Apple’s Penchant for Consumer Security

Ben Bajarin / April 18th, 2016

At a security “deep dive” at Apple on Friday, executives went into depth on Apple security philosophy and technological approach to the matter. I’ve sat through many technology company’s technical briefings but never one from Apple which went deeper on custom silicon solutions than I had seen before. I’ll weave some technical tidbits I learned into this article but there was a theme which came up that struck me. More than a handful of times, presenters used the phrase “balancing security with ease of use”.

This seemed to be a key phrase and philosophy that is driving Apple’s thinking. The more I thought about it, the more it made sense in light of so many other security issues that exist in corporate, government, and other high-security environments where computers are used. You can build Fort Knox-level security into a personal computer but it would come at the expense of user experience — and oftentimes does. Apple is attempting something that seems unprecedented at an industry level. To bring industry leading security but do so by actually enhancing the user experience. Prior to Touch ID for example, many organizations required eight, and sometimes longer, PIN numbers. Imagine entering that many numbers every time you pick up your smartphone. To emphasize this point, Apple shared a great statistic: their average users unlocks their phones 80 times a day. Other reports state people look at their phones upwards of 130 times a day but those are less of the average and more the heavier users. Regardless, the simple act of logging into our phone via a secure form of login like passcodes or fingerprints is now taken for granted in much of Apple’s ecosystem when, just a few years ago, anyone could have stolen my phone and have access to my personal information. Here again, Apple shared that 89% of their users with a Touch ID-capable device have set it up and use it. In our own consumer study of iPhone owners, we learned 85% of respondents said they use either Touch ID or a pin to log in to their iOS device. Again, this seems unprecedented given where we were in consumer security just a few years ago. Touch ID is a clear example of enhanced security and enhanced user experience. It is difficult to objectively argue that logging in to our devices with Touch ID is not only faster, more natural, and more efficient than the old swipe to log in but it is also inherently more secure.

After sitting through the technical explanations of how Apple has specifically designed the interplay of custom silicon like the A-series processors, iOS, and the Secure Enclave coprocessor, I came to the realization that, while I knew the iPhone was a secure device, I really had no idea just how secure it actually is. It can’t be overstated how essential Apple’s custom designed silicon is to the security of iOS products. For example, in a Mac, running software designed by Apple but using a main CPU and GPU made by Intel/AMD/Nvidia, they have put security measures in place including encrypting the entire storage disk. However, with the custom A-series processors, custom designed secure enclave co-processor, and custom designed iOS, Apple is able to encrypt every single file on your iOS device, not just the entire disk.

Secure Enclave: A Security Designed Coprocessor

I came away from this discussion with a much greater appreciation of the Secure Enclave. Some details on this product are outlined in Apple’s Security White Paper, but we were given a bit more depth at this briefing. Yet I still desire a great deal more technical details should we be able to acquire them at some point. From the white paper, here is some detail on the Secure Enclave:

The Secure Enclave is a coprocessor fabricated in the Apple A7 or later A-series processor. It utilizes its own secure boot and personalized software update separate from the application processor. It provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised.

The Secure Enclave uses encrypted memory and includes a hardware random number generator. Its microkernel is based on the L4 family, with modifications by Apple. Communication between the Secure Enclave and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers.

Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.

There is a great deal of security “magic” that happens in the Secure Enclave but this co-processors sits at the heart of Apple’s encryption techniques. Everything from booting up securely to individual file level encryption runs through the secure enclave. This means someone can’t hack into just part of my phone and get some of the data. It is all protected and encrypted. A hacker needs my passcode or she gets nothing. There is no middle ground. Apple’s security designed ecosystem runs through a series of trusted chains with the secure enclave at the center. It is a deep system of trust built from the silicon up.

The Security Battle

What I find most interesting about Apple’s story around security is how it goes much deeper than a feature. While security, in this case, could be perceived as a feature, my read on what Apple is doing is going a step beyond simply making security a feature and making it a priority. It is a deep guiding philosophy to which Apple appears to be unwaveringly dedicated. In an age where billions of consumers are now using computers more often than they ever did at any point in history, it is clear we are in a new era of consumer computing being led by smartphones. Looking back historically at the efforts of hackers in the PC era, one can only imagine it would be magnitudes worse in this era with more people online than ever. Some may argue Apple is emphasizing and picking this battle when consumers really don’t care much about security and privacy. The big debate about how much consumers care about security is certainly a valid one. What I appreciate about Apple’s efforts is they are making it so consumers don’t have to care. Apple is simply doing it anyway and going out of their way to ensure consumers have the best security possible at the moment and making secure environments the default while also enhancing the user experience. Which is not only the way it should be, but it is the right thing to do.

Ben Bajarin

Ben Bajarin is a Principal Analyst and the head of primary research at Creative Strategies, Inc - An industry analysis, market intelligence and research firm located in Silicon Valley. His primary focus is consumer technology and market trend research and he is responsible for studying over 30 countries. Full Bio
  • obarthelemy

    Just a bit of context: Apple’s Secure Enclave is simply a rebrand of ARM’s TrustZone features, available on almost all recent ARM SoCs. https://blog.fortinet.com/post/iphone5s-inside-the-secure-enclave
    Branding that as an Apple feature is mostly a nod to their superior PR.

    • benbajarin

      except that they designed it… Not a generic core here. As you know architecture licensees can take liberties with the core since all they use is the instruction set from ARM.

      • klahanas

        How different is it conceptually from TPM approaches used in laptops and desktops for a while now? I’m quite aware that fingerprint sensors have evolved, as has the software, but the schematic components?

        • benbajarin

          I really wish they would have dug into more into the design of the secure enclave but they went as far as to explain the chain of trust which encrypts and decrypts keys in the secure enclave via its own OS as information is requested from iOS. Individual file keys are created in the secure enclave, recreated when they are cast out like when you turn your device office, keys are never seen by iOS and only exist as an encrypted key inside the SE. TO my point that PCs do hardware/disk level encryption it is this process in the SE that gets it to individual file level, that is one of the biggest differences between PCs and iOS. But the fingerprint stuff is interesting because the photos of your fingers are discarded after the SE creates a mathematical model, which is random and also encrypted, then it gets rid of the photos and only uses the mathematical model to determine if its your print or not at log in.

    • informed

      Predictable response with usual superficial understanding on display.

      • obarthelemy

        Indeed. as opposed to your response ?

        • Joe90

          He shows that he understands you very well, something you’ve never demonstrated about Apple.

          • obarthelemy

            Indeed, sorry, Apple is very bad at PR and rebranding, which they never do.
            Oh, wait…

          • informed

            Yup. And patents are always awarded to companies that rebrand things. Oh, wait…

            https://www.google.com/patents/US8775757

          • obarthelemy

            I’m struggling to get what point you’d possibly be trying to make .. That the US patent system carefully reviews patents before granting them, so patents are the proof of magnificent invention ?

            http://motherboard.vice.com/read/the-11-stupidest-patents-of-2015

            Oh, wait. If the US patent Office is your yardstick for innovation, I can understand why you’re so in love with Apple ;-))))

          • informed

            I’m not making a point. I’m dismantling your “rebranding” crap.

            And your penchant for googling anything that might make Apple look bad, even if the source is wrong and everything in the article turns out to be wrong. Like the link you provided above.

            Go back to writing your Android fan fiction. At least that was funny.

          • obarthelemy

            Indeed, you’re not making a point.

            Have looked at h=what TrustZone is, or don’t they have enough PR for you ?

          • informed

            Clearly you haven’t looked into it enough to understand that it is only a framework. By itself, TrustZone accomplishes next to nothing.

          • obarthelemy

            Indeed. As opposed to, say, a processor, which does so much by itself ?
            Oh, wait… You know how computers, riiiight ?

          • informed

            Is there anything you DO understand?

          • obarthelemy

            At least I understand that being granted a patent doesn’t mean much. Which is more than you do ?

          • informed

            Not all patents are frivolous. If you could understand how this patent relates to your lazy and worn-out “rebranding” and “PR” trope, you might even be interesting.

          • obarthelemy

            Can you tell how that one isn’t ? You linked it, you must have a reason ?

          • informed

            Yes.

          • obarthelemy

            About as convincing as I expected. Thank you for your contribution.

          • informed

            From experience I have learned that it is nigh impossible to make you understand anything.

