a little different when something slides through their ribs. The same idea applies to users whose personal data was stolen because they mistakenly used masquerading malware.
It doesn't matter that no one has been affected by Masque Attack yet. There's a first time for everything, and it's better to make consumers aware of the risks than to give something like this a pass because Apple thinks it's a feature, not a bug. Let's at least try to build a better ribcage.