The iPhone bug: Is Apple getting too rich and too lazy?

The security flaw in Apple products discovered late last week, and so far only partially patched, has shocked software experts the world over -- not because it’s so serious, but because it’s so simple.

The flaw could allow attackers access to most up-to-date Apple devices, including iPhones, iPads, and iMacs and MacBooks, that were being used on open, unsecured Wi-Fi networks, such as those you might sign on to at airports, coffee shops or public libraries. If you’re on a password-protected home Wi-Fi network or a virtual private network (VPN) you’re probably safe. Experts also say you’re probably safe if you surf the Web with the Chrome or Firefox browser instead of Apple’s Safari. That’s because they use a different system of validating outside websites.

Apple issued a patch this weekend for iPhones and iPads; the universal recommendation is that owners of those devices download and install the patch, like, right now. But the company hasn’t yet issued a patch for its OS X operating system, which runs iMacs and MacBooks. That’s supposed to be available shortly.

What programmers find mind-boggling is that the flaw is the result of a single stray line of software code and appears to be the product of nothing more than sloppy cut-and-paste editing. The extra line is visible in the illustration above: It’s the duplicated “goto fail;” line. As the program operates, the duplicated line stops the validation process needed to block access from an unrecognized or unauthorized website to your device. Adam Langley at ImperialViolet has a lucid explanation of the flaw, even for lay readers, here.
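The control-flow mistake described above can be shown in a simplified form. This is an added illustration, not Apple's code: the function names and the stubbed check steps are hypothetical, and the flawed version is shown beside a corrected one.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the steps of a signature check (constructed for
   this example). Each returns 0 on success and nonzero on error. */
static int hash_step(void) { return 0; }
static int check_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Flawed pattern: the second "goto fail;" is not governed by the if above it,
   so it always runs and the signature check below is skipped. */
int verify_flawed(int sig_valid)
{
    int err;
    if ((err = hash_step()) != 0)
        goto fail;
        goto fail;                      /* duplicated line */
    if ((err = check_signature(sig_valid)) != 0)  /* never reached */
        goto fail;
fail:
    return err;                         /* still 0 from hash_step() */
}

/* Corrected pattern: duplicate removed, braces make each branch explicit. */
int verify_fixed(int sig_valid)
{
    int err;
    if ((err = hash_step()) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* 0 means "accepted"; sig_valid = 0 models a bad signature. */
    printf("flawed, bad signature: %d\n", verify_flawed(0));
    printf("fixed,  bad signature: %d\n", verify_fixed(0));
    printf("fixed,  good signature: %d\n", verify_fixed(1));
    return 0;
}
```

Compiler diagnostics such as clang's `-Wunreachable-code` or GCC's `-Wmisleading-indentation` flag the flawed function, as does a test that feeds the check a bad signature and expects a rejection.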

Programmer discussion groups were burning up all weekend with amazed commentary about how such a simple and obvious flaw made it through Apple’s software testing procedure without being caught as a matter of routine. One common conclusion was that Apple doesn’t have a software testing procedure, or at least an adequate one -- its impulse is just to get the software out to the market as fast as it can.

This plays into growing complaints about what programmer and blogger Lloyd Chambers terms “Apple core rot.” His viewpoint is that Apple has become so preoccupied with selling devices for fun and games that it has started to neglect basic standards of software quality and stability. Because of the company’s habit of releasing new devices and operating systems on an accelerating schedule to bring trivial but well-hyped improvements to market, he suggests, the company’s software engineers are overworked and becoming careless.


“OS X is degrading into a base for an entertainment platform,” Chambers says. “As it stands, the trend is entirely downhill for serious work.” But that’s where the money is: in entertainment, not “serious work.”

It’s true that every new operating system release elicits extensive complaints about new bugs, though it’s hard to say that there are more bugs, or merely more people using Macs in recent years and therefore more extensive reporting. But certainly some recent bugs have been serious. An OS X upgrade not long ago completely destroyed the functionality of the Mac’s invaluable Time Machine backup program; Apple seemed completely at sea for weeks about how to fix it.

The latest security flaw will rank as a major milepost in bad Apple software engineering. One explanation, that the flaw was deliberately inserted in the software to give the NSA secret access to Apple devices, seems to be rapidly losing popularity. Programmer John Gruber at Daring Fireball thinks it’s just a tad too paranoid for comfort, and cites the familiar old adage, “Never ascribe to malice that which is adequately explained by incompetence.”

But an incompetent Apple? It wasn’t long ago that the very idea was held only by paranoids.