            But for the record (fully realizing this will fly over your head) I will state:

            The Secure Enclave goes beyond the TrustZone framework because it:

            – specifically implements a hardware a non-bypassable/non-reprogrammable interface for Touch ID;
            – specifically implements a hardware random number generator which changes an ephemeral encryption key for device RAM at each boot;
            – specifically implements a hardware anti-replay check on the ephemeral key;
            -specifically implements a hardware a non-bypassable/non-reprogrammable counter for log-in attempts;
            -specifically implements a hardware a non-bypassable/non-reprogrammable check for the Secure Boot chain (System Software authentication)

            The Secure Enclave is a secondary coprocessor unique to Apple which implements and expand greatly on the features of TrustZone. While TrustZone may (or may not) be at its core, Secure Enclave is a hardware design that ONLY exists on Apple’s A-Series processors.

            Now go think about that for a couple years and formulate an interesting reply.

          • obarthelemy

            You do realize that these applications are straight oof ARM’s TrustZone white papers (http://www.arm.com/products/processors/technologies/trustzone/ and http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf ):

            “Example use cases:
            Firmware protection
            Security management
            Root of trust implementation
            Peripheral and I/O protection
            Code isolation between multiple suppliers
            Sandboxing for devices with certified software
            Consolidation of multiple helper processors into one”

            Apple’s is a nice implementation of others’ concepts, HW baseline and code (even the OS they use in the secure zone is 3rd-party). But it’s really nothing original, if well done.

          • informed

            So what? You do realize that these white papers may well have been based on Apple’s input into ARM?

          • obarthelemy

            Yes. Apple released the A7 in 2013, then jumped in their time machine to help ARM think up TrustZone in 2009, making sure it corresponded precisely to their implementation ;-p

            And I’m sure they happily contributed to an industry-wide solution too, just like they do with all their hardware such as their proprietary plug, their proprietary air play…

          • informed

            Do you have any comprehension of how ARM Holdings functions, how it makes money, or its history? Are you unaware that 3rd parties have contributed to ARM designs throughout its history? That there are ARM partners called “lead licensees?”

            http://semiaccurate.com/2013/08/07/a-long-look-at-how-arm-licenses-chips/

            Do you think that Apple started designing the 64-bit A7 in 2013?

            Why do bother? You are beyond reach. There are things growing in my cat’s litterbox with greater understanding than you.

            I’m done with you, as your “contributions” are infantile.

          • obarthelemy

            How does that give even an inkling of famously jealous-of-their-IP Apple contributing to TrustZone, not even getting an acknowledgement, let alone royalties or a competitive advantage, out of that contribution ? That’s an interesting claim, but with absolutely zero substantiation. You’re running on hot air.

          • informed

            Bullshit. Look up the PowerPC Apple/Motoraola/IBM partnership. Look up Apple’s contributions to Open Source Unix extensions https://www.apple.com/opensource/ . Look up Apple’s newest programming language (Swift).

            You’ve got nothing but empty opinion. Until you write anything less stupid, I shall ignore you.

          • obarthelemy

            You’re funny, as in ridiculous.

            Webkit, let’s look it up: “WebKit’s HTML and JavaScript code was originally a fork of the KHTML and KJS libraries from KDE”. So… Apple had no choice but to keep it open source.

            The rest ? http://www.techeye.net/news/apple-mocked-for-playing-open-source-card

            Do you think there is any chance of ARM losing Apple to Intel ? That’s beyond ridiculous (hint: if anything, it’s the other way around: http://www.cultofmac.com/289773/ex-apple-exec-says-macs-run-arm-processors-2016/ ).

            Please do keep talking, I’m in need of comedy…

          • informed

            Predictable response with usual superficial understanding on display.

            We’ve come full circle.

          • obarthelemy

            Actually, with you moving the topic, we haven’t moved a jot. Dispelled some fluff yes; moved, no chance.

          • benbajarin

            I’ll recommend we end this here. As I said, it’s a custom coprocessor built by Apple, we assume as a part of their architecture license with ARM. ARM creates IP, Apple has licensed the instruction set and designed their own unique process on it as does other ARM architectural licensees like Qualcomm, nvidia, broadcomm, etc..

          • Space Gorilla

            Thanks Ben. It sure gets tiresome when you folks take the time to write an article about something interesting Apple is doing, and we get the usual suspects in the comments blathering on about how Apple is Doing Nothing Special At All (patent pending) and Simply Copying Others ™.

            I agree with your notion that we’re seeing the start of what Apple needs to put together for future products and services.

          • informed

            It’s been some time since I foolishly danced with the suspect above.

            This time, I make no apologies.

            But I am done.

          • jontseng

            Hey informed. Judging from obarthelemy’s response you’re basically got completely pwned in this fight. Best to quit while you’re ahead.

          • informed

            Sure I did. He really showed me.

            You and he should get together sometime and see if you can out think each other.

          • benbajarin

            I responded to obart below, and similarly recommend we end this and move on.

          • pk_de_cville

            Informed,

            O is nigh beyond exasperating and I bet almost all here appreciate your intent and knowledge.

            But may I suggest something?

            Just realize you’re arguing with a stone. Stop trying to win the stone over.

            Forget the stone. And please continue with your evidence and thoughts, just direct your writing to us. We appreciate it.

          • stevenjklein

            Good Point. After all, it’s not as if Apple co-founded ARM… Oh, wait!

          • obarthelemy

            2 things:

            1- Actually, Apple co-founded the later ARM Holdings, not the early ARM Ltd which launched the first products and IP. They joined in early in the expansion phase, but after the early product+IP were created.

            2- As far as I can tell, Apple hasn’t had any ARM shares for a while. Are you saying that any company that ever had shares in another can take credit for anything that second company does, forever ? That would be funny, since MS once threw a $150 million lifeline to Apple. So MS can take credit for all of Apple’s IP ? right ?

            Thank you for your contribution.

          • informed

            Who needs shares when you are the customer they cater to?

          • stevenjklein

            BTW, which is the proprietary plug?

            Is it the USB plugs that are on all Macs?

            Is it the miniDisplay Port plug they invented, and which was adopted by Asus, Microsoft, Lenovo, Toshiba, HP, Dell. (Apple licenses it for free)?

            Perhaps it’s the Intel-standard Thunderbolt ports found on almost every Mac model?

            Oh, I know, you’re referring to the HDMI port on many Macs! No? Maybe the audio port? No?

            One proprietary port that come to mind are the old 30-pin dock port, which included lines for power, USB, Firewire, and analog audio and video. Of course, there wasn’t (and still isn’t) any industry standard port that carries all those signal lines.

            The other proprietary port is the Lightning port, which provides for a thinner profile, and reversibility, neither of which were (then) available in an industry-standard connector.

          • obarthelemy

            See ? you knew it all along.

          • klahanas

            Dude! You told them about the Time Machine!!! :-O

    • jontseng

      As obarthelemy said I think Secure Enclave is basically an implementation of TrustZone. Claiming its special to Apple they are responsible for the hardware implementation is somewhat missing the point – the value is in the IP. There’s nothing to stop anyone else licensing the same IP and doing the same thing. Samsung Knox would probably incorporate similar features, although slightly hampered by their inability to even tie up their shoelaces properly.

      I have a feeling in the back of my head there may also be so NXP IP in here – they have a bunch of pretty weapons-grade crypography and are also involved in the Apple Pay stuff. Can’t remember precisely if they did anything with Secure Enclave but they may have done.

      I think Tim Bajarin certainly has fallen into the PR trap by hyping this up. He claims downthread its special because Apple has an architecture license (allegedly – talk to ARM and they never confirm or deny identity of licensses :-p) and so can implement the instruction set with their own processor architecture. A couple of flaws with this argument:

      1) Having an architecture license isn’t anything particularly special – just as messrs Kryo, Denver and Mongoose.
      2) I’m not sure the architecture licence vs. off the shelf design argument holds true for additional functions like Trustzone. Architecture licence is basically the right to implement something that work with the ARM instruction set. I don’t think Trustzone is abstracted at that high a level its more likely an entire drop-in architecture.

      Just my 2c worth. You could of course claim I simply have superficial understanding, but a more substantive response would be welcome.

      • informed

        Wow.

        • jontseng

          Nothing else to add?

      • jontseng

        Edit Ben not Tim. I’m clearly showing my age…

        • benbajarin

          Thanks for catching 😉

      • jfutral

        Do you have something evidentiary? Arguing about arguing doesn’t really mean anything. Ben has a better track record of being fact and data driven than you, or even obarthelemy, give him credit for. And he is a pretty smart guy and understands architecture. I’m not saying that automatically makes him correct. But you and obarthelemy have to do better than simply raising possibilities, especially since Ben pretty well directly answered the “yeah, but”s.

        Maybe you were there at the briefing, know what was said (not just what was likely said) that would be helpful, too. So far you are basically accusing Ben of what you think anyone accusing you of would have a less than substantive response.

