
Craig Federighi blasts Mac security to prop up iOS App Store


Craig Federighi, Apple's head of software engineering, said that the Mac is not currently meeting the bar for customer security set by iOS and that the platform has an unacceptable level of malware.

Federighi took the stand on Wednesday in the ongoing Epic Games v. Apple trial, and offered details about the security of Apple products and some of the differences between the Mac and the iPhone.

For example, when asked by Judge Yvonne Gonzalez Rogers about why macOS can support multiple app stores — something Epic wants on iOS — Federighi used it as an opportunity to tout the security of the iOS platform by contrasting it with the Mac.

Multiple app stores are "regularly exploited on the Mac," Federighi said. He added that there's a "level of malware on the Mac that we don't find acceptable."

"iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today," he said.

The Apple engineering chief also used Android as an example of the dangers of third-party app stores. He pointed out that "it's well understood in the security community that Android has a malware problem." By comparison, "iOS has succeeded so far in staying ahead" of the problem.

Federighi said that there are 130 types of Mac malware that have affected at least 300,000 systems since last May. However, Federighi took the opportunity to defend the Mac as a different product with different users in mind.

"The Mac is a car. You can take it off road if you want and you can drive wherever you want. That's what you wanted to buy. There's a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It's really a different product," he said.

Compared to other personal computers, Federighi said, the Mac is still "the safest possible" if operated correctly. "I've had a couple of family members who have gotten malware on their Macs, but ultimately, I believe a Mac can be operated safely," he said.

At other points during his testimony, Federighi explained and defended the thinking behind iOS's walled garden approach.

If iOS were opened up, for example, "it would become commonplace for users to be directed to download misrepresented software from untrusted sources where they'd be subject to malware."

Federighi also contrasted the iPhone with the Mac by saying that the smartphone is much more personal, typically contains sensitive data, and has features like a camera and a microphone. All of these factors make iPhones "very attractive targets."

Similarly, the Apple executive said that Mac users are "typically much more wary of downloading software." By comparison, iOS users are accustomed "to getting apps all the time." Attackers, then, could find a much easier audience to exploit.

Federighi was also asked about the enterprise certificate program, which lets companies distribute apps on iOS outside of App Store review purview if they sign up for the initiative. Federighi said that the endeavor relies on a "specific trust relationship" between a company and its employees.

However, he said that Apple has seen "all manners of attack" through the enterprise program, and even called it "an area of significant abuse." The Apple executive added that the company has seen a "pattern" of bad actors signing up with fake companies and setting up app stores that are "absolutely full" of malware.

Epic's lawyer fired back during cross-examination, noting that Apple markets the Mac as being suitable for use by children and does not position iOS as a safer, more secure alternative to the Mac.

At another point, Epic's lawyers attempted to argue that features like App Notarization and the Mac Gatekeeper could be ported to iOS as a way of allowing outside app stores. Federighi disagreed, and said that the solution would not be practical.



93 Comments

Beats 3073 comments · 4 Years

I’m disappointed Apple didn’t roll out an App Store like iOS.

People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.

genovelle 1481 comments · 16 Years

AppleInsider said:
[edit: removed entire article from this comment]

My son has an iPad that I trust him using independently as a 7 year old. When he was on virtual on a Chromebook from his school, the kids were easily finding a way around the security and accessing outside sites. Not an issue I have at all on his iPad.

tht 5654 comments · 23 Years

Yes, if I were him, I’d still be pissed that iOS developers decided to download Trojanified Xcode packages from non-Apple servers, which resulted in iOS apps with malware making it into the App Store.

It’s like people are forgetting news of ransomware, malware, cryptoware, adware, extortion ware, so on and so forth that regularly hit every entity from large institutions to John Doe’s laptop.

macOS is still very much at risk from a user turning off Gatekeeper and installing an app from who knows where. 

sflocal 6138 comments · 16 Years

Beats said:
I’m disappointed Apple didn’t roll out an App Store like iOS.

People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.

I believe if macOS had an App Store similar to iOS and only software from that App Store could be installed, it would have meant the death of macOS for sure.

I hate Android, I love iOS. macOS has to balance that line between user safety and flexibility. There are tons of apps that aren't on the Mac App Store, and it will always be that way. I, the user, accept responsibility for downloading/installing software that could infect it. When I need to install software, I look first at the Mac App Store, but most of the time it's from the developer's website.

iOS is completely a different animal. It's a toaster. Treat it as such.

thedba 790 comments · 12 Years

Beats said:
I’m disappointed Apple didn’t roll out an App Store like iOS.

People called me different names for suggesting the new M1 Mac software should be treated like iPhones App Store and said “PCs have always allowed software via web” as if moving forward was a bad idea.

Actually they did, with the Mac App Store. Not very successful, as many apps outside of Apple’s own weren’t there for various reasons, the main one being Apple’s 30% cut.