        Joe

        • jontseng

          TBH obarthelemy put most of the evidence out there – please go back and re-read it. As he linked to Fortinet (a $5bn security firm) already fingered it as a Trustzone implementation. Of course they could be mistaken but believe me they know their stuff. Then when challenged on a bunch of proprietary secure enclave capabilities he cited ARM’s white papers (which surprise surprise) cover these off. These are pretty credible sources in my book – maybe you don’t consider them “evidentiary”?

          Look, I don’t particularly have a dog in this fight but reading what obarthemelemy has put up it jibes pretty well with my knowledge of the space.

          The point to make on Ben’s coverage is not that he was wrong in writing up the briefing (which I wasn’t at), but that he swallowed the line that this was proprietary to Apple hook,line and sinker. Although he may have been in the tech analysis space for a long period of time he seemed unware of technologies such as Trustzone which were pretty apparent to both obarthemely and myself. And if he wasn’t aware of these it is natural to question what is being fed to you by any corporate source, let alone Apple. A quick bit of searching would have dug this up.

          Sure Apple have done a lot of work implementing the architecture – just as Swift, Cyclone etc does a great job implementing ARM V8. But to write a whole post of this without mentioning the background IP says to me other he’s unaware of the background technologies at work, or was aware of them but didn’t think they were important.

          • jfutral

            Obarthelemy’s post only talks about TrustZone and only speculation on Apple’s system and only an attempt at obfuscation by accusing Ben of “buying hook,line [sic] and sinker”. No evidence to counter Ben’s coverage. You’ve done no better. What OB says about Trustzone may well be true, but it doesn’t directly counter either Apple or Ben’s coverage of Apple. Neither do your own presuppositions.

            Joe

          • jontseng

            So just to clarify the Fortinet post here stated “the Secure Enclave is no more no less than ARM’s TrustZone technology.”
            https://blog.fortinet.com/post/iphone5s-inside-the-secure-enclave

            Author’s credentials in Linkedin are below. TL;DR “I also act as Fortinet’s resident ‘expert’ on crypto.”
            https://www.linkedin.com/in/axelle-apvrille-7b99154?authType=NAME_SEARCH&authToken=LfHv&locale=en_US&trk=tyah&trkInfo=clickedVertical%3Amynetwork%2CclickedEntityId%3A14213949%2CauthType%3ANAME_SEARCH%2Cidx%3A1-1-1%2CtarId%3A1461076764442%2Ctas%3AAxelle%20Apvrille%20%20

            You may class that as speculation, but if so its pretty credentialised speculation.

            The point is I was surprised that there was zero mentioned of this in the write-up. Yes as OB and myself have made clear Secure Enclave is an implementation of the technology which I’m sure has its own hooks into the Apple platform, but there’s a bunch of stuff here which is unlikely to be unique or proprietary to Apple.

          • jfutral

            Since nothing in technology changes in 2 1/2 years, I suppose you are right.

            Joe

          • benbajarin

            The point your are making is really moot. It’s like asking me to give credit to ARM since Apple uses it.. As I’ve said many times in my writings on the A-series processors, I’m focusing more on what Apple goes above and beyond in custom tuning of their ARM implementation to which the SEP is a part of. I am certain it is more than trust zone and Apple went above and beyond but myself and no one at that firm you mentioned knows how much. I’d say I got more insight given I was there asking questions and they were not, but I’m certain Apple has added custom sauce.. This is where I was focusing my attention.

            The entire narrative of they just use ARM stuff is tired and entirely incorrect and not held by anyone worth their salt in understanding the semiconductor landsape.

          • informed

            “…but there’s a bunch of stuff here which is unlikely to be unique or proprietary to Apple.”

            Please provide a specific example of a shipping product that has implemented anything on the level of Apple’s Secure Enclave. Be specific.

            Otherwise, you’re just trolling.

          • jfutral

            I would appreciate if he could even address something Apple specifically shipped than what he thinks they “likely” shipped.

            Joe

          • jontseng

            SecureMSM is Qualcomm’s flavour. As regards shipping products it’s been build into Snapdragon for a long time. Samsung’s version is Knox see some of the commentary at this link https://www.samsungknox.com/en/products/knox-workspace/technical “Samsung KNOX Workspace introduces the ARM TrustZone-based Integrity Measurement Architecture (TIMA). TIMA uses the ARM TrustZone a tamper-resistant sector of an ARM processor.” This one less so (viz earlier comments about Samsungs poor execution).

            The point is the underlying idea of implementing a seperate hardened part of the processor to handle crypto functions. In fact that’s how Chip & Pin credit cards and mobile phone SIM’s work – they have a seperate hardened SoC running their own OS called a “Secure Element” (outfits like Gemalto have been doing this for years). The physical security behind these chips is actually quite interesting ranging from secure production lines in the fab (for obvious reasons) to obfuscating the physical layout of the chips so you can’t just read the signals off externally. But that’s a story for another day.

            However as I alluded to above the difference is Samsung LSI (the arm which makes Exynos chips) or Qualcomm are component suppliers and don’t have PRs to run puff pieces for them. Also because of the fragmentation within the android ecosystem these features aren’t properly utilised. You also want to throw in the fact that for at least some of these functions Google is looking at virtualised solutions such as HCE on the payments side.

            But the underlying point is that tamper-proof secure processors really aren’t new or special. What Apple does do very well however is the implementation and the full integration into the OS/software stack – that I do not dispute one bit.

          • informed

            And your examples fail to meet the request.

            I asked for something on the level of Apple’s Secure Enclave. Knox is not that product.

            The difference is significant. On an Apple A7 device or newer, the entire customer-facing OS is an encrypted secure space, and the Secure Enclave’s hardware makes it possible.

            Under Knox, a separate, encrypted virtualized space is created. In theory, data can be kept separate in this virtualized space. But in practice, this turns out to be less than true. Security researchers were quickly able to leak data into and out of this virtualized space.

            This is not on the level of Apple’s accomplishment.

          • jfutral

            “And your examples fail to meet the request.”

            Which would be less likely if he actually showed an understanding of what Apple has actually done. He has not. Only what Apple “likely” (or not) has done.

            Joe

          • obarthelemy

            Wasn’t the A7-equipped “FBI iPhone” hacked ?

          • informed

            No.

          • jfutral

            The 5c had the older A6. I have no idea where that puts it in ARM timelines.

            Joe

          • obarthelemy

            Post-TrustZone, pre-Secure Enclave ^^

            So indeed, not a hack of Secure Enclave, my bad.

          • Troll Be Gone

            Name a product that utilized TrustZone prior to September 2013.

            You are such an ignoramus.

          • informed

            In obarts’ world, Apple is a fast follower.

            “Ignoramus” is too kind.

          • obarthelemy

            You *can* make the difference between IP and implementation, can you ?

          • Troll Be Gone

            “credentialised speculation.” Boy Howdy!

            That’s the best kind.

          • Mark Jones

            The Fortinet post also clearly says:

            “How it possibly works

            Apple has not released its design specifications, so we’ll try and guess how it works.”

            Keywords: “possibly”, “guess”

            I don’t have to class that as speculation. It did so itself, though I’d say it was a well-educated, and not a wild, guess.

          • Troll Be Gone

            You are soooo right! All ya gotta do is license the IP! With instruction set in hand, the processor practically designs itself!

            There’s nothing ‘special’ about it! All the cool kids are doing it.

          • pk_de_cville

            “Although he may have been in the tech analysis space for a long period of time he seemed unware of technologies such as Trustzone…”

            TrustZone ™ is known by everyone mildly literate on security. It is a huge ARM feature. And yet you believe that Ben doesn’t know about it?

            Give us a break. This is tiresome.

      • benbajarin

        Glad you caught later on it was Ben not Tim that wrote this ;). And first point is ARM is quite public that Apple is an architectural licensee and it is widely known and accepted the extensive degree in which Apple creates custom architectures on top of the ARM ISO. None of that is in question.

        I agree we don’t know the depth that Apple used trust zone, if at all they did. And believe me I tried to pry as much information as one could on the SEP (secure enclave processor as they call in internally) due to my semiconductor industry background I love the technical stuff. 😉 I did get that it does run its own custom OS made by Apple to handle the generation of encryption keys and encrypt/decrypt capabilities. So we do know they went beyond standard ARM IP we just don’t know how far.

        And to your last points, not recognizing the quality of Apple’s designs, by stating architectural licenses don’t do anything special is strongly misinformed. Because of my background in semiconductors (My first job was at cypress semi) I’m very close to the cream of the crop in the semi-community. There is deep appreciation for Apple’s quality of SoC design including the high degree of customization by everyone worth their salt in this industry. Only folks with design backgrounds can really appreciate how rare it is to be able to do this in the first place. I strongly, STRONGLY, advise to not take lightly what the few good companies with chip design (Nvidia, Intel, AMD, Apple, Qualcomm, etc.,) do in this area.

    • FalKirk

      “Apple’s Secure Enclave is simply a rebrand of ARM’s TrustZone”

      People who don’t give credit where credit is due disgust me. I’m sure that if Apple builds the world’s greatest car some pedant will come along and claim that it’s nothing new because it (literally) rests upon the wheel which was developed millennia ago.

      Just shut up. What you don’t seem to realize is that even very tiny differences can sometimes create huge improvements.

      Did you know that the Gutenberg printing press was simply a recombination of inventions that had existed for hundreds of years? What a bunch of derivative blowhards are those pikers Apple and Gutenberg.

      • obarthelemy

        Are you seeing anyone here giving credit to TrustZone, which is at least a precursor and an inspiration for Apple’s version of it ?
        I’m with you on the disgust for not giving credit, but I see it the other way round. As for shutting up…

        • benbajarin

          Only someone with deep knowledge of SoC design can appreciate the differences. But benchmark wise, look at what Apple, and Qualcomm, can do in hard benchmarks with less cores that it takes others to do with more “standard” ARM cores and you can get close to seeing the differences 😉

          But I don’t see you getting angry I’m not giving credit to ARM. What I”m focusing on is the going above and beyond and I can do the same for Qualcomm and I would not see the same level of ornary-ness.. 😉

          • obarthelemy

            indeed, but for that you would have to write about Qualcomm ;-p

            Or Android. Google’s report is far from perfect: “PHA” is better than Apple’s “no info at all, but look, shiny !”, but Real instead of Potential would be more relevant.

          • benbajarin

            The experts have spoken in both cases. Crypto experts have weighed in and informed what is good and what needs work. We will consider the matter settled and credit has been given where it is due by those in the know of the technical matters at hand. So case closed. 😉

        • FalKirk

          NOTE: I apologize for repeating my post, but I wanted to make sure Obarthelemy saw it:

          Did you know that Bill gates purchased MS Dos for $50,000? Who cares? He turned it into almost a trillion dollar business.

          Did you know Apple purchased what became iTunes? Who cares? They combined it with the iPod and disrupted the music industry.

          Innovation can be subtle changes that have a huge impact. Don’t disparage people for being wise enough to make good purchases or clever enough make a minor tweak that creates a big impact.

          Give credit where credit is due.

          • informed

            The usual suspect seems blissfully unaware that Google purchased a company called Android Inc. That company was formerly known as ‘Danger.’ Danger was founded by an ex-Apple employee, and was first acquired (and badly managed) by Microsoft.

            So using the same level of scholarship employed by the usual suspect, it is clear that Apple invented Android. With the help of Microsoft.

          • obarthelemy

            ??? “Danger Inc” never owned Android Inc. They’re 2 completely separate companies that simply share a founder, Andy Rubin, who left Danger before the sale to MS to found Android.

            MS never owned Android Inc. As for why you’re throwing Apple into the mix…

          • informed

            It is obvious that much of your perpetual confusion stems from your lack of reading comprehension.

            I realize that English is not your first language, but your inability to discern sarcasm is troubling.

          • obarthelemy

            Business acumen is indeed different from technical nous, and as respectable. I’m not disparaging anyone, you’re the one who repeatedly started insulting me, not the other way around, and I’m not insulting Apple. Physician, heal thyself.

            My saying “Just a bit of context: Apple’s Secure Enclave is simply a rebrand of ARM’s TrustZone features, available on almost all recent ARM SoCs. https://blog.fortinet.com/post
            Branding that as an Apple feature is mostly a nod to their superior PR.” kicked up a storm of … fluff, not one line about how Apple’s stuff is different from ARM’s basic stuff. What tweak ? What impact ?

            Give credit for what exactly ? I’m freely giving credit for excellent branding and PR ? Should I be giving credit for something else ? What exactly ?

          • jfutral

            “Apple’s Secure Enclave is simply a rebrand of ARM’s TrustZone features, available on almost all recent ARM SoCs”

            Or so you and a three year old blog post speculate.

            Joe

          • obarthelemy

            And for all the outraged responses over the last few days, nobody has proven, and barely anyone has even argued, otherwise.

            I’m not an expert, I just read the description, matched it to ARM’s, and concluded “but wait, there’s nothing new”. Maybe, possibly, I’m wrong, and I’d be delighted to learn something. For now, I’ve learnt that iPeople including some writers, have a very thin skin and no arguments.

          • jfutral

            I’m no expert either, which is why I stayed out of the posturing. I’m just annoyed by the cynicism. You could have asked Ben questions, since he was _there_ and asked questions. I think Ben has earned a bit more respect than that. Instead you call his integrity into question. i don’t think Ben ever avoids being called out if someone thinks he is wrong. Just present a case other than cynicism (and a three year old blog post based on earlier implementations, who also could only speculate on what Apple has actually done).

            But, as Ben has articulated, the point isn’t where SE and TZ are similar or the same, the point is where they are different. And I think Ben has done a good job of presenting that in response to the (belittling) comments.

            I mean, unless you just enjoy the pointless banter (which you could; I used to, too, but hate it when I catch myself now), if others want to be outraged, screw’em.

            Joe

          • obarthelemy

            I’m not calling anyone’s integrity into question, nor meaning to belittle. OTOH, you seem to be trying to stir up trouble.

            Most of the stuff described in the article is bog standard TZ, which is why I thought I could mention that SE is mostly TZ and give credit where most credit is due. Didn’t think it would kick up such a storm.

          • Mark Jones

            “My personal guess would be 80-100% basic TrustZone, 0-20% magic Applesauce, but that’s unsubstantiated.”

            You are still ignoring Ben, since you wrote that hours after Ben responded to you. Isn’t including 100% basically belittling him?

          • obarthelemy

            Can you name one thing Secure Enclave does that Trust Zone doesn’t ?

          • Mark Jones

            If you talk to a forensic scientist who has hacked iPhones, (which I have done), the SEP by itself (and by extension, Trust Zone) cannot completely secure an iPhone. So Apple implemented several additional obstacles. And after some analysis, some scientists believe the obstacles are still not enough, but no one has announced publicly that they have broken in. In other words, it may have been hacked by 3-letter government agencies not named FBI, or by criminals; namely, people who aren’t going to say so publicly. They believe Apple also recognizes the most obvious hole and expect it to be closed in the next or next-next iPhone.

            Whether these additional obstacles are considered to be included as part of the “Secure Enclave” branding or not, I don’t know.

          • obarthelemy

            Agreed, TZ/SE are kind of “security coprocessors”, having them does not mean you’re using them fully and/or well. Presumably Apple does a good job with that, and is rather punctual with updates.

          • KevinD

            1. Have multiple platforms and generations supported by the manufacturer across multiple generations of the OS code.

            2. Actually update most machines is the field.

            Not saying Apple’s platform isn’t based on TrustZone, if it is, they obviously own their implementation and the code.

            My problem with the versions of TrustZone I dealt with wasn’t the quality of the security but the variability between implementations.

          • jfutral

            Cheeky monkey!

            Joe

          • benbajarin

            Consider it confirmed by me that it is not just a rebrand of trust zone. I was briefed by ARM in detail on what trust zone is, includes, and how it works, and what was described to me by Apple has key differences. Most notably the custom OS Apple wrote to run on their custom designed SEP.. So let’s move on.

          • Space Gorilla

            So Ben has just confirmed for you that you are indeed wrong. I assume you are now delighted to have learned something new and will admit you were wrong… wait, I forgot who I was talking to… never mind.

          • obarthelemy

            Well he used the authority argument, and I won’t push further, but he didn’t demonstrate anything, he stated. So no,, I didn’t learn anything.

          • Space Gorilla

            Ben did not use the argument from authority. It isn’t a fallacy if you’re actually an expert on the topic being discussed. But when you admit you didn’t learn anything, that’s quite an understatement. However, anyone reading this comment thread has learned plenty about you, of that we can be certain.

          • obarthelemy

            How do you jump from “authority” to fallacy” ? I didn’t. Lapsus révélateur, maybe.
            I’m sure readers are learning a lot of stuff about a lot of people.

          • Space Gorilla

            The argument from authority (also known as appeal to authority) is a common logical fallacy. It can be a legitimate form of argument, as is the case with Ben’s comments. But since you seem to be complaining that Ben’s argument is not legitimate, you must mean Ben’s argument is fallacious. Now, if you are claiming that fallacy isn’t what you meant (your words) “How do you jump from “authority” to fallacy” ? I didn’t.” then that means you believe Ben’s argument is legitimate and correct (which means you are wrong). So which is it? It has to be one or the other. The argument from authority is either legitimate or fallacious. There’s no other option.

          • obarthelemy

            Indeed, but we’ll never know, it’s stuck at the authority state, with no proof either way.
            My personal guess would be 80-100% basic TrustZone, 0-20% magic Applesauce, but that’s unsubstantiated. A more relevant matter is that TrustZone is a tool for a job: it provides crypto, authentification, secure boot, … services, it’s up to the OS to use them

          • Mark Jones

            “Most notably the custom OS Apple wrote to run on their custom designed SEP.”

            In Apple’s case, it was not just a matter of having iOS use what was provided by the ARM design. Please read again.

          • obarthelemy

            L4 is not really a custom OS, it’s a third-party microkernel also used in several other, non-Apple products. I’m sure Apple added tools around it, but, exactly as for Secure Enclave, wild attribution bias.

          • informed

            And the Black Night battles on in all his troll-rific glory.

          • informed

            “I’m not an expert, I just read the description, matched it to ARM’s, and concluded ‘but wait, there’s nothing new’.”

            The very definition of SUPERFICIAL UNDERSTANDING.

          • obarthelemy

            Indeed. And yet it was way more than yours.

          • informed

            Wrong again. You keep pointing to TrustZone like its some magic bullet that negates Apple’s achievements by its very existence. It doesn’t.

            Unless/until there is another mobile product that fully implements TrustZone’s features into its hardware AND its OS AND its software delivery/update system AND its complete default login methods –like Apple’s alleged implementation DOES– then TrustZone’s mere existence is virtually irrelevant.

            Samsung’s Knox is the first attempt. But it is saddled with Android, which is not TrustZone aware by default. Knox is optional and requires installing software (no potential issues there!) even to begin use. Knox requires a conscious effort to use it. It is not a solution anywhere near as complete, simple, user-friendly, or elegant as Apple’s Secure Element. Period.

            And your argument still naively assumes that Apple merely took the ball and ran. It should be obvious to anyone following along at home that it was Qualcomm and Samsung who tried to take the ball and run. Half-ass implementations with secure virtual worlds and blah, blah, blah. Their implementation’s are a kludge, and thus (as the article states), exactly what Apple has always sought to avoid.

            But hey. As consolation, you can sleep sound tonight basking in the glow of the massive industry-shaking success that Knox has achieved.

          • obarthelemy

            Same as with ARM-64: being the first to implement someone else’s IP doesn’t mean you invented it.

          • informed

            And yet you defend Android as if you were on their payroll.

          • obarthelemy

            You’re firing in random directions. I don’t even have Google shares that I know of (might via funds, I don’t know), while at least Space Gorilla has admitted he does have Apple shares, so his views are a lot more tainted than mine.

          • Mark Jones

            By the rules of logic: his views are not necessarily a lot more tainted than yours.

          • obarthelemy

            Sure. No one’s views are ever influenced bu where their financial interest lies…
            Hey, I got a bridge for sale, rather cheap !

          • Mark Jones

            That’s you stretching again. I didn’t say no one; I said not necessarily since you have no proof, as just owning shares is not proof.

          • informed

            That was a joke. Much like your introduction of the strawman argument that Apple didn’t “invent” the concepts employed.

            Talk about firing in random directions.

          • Space Gorilla

            As Mark Jones points out, that’s yet another logical fallacy from you. Your arguments are full of them, and you don’t seem to understand logic (academically I mean), you clearly didn’t understand my explanation of the argument from authority re: Ben’s comments. Oh well.

          • Mark Jones

            I think we were talking about innovation, not invention. And there are innovations in business models and implementation methods.

          • pk_de_cville

            “Same as with ARM-64: being the first to implement someone else’s IP doesn’t mean you invented it.”

            No, but Apple did shock the industry and it took 18 months for the second implementation to ship.

          • obarthelemy

            Is anyone disputing that ?

          • pk_de_cville

            “Is anyone disputing that ?”

            Sorry. Just reminding others.

            But more accurately, Apple /invented/ the A7 chip which implemented the ARM8 (64 bit) defined instruction architecture.

          • klahanas

            For some levity, take it like this…
            “The first high tide tomorrow will be at 09:09 hours”
            “But is that good for Apple?”

          • klahanas

            Proper credit is to acknowledge the excellent business decision Apple made to buy PA Semiconductor. But they bought the innovation, they no more developed it than Donald Trump would have had he bought them.

          • Mark Jones

            Almost all innovations start with an excellent business decision to pursue that research and development, whether it’s in your own labs or in other people’s labs (which you will buy later but might already be strategizing to buy right now).

            BTW, are you also arguing that Apple still can’t take technical innovation credit for anything PA Semiconductor has done after Apple bought them? If so, how many years after purchase will it be before you allow Apple to take credit? Will you give Apple credit when it releases the Ax chip for its laptops?

          • klahanas

            Almost ALL university scientific innovations do not even have a business plan. When Watson and Crick or Penzias and Wilson or Einstein or any of the scores of scientists that truly changed the world did their magic, profit was not even on their mind. The truth about nature was.

            Now, you have a very good point as to when Apple gets to take credit. Some of it starts now in implementing some of the pieces they bought. That is more implementation than new tech. I would say when the new developments and breakthroughs are done by Apple hires. When would Trump get the credit? It’s the same question.

          • jfutral

            “Almost ALL university scientific innovations do not even have a business plan”

            That’s not exactly true. Their business plan is just not based on consumer demand/consumption, that’s all.

            Joe

          • klahanas

            If you want to equate the “business” of science with Business, I must respectfully disagree. These people exchanged with the currency of truth, not the banalities of money.

            As an aside…
            Penzias and Wilson had jobs at Bell Labs.
            Watson and Crick were Professor and visiting scientist.
            Einstein was just himself. Even when broke financially, and unemployed, he labored on his theories for free.

            Yes, today the pressures of gaining grants have cheapened the role of the professor, but tech transfer departments take care of the business stuff..

          • Mark Jones

            Someone at Bell Labs decided to continue to employ them and invest in their work.

          • klahanas

            Yes, their job was to build a radio antenna for communications, they serendipitously discovered and verified the Big Bang. They were not paid to do so, and to Bell’s credit they allowed them to publish.

          • Mark Jones

            As someone else wrote (I haven’t confirmed), Apple engineers filed a patent for using a fingerprint to unlock a smartphone in 2007. They obviously didn’t have all the pieces they needed to fully implement it in 2007’s iPhone, but Apple made decisions to keep investing in R&D, including the SEP, 64-bit processing, etc, and then decided to buy a key remaining piece (Authentec) in 2012.

            Companies continually are choosing from among do R&D, license IP, acquire companies, or buy components, and more. A finished product will usually include most if not all of them.

          • jfutral

            I wasn’t talking about the “business of science” as much as I was talking about the business of universities. It’s not like universities sue for royalties from scientific discoveries made by their employees… oh wait. There certainly is a business plan when an institution is involved.

            Not that there isn’t a business of science either. Just like the arts, as soon as you decide you want to make a living searching for truth you are deciding you want someone somewhere to pay you for your work. There may be a (long) period of time where no one pays or pays very much. But the goal is at some point someone will pay you.

            Joe

          • klahanas

            Agree with everything you say. US universities currently are “half pregnant” which sometimes is the worst of both worlds.

            The true scientist, like the true artist would do what they do for free. That is their principal remuneration. That they can make a living from it, is a blessing that anyone who can make a living from their hobby enjoys.

            Edit: I must say this, however. The scientist, artist, creator is the innovator if the work is truly innovative, not the accountant. When they get creative, it’s something else. 🙂

          • jfutral

            Not to belabour this point, but to the scientist or artist who has decided to make a living from their work, I guarantee not a one of them would consider what they do their hobby.

            As for who is the true innovator, meh. Every endeavor has it’s own measures of innovation. Someone’s ability to recognize creative innovation and then build an institution that helps foster further innovation from those creators and is itself a sustainable endeavor, is innovative in its own right. A lot of companies (both technological and artistic) try, few succeed. Fewer still succeed for more than a couple of years.

            Joe

          • klahanas

            “I guarantee not a one of them would consider what they do their hobby.”
            Anecdotally, I’m surrounded by them. They assure me that it is, and it’s not meant to be diminishing the value.

          • jfutral

            Well, sure. There may be _something_ they are doing as a hobby (kind of like Apple considered the AppleTV a hobby), or they may be doing something else to make money while they keep doing what they want to do on the side. But then they aren’t making a living doing what they want to do in that case. Sometimes it is a a mind game we play with ourselves since we aren’t making money with what we want to do. Helps not to get to caught up in letting it get you down. Sometimes it is shear resignation.

            I’m surrounded by them, I live with them, I am immersed in them, I am them.

            Joe

          • klahanas

            Great point. Sure, they can’t work on multimillion dollar projects alone. There’s no way I can think of discussing this without getting philosophical. (Science, after all, was born out of philosophy’s head :-)). Pun intended.

            Science is not about making money, never was. Science does not rule out making money, but it’s about understanding the natural world based on utilizing the scientific method. It’s the scientific method that separates science from religion. In common with religion, science is a calling, it chooses you, rather than you thinking you chose it.

          • Mark Jones

            I’m sure Apple researchers (engineers, scientists, etc) working on innovations don’t think much about business plans. Woz didn’t; I don’t think Ive does (nor Mansfield now). Those plans are for managers and senior VPs. But I wasn’t talking about plans, but decisions.

            Intel’s layoffs is just the latest reminder of a decision made years ago, as I’m sure, Intel engineers had the smarts to apply to designing power-efficient mobile chips but CEO/senior leaders chose not to pursue chips outside of their core architecture family or not in accord with their business model.

            Universities (at least those in America) are also businesses, with managers who allocate limited resources. None have infinite resources to engage in and pursue anything and everything. Hard choices are made everyday.

            Finally, Apple, by buying PA Semiconductor, hired all of their employees, so they are Apple hires. Most of Apple’s acquisitions are done more so to hire their employees and not for any IP or capital. Google/Alphabet, by buying Nest, hired their employees. You’re making a very arbitrary distinction.

          • klahanas

            “Finally, Apple, by buying PA Semiconductor, hired all of their employees, so they are Apple hires.”

            Most respectfully, that’s unusually weak for you. Did they recruit them? Did they negotiate their salaries and other terms of employment? They bought them. A great decision, but hires they are not. What if they all quit (an intentionally extreme example)? They would still have the IP they purchased, but not the innovators. They would need to hire new ones, and then they could take credit as a team for their work.

          • Mark Jones

            I don’t see it as weak at all. When Apple bought PA Semiconductor (and many other important companies like Fingerworks and Authentec), key employees, deemed by Apple to be critical, signed contracts to stay for at least a minimum period of time. This is well-known, as some did tell the media that they left Apple after their contracts were completed so they could return to founding startups or whatever.

            PA Semiconductor, Fingerworks, and Authentic was not run as a separate subsidiary; they were totally integrated into Apple. The key Fingerworks staff were still filing Apple patents several years after Fingerworks was acquired.

          • klahanas

            So if Trump bought PA Semiconductor, he’s now an innovator?

          • Mark Jones

            If at least some of his employees, including those from the PA Semiconductor acquisition, continue to innovate, then of course.

          • klahanas

            That’s a very low bar. It’s like outsourcing art and claiming you’re an artist. Sorry, we’re just going to have to disagree on that one.

          • Mark Jones

            Are you asking if Trump the individual is an innovator, or Trump the company is an innovator? Why would you even ask the former?

          • klahanas

            Either, but one is worse than the other. First off, the people doing the actual work in design and R&D are the only real innovators. To some degree the team can be claimed to be innovative going forward, but the current innovation was bought, not developed in-house with capabilities existant in the current corporate culture.

          • Mark Jones

            – Of course the people doing the actual work in design and R&D and other places, are the only real innovators.
            – A company can claim or be said to be innovative if they deliver/deploy useful innovative products, business models, methods, etc. It’s not a necessity that a company have an innovative culture, though, arguably that helps deliver/deploy the other things.

            I don’t care whether a company/person is said to be innovative or not. They may just be lucky – who knows? I’d much rather discuss the innovativeness of a particular product, business model, method/system, etc, such as Secure Enclave, Post-It Notes, or Wheeled Luggage.

          • pk_de_cville

            “So if Trump bought PA Semiconductor, he’s now an innovator?”

            Darn… Didn’t think of that.

        • Mark Jones

          “Apple has a competent implementation of TrustZone’s capabilities, though apparently not w/o issues since the FBI did hack that iPhone.”

          Are you saying iPhone 5c has a Secure Enclave? Or do you know of an instance where the FBI hacked a 5S, 6, 6 Plus, 6S, or 6S Plus?

          • obarthelemy

            You’re right and I’m wrong, the 5C doesn’t have an A7.
            iPhones are getting so fragmented, I got confused ;-p

        • pk_de_cville

          “I’m open to being told what the differences are that make Apple’s stuff better than ARM’s //standard fare//, if any.”

          Touch ID. There is no Android //standard fare// that matches Touch ID. Yes. There are Touch ID comps, but all of the working comps are in the top 10% premium devices and most of them suck with a few that actually work.

          Result: 89% of iOS devices are fully encrypted and protected with passwords while Android password protection/encrypted data is below 20%.

          • obarthelemy

            Define suck ? Most reviews find whatever Android calls TouchID perfectly fine on flagships and even on midrangers ? BTW, TouchID intrinsically sucks since it is easy to bypass technically (duplicate a fingerprint) and legally (no 5th amendment).

            Also, encryption and authentication are 2 different topics. Indeed, encryption has a performance penalty, so low- and mid-rangers feel the strain. It has been available to those who feel it’s important for years though. Few of those, but that’s another discussion.

          • pk_de_cville

            Whoops.

            Carry on Mr O.

      • jfutral

        “Pikers”? 😀

        Joe

        • FalKirk

          Piker: Noun; a gambler who makes only small bets.

          You know I was being facetious, right?

          • jfutral

            Oh, yeah. It was just hilarious. I love your use of language and turn of phrases. “Pikers” pretty much made me spit coffee.

            Joe

      • klahanas

        Okay, but you must admit that in buying PA Semi, Apple showed great innovation in shopping!

        • informed

          And planning YEARS in advance.

          Apple filed a patent for a touch-ID method to unlock a smartphone in 200, the SAME year they released the modern smartphone to market.

          Apple was making strategic decisions. All the other “smartphone” makers were still drawing with crayons.

          • klahanas

            I agree.

        • FalKirk

          Did you know that Bill gates purchased MS Dos for $50,000? Who cares? He turned it into almost a trillion dollar business.

          Did you know Apple purchased what became iTunes? Who cares? They combined it with the iPod and disrupted the music industry.

          Innovation can be subtle changes that have a huge impact. Don’t disparage people for being wise enough to make good purchases or clever enough make a minor tweak that creates a big impact.

          • klahanas

            No one in their most delirious state would ever accuse DOS itself of being innovative. Many DOS programs however were indeed innovative, some for reasons of getting around DOS’s limitations.

            Also, DOS was bought out of sheer availability, desperate need, and pure business opportunism.

            iTunes sucked then and it sucks worse now.

            Both these examples are demonstration of shrewd business moves, not technical innovation.

          • Couldn’t Resist Myself

            And at $12.5bn, Motorola was a bargain for Google. The purchase led to many innovations in loss reporting on balance sheets.

          • klahanas

            Their profit or loss is of absolutely no interest to me. That’s not tech.

          • pk_de_cville

            “Their profit or loss is of absolutely no interest to me. That’s not tech.”

            Their purchases weren’t innovation either as Apple’s were.

            Innovation /requires/ market success that leads the way.

            Invention requires a fertile mind and something new in the inventor’s world, perhaps the greater world.

            Some inventions are innovations, some innovations are inventions.

          • klahanas

            Innovation can very easily be overlooked, undisclosed, or ignored for it’s time, only to be re-discovered. Market success often comes with innovation, but is not required for it.

          • pk_de_cville

            From The Huffington Post:

            “What made the iPod and the music ecosystem it engendered innovative wasn’t that it was the first portable music device. It wasn’t that it was the first MP3 player. And it wasn’t that it was the first company to make thousands of songs immediately available to millions of users. What made Apple innovative was that it combined all of these elements — design, ergonomics and ease of use — in a single device, and then tied it directly into a platform that effortlessly kept that device updated with music.

            Apple invented nothing. Its innovation was creating an easy-to-use ecosystem that unified music discovery, delivery and device. And, in the process, they revolutionized the music industry.”

            From me: Innovation that is “overlooked, undisclosed, or ignored” isn’t innovation. Innovation is recognized by its success in establishing a new value standard that is adopted by the marketplace or culture.

          • klahanas

            Let’s put aside money as the only form of remuneration for a moment, and broaden it to include whatever motivates the innovator, be it fame, recognition, world improvement, whatever.
            There are examples upon examples, to write a book about really, of artists and scientists, as well as business people that had really great ideas, reduced to practice, that were, in a word buried. Those were not devoid of innovation. Innovation is an intrinsic property of the object or idea, as is it’s color, texture, “prettiness”, “usefulness”, etc. In fact, when judging for novelty the patent office specifically sets the bar for novelty and usefulness to the person “skilled in the art” as the arbiter of these properties.

          • Still Can’t Resist Myself

            And at $7.2bn, Nokia made Microsoft a powerhouse in feature phones.

          • klahanas

            See above.

          • pk_de_cville

            Like redefining “innovation”?

            Wikipedia:

            “Innovation is a new idea, or more-effective device or process. Innovation can be viewed as the application of better solutions that meet new requirements, unarticulated needs, or existing market needs. This is accomplished through more-effective products, processes, services, technologies, or business models that are readily available to markets, governments and society. The term “innovation” can be defined as something original and more effective and, as a consequence, new, that “breaks into” the market or society.”

    • Weird link. That’s from 2013 and relies on Apple having produced no technical information. But Apple started producing technical information on how iOS security worked long before that, and has certainly written much since as well.

      How accurate can the linked story possibly be if it doesn’t even get that right? The article admits it’s based on guesswork and assumptions. Is there an updated version now that Apple’s talked about the technology in detail that verifies the assumptions? Maybe provide that link instead.

  • Many people will note that customers still don’t seem to highly value security. However, I don’t think that’s the right way to think about it. A better question to ask is, what would happen if customers suddenly did? What if security breaches and government spying became so bad that it became the last straw?

    This article suggests that if that happened, Apple would have a significant lead over an important feature.

    • ILL TROOPER

      I think in this case, Apple made it so easy and seamless that many people don’t even realize how they’re using cutting-edge consumer security on an daily basis.

    • pk_de_cville

      Naofumi,

      “Many people will note that customers still don’t seem to highly value security.”

      How about people loving their iPhone that’s never stolen?

      Apple’s innovation: iPhones that have no value to criminals.

      No value? Yup. Stolen/lost Touch ID protected iPhones that can’t be ‘repurposed’ are worth $0.

      And lo and behold: iPhones are not stolen any more. (Priceless)

      • I understand what you’re saying, and although I haven’t seen any statistics that show how effective Touch ID has been in reducing the number of stolen iPhones, I believe what you say is true.

        At the same time however, I haven’t seen statistics that show security being a major concern when purchasing smartphones.

        Consumer concern is often sudden, irrational, and/or influenced by government/lobbyists/natural disasters. Examples are tobacco, GMO crops, organic food, earthquake/tsunami-proofness, etc. That’s why I think it’s perilous to try to predict how and when consumers will start to prioritise security as an important feature, and why I try not to discuss this. Instead, I focus on what would happen if they did.

  • klahanas

    Apple is the world’s largest IT department, maintaining total control over the whole enchilada. They better have a penchant for security. Who else would be to blame for a breach when there is security failure.

    Just as MS has to support an OS that must support the universe of hardware, Apple has to take the entire ownership of security. The own the chips, the OS and the store. Who else would?

    So, the only issue I have is with your title. Apple is looking first after their interests, that it’s aligned with customer security is incidental.

    • benbajarin

      From their actions, I think they are going above and beyond, hence the title. Doing this level of security at a consumer level without sacrificing ease of use is a feat. But since Apple is a user experience company it makes sense. But my fundamental point is security is not a feature to them it’s a priority. And it serves many purposes for where we are heading in the future.

    • Ett Noll

      “Apple is looking first after their interests, that it’s aligned with customer security is incidental”

      Wow, that is simply amazingly stupid. Companies that do not keep their customers’ interests in mind or understand the relationship between their customers’ interest and their products, usually have a hard time surviving in the long run, let alone thrive in the way Apple has done for the past decade.

      Apple does not care about security and personal integrity because they’ve sold a lot of products, they’ve sold a lot of products because they care about security and personal integrity (amongst other things).

      • klahanas

        No, what’s amazingly stupid is customers being unquestioning of Apple.
        Planned obsolescence, non-upgradability, feature removal, mandatory IT, etc. All those align with Apple’s interests first.

        • Ett Noll

          Yet somehow, for reasons unknown to modern man, science and even god himself, millions of seemingly perfectly healthy and intelligent people are choosing these products of their own, free will. There clearly must be some kind of conspiracy or elaborate brain washing going on here. Yes, that’s the only possible explanation.

          • klahanas

            You could well be on to something. Considering that the buyer/seller relationship is a competitive one. That, and the election of George Bush a really one of nature’a true mysteries.

        • The phrase “planned obsolescence” is just paranoia.

          What can you build today in a 2.3″ x 4.9 x 0.3 box? What can you build in it next year? Do you have a plan for fitting more in the next next year than today? What about the year after that?

          That’s “planned obsolescence.” Most of us call it “technological advancement.”

          • klahanas

            No sir 8, 16, and 32 GB devices without sd cards is planned obsolescence. That’s just factual. Non-upgradable laptops and desktops, the vast majority of models now, are other examples. Zero paranoia required.

            Technologically backwards from computing capability is more like it. Heck, DOS machines could do this stuff.

          • What 8GB device? As for 16GB devices, I have one and every year I can do more with it thanks to improving cloud technology.

            Would I rather have a 32 or 64, as the case may be? Sure. Do my parents need a 32 or 64? Absolutely not.

          • klahanas

            If I had a disk that was as slow, expensive, unreliable, and wasteful as the cloud, I would burn it. Where the cloud excels is in syncing locally.
            Are you going to tell me that you’re never offline, as in no connection?

            Edit: The 64, 128, or 256 can accommodate both you and your parents. Better yet, buy the 16 cheaply and add a 128 GB card. Or does that offend you? If so, why?

          • Nope. I’m telling you that, even as an app developer, the 16GB is adequate (but not ideal) for my needs. It’s certainly adequate for my parents. They’d hate to have to pay more. It probably is ideal for them.

          • klahanas

            Well it doesn’t hold my music library. Never mind getting movies onto the thing. Oh, and the filesystem…

          • NonyAsip

            Yes you’re right Apple should be ordered by Supreme Court to make an iPhone with micro SD card in it so that Klahanas can put all of his music library in it.

            Who is forcing you to get an iPhone?
            File system…. Oh yes I remember you still want salt where no salt is offered. I think we discussed this issue in length and finally ACCEPTED that it’s Apple’s right to offer their product no matter how limited they are. But again….

            You love banging those drums no matter what the discussion is. SD card, file system and only App Store……

          • klahanas

            Actually it’s your side that imposes ways of doing things. It’s also called critique, something you guys are quite sensitive about. Even if I never buy an iOS device (I actually have 2 Pros, one in each size), I am a potential customer and have the right to critique.

            So… why doesn’t NonyAsip petition the Supreme Court to censor me, it’s ingrained in Apple Club repertoire…

            Edit: And you still haven’t shown how that’s not planned obsolescence.

          • NonyAsip

            Why don’t you accept the fact that Apple is not for you and we’re tired of your same old mantra which you now call critique. Just go into your last 12 months comments and check it out how many times you’ve brought up the same issues. sad card, file access and only App Store.

            Because you don’t understand free market and how capitalism works and how businesses are run you keep coming with same old bullshit you love to beat.
            Some weeks ago many commentators tried to tell you what free market is but still you haven’t learn a thing. You’ve made up your own distorted definitions and try to judge others by those preconceived notions. It’s not critique.
            Now for instance if I put myself in your shoes what my response would be.
            16 GB iPhone can’t hold all my music library and 128GB is more pricier to me that’s why I don’t want an iPhone or my music library is more than 128GB. Also Apple doesn’t allows us access to file system and I like to do some tinkering I’ll go Android way. That’d be a perfectly fine response.

            Putting SD card functionality or access to file system comes at a price. Not just financially but at the expense of simplicity.
            And please cut that bullshit that you’re potential customer. Philosophically you’re not Apple customer and if by mistake you’ve purchased some Apple stuff please get rid of it. Put your money where your mouth is.

            Now tell me do you still believe that iPhone wasn’t a revolutionary product back in 2007?

          • klahanas

            Speaking of “male bovine fecal matter longitudinally extruded” (Steven Colbert), let this “socialist” (according to you) teach you a thing about capitalism.

            -Free market consisting of buyers and sellers (hopefully many) at opposing sides of a trade.
            It most certainly is not:
            -Corporate welfare.
            -Corporate impunity (including impunity from criticism).

            I’m going to follow Space Gorilla’s example and start trademarking. “But is it good for Apple…”-tm

            Now friend, see me as non-conformist to Apple’s will. Screw Apple’s will. I treat them with the same contempt I have for any censor or condo board. “Think Different!” If I wouldn’t allow my government to do it, why should I allow Apple?

            For what we pay for Apple devices, there should be more abundance of power, features, and specs, in addition to the ease of use. An SD card does not complicate things at all if you don’t want/need/know what it is. Is the Mac complicated?

            You still have not answered the planned obsolescence through non upgradability question, which prompted this exchange.

            Edit: You have never heard me say the iPhone was not revolutionary. It was even better than the LG Prada. What you might have heard me say is that the iPhone and iPad or iPod Touch cannot BOTH be technologically revolutionary. Whichever came first.

          • NonyAsip

            “For what we pay for Apple devices, there should be more abundance of power, features, and specs, in addition to the ease of use”

            That alone tells that you don’t understand free market. What should I say.

            Klahanas you’ve to learn some concepts with open mind, leaving your angry young man attitude aside that you see companies with contempt.

            “An SD card does not complicate things at all if you don’t want/need/know what it is. Is the Mac complicated?”

            Yes SD card makes thing complicate. SD cards are slow to read and write than built in NAND. Now if they put SD card there’ll be two different read/write speeds. Things will be complicated. Also they do fail. Apple brings simplicity that’s one of the reason they’re successful with common people.

            “You still have not answered the planned obsolescence through non upgradability question, which prompted this exchange.”

            It can be a business decision and a technical decision and I’m perfectly fine with that. Remember when they first took out the CD/DVD drive out of MacBook Air and everyone was screaming about it but what happened.
            Repairibility will be thing of past. Some people like you gonna cry about it but eventually they’ll understand.

          • pk_de_cville

            What about

            “…the planned obsolescence through non [OS] upgradability question.”?

            That’s 95% of Android’s devices today – 2B.

          • klahanas

            I agree OS obsolescence is an issue, a bigger issue on Android than on iOS. It is present on iOS as well, however. But that’s software obsolescence, I was referring to hardware obsolescence.
            Frankly the way Android upgrades are handled is a disaster. That’s what happens when you place goodwill with companies like OEMs and carriers.

          • pk_de_cville

            “[SS obsolesence is] what happens when you place goodwill with companies like OEMs and carriers.

            Google rushed to create its ‘open’ system with no concern or attention to upgrades. Zilch Zilch Zilch.

            Goodwill? How about ‘by design’?

          • jfutral

            As Steven noted above, technology is, currently, intrinsically obsolete, planned or otherwise. Anything being sold and bought today is ALREADY obsolete, no planning necessary. It’s all yesterday’s technology. As Mr. Fisher noted, that’s called “technological advancement”. “Upgradeability” is a placebo.

            Joe

          • klahanas

            There’s much truth to what you and Steven say. In Steven’s case all I can say is that a large basket can hold both a lot and a little. In computing we’ve also been privileged to “grow” our basket. This is the upgradability to which I’m referring- the ability to improve a device post purchase. This extends the life of a device.

            The obsolescence you refer to, on a macro level, is also a consideration. That’s just progress, unless it gets released in rapid incremental succession, in which case it’s ‘milking it’.

          • pk_de_cville

            “Actually it’s your side that imposes ways of doing things.”

            Just In:

            EU Competition Commission is charging Google with imposing odious and illegal contractual requirements requiring competitors to do things as Google demands.

          • klahanas

            Please see the opening post on this thread.
            https://techpinions.com/googles-eu-antitrust-battle/45198

            Is it possible they are both ? Is one perhaps a bigger than the other?

  • Vadim Dumin

    People already know that SE is 10% of Apple total secure content and it needs to get mixed with the lucking 90% to get a taster of it first and then make it transparent.

  • KevinD

    Great, when I tell my wife that she is part of the 11% of users that haven’t enabled Touch ID, she will feel special. If I could find her a water resistant, shock resistant case that would actually work with Touch ID, maybe she would use it.
    I was never able to get her to use a passcode. The only reason she does now is because our 3 year old grandson got into her phone and started mucking around….

  • obarthelemy

    Strangely timely: Google’s yearly report (with data !) on Android security. No such comprehensive report from Apple….
    https://security.googleblog.com/2016/04/android-security-2015-annual-report.html

    • benbajarin

      we all know how having to run the latest version of Android to get the best security works out for their customers ;). Even though the Play Framework is generally current, it still doesn’t go far enough given where were are headed.

      • obarthelemy

        That’s actually what the white paper is about: OS version is one node in a security web(*). I understand Apple is agitating like crazy about OS versions and Trurt Zone or whatever they named it, but… that’s crazy: when I talk about features, I get back “but UX is not an accumulation of features”; and when I talk security, I get back “but Apple has this and that feature so they’re wayyyy secure”.

        It not only does it not make sense on its own (security is NOT an accumulation of individual features, it’s a web of interdependent nodes, weakest link principle); it’s also internally inconsistent with the Apple-approved answer about features. You get to pick and choose the approach ?

        (*) say, one verison of the OS has a privilege escalation bug. If the supervisor, the appstore, the runtime,… block that vulnerability, that fact that the OS has it becomes immaterial.

        • benbajarin

          The way Apple handles sandboxing prevents malicious apps from accessing sensitive data and often data at all. But the central point the Secure Enclave handles all keys to sensitive information and that is never revealed to the OS or other because it is always encrypted only Yes/No approval is comforting.

          I’ve had plenty of chats with Google engineers on Android security, but the fact apps have such easy access to information or collect data so easily without users consent or knowledge is not that comforting given where we are heading.

          • obarthelemy

            Mmm Android is sandboxed, too. Are you saying it’s broken more often than iOS’s ? Source ?

          • benbajarin

            iOS’s isn’t broken to begin with. Apps have no access to any data. Where in Android apps can and often do access my contacts, and more without asking.. Or if there is an option to turn that off it is buried deep. I can’t tell you how many of my friends with an Android phone get their emails taken or log-in to facebook or twitter posts something they did not. Huge source for phishing attacks. May certainly be older OSes but that’s also the point that OS fragmentation leads to.

          • obarthelemy

            ??? In both OSes, apps that are granted that permission can access Contacts (or other data), and apps that aren’t granted the permission, can’t. I do hope (actually, I know) that same as on Android, iOS Apps have access to some data, otherwise you’d, say, have to manage a separate contact list for each app.

            What is different is that most implementations of Android used to ask once at install time and no backsies, while iOS re-asked at first access and allowed backsies. Notice I said “most”, Huawei’s for example (also, CyanogenMod and OS, and surely others), for a while (at least since 4.0 for Huawei), as re-asked + allowed backsies à la iOS. That’s a.. benefit.. (gasp !) of OS fragmentation: OEMs can add useful functionality.

            I also want to stress that the underlying permission model is the same, what was different was that Google had no tool/UI to edit those rights after install, and no second confirmation at first access. Recent versions of Google Android (6.0+) now work the exact same as iOS: list permissions in the store, re-confirm at first access, allow backsies.

            The issue with older and un-modded versions of Android, was not the lack of sandbox or permissions, but that users pay no attention to what permissions an app is requesting before installing it. A UI issue, not a security model issue.

          • benbajarin

            Both are ok, but one has proven to lead to more issues than another 😉

          • obarthelemy

            Indeed, but it is plain untrue that “[iOS] Apps have no access to any data. ” and that “Android apps can and often do access my contacts, and more without asking.”. They asked, people didn’t pay attention.

          • klahanas

            You’re right, but it should be revocable or at least making it easier to comply by offering to uninstall the App.

          • pk_de_cville

            “[iOS] Apps have no access to any data. ”

            Reestablishing context for above:

            “[iOS] [sandboxed] Apps have no access to any data [outside of secure shared data APIs].”

            Context is everything. 15 yard penalty and loss of down for Roughing the Context.

          • obarthelemy

            Your comment makes no sense because
            a) all apps on iOS are sandboxed
            b) so are all apps on Android
            c) and on both OSes the only accessible data is what’s been asked permission for, via secure APIs.

            my [iOS] was just to clarify my quote. Yours is… I don’t know what for, imply that Android isn’t the same ?

            If someone’s roughing the context, it’s you.

  • charlesarthur

    It seems pretty clear, from reading around, that the Secure Enclave is “a highly optimised version of ARM’s TrustZone” (https://www.quora.com/What-is-Apple’s-new-Secure-Enclave-and-why-is-it-important?share=1). Trustzone (TZ) has been around for over a decade, apparently. There are some very, very abstruse writeups about TZ which won’t make much sense unless you’re into microprocessor architecture. That Quora writeup is the most accessible which also acknowledges the TZ’s role.

    The point though that people don’t seem to be picking up on, which seemed to be the one that Apple (and Ben) emphasised, is that this is enhancing user security while not putting a big block in the way. Imagine if using PGP were as easy as using TouchID: we’d all be using encrypted email all the time. (At least, consumers might.)

    Your other bonus fact today: your fingerprints are formed by your embryonic fingertips touching your mother’s womb. You’re welcome.

  • Someonewhoknows

    You should do more research, secure enclaves aren’t unique to ARM/TZ

Protected by Gerben Law