The last couple of days, the tv and newspaper talked about the Apple FaceTime Vulnerability. It was one of the security holes that Apple has on their products, such as iPhone, iPads, and Mac computers. A vulnerability happened in Apple FaceTime application. It allows someone to access audio and video on another Apple device even when the recipient does not answer the call. This vulnerability applies to Apple iOS users who have Group FaceTime capability on iOS 12.1 or later.
This was how the vulnerability actually happens:
When user #1 starts a FaceTime call with user #2, while the call is processing, the user #1 adds a person and then enters their own phone number. The user #1 can then hear the audio from the user #2, even when user #2 hasn’t answered. “The problem was the result of a bug and involves Apple’s FaceTime app for placing video and audio calls over an internet connection. The bug could also give caller access to a live feed of the recipient’s camera” (Chen, 2018).
For now, Apple has disabled the Group FaceTime feature and has tried to fix the bug. I hope that Apple could fix the bug as soon as possible and resume the Group FaceTime feature for the users. I am not a big fan of Apple, but I am a big of Android. I have a small business and I use Messenger for group chat. Messenger has similar features as Group FaceTime and I love to use this feature to have a meeting with my employees when I am away from the office.
I came from a software development background and when I heard about this security bug, I could tell that Apple needs to update their software development life cycle (SDLC) as soon as possible. Their SDLC has a serious bug. It’s either their employees not performing the tasks correctly within the SDLC or the SDLC missed important steps to verify the quality and security of the software. As a big and well-known company like Apple, they should not have this kind of bug that leads to a huge vulnerability to the customers. Here is what I could tell Apple needs to do with the SDLC.
First, they need to create a design (general design and detail design) with a flow diagram for the Group FaceTime feature. With a flow diagram, it should give senior developers, security software developers, and architect software engineers the ability to review the whole process and catch any security issue.
Second, when the developers write the code, they would be able to understand the whole process before coding. They should be able to catch the security issue when coding and especially testing. The testing from the developer is considered a unit test, but it could catch great defective errors.
Last, Apple Quality Control (QA) team did a bad job. Their testing scripts, testing different cases, and different groups of users were not throughout. QA plays a very important role. They need to work with senior developers to come up with different test cases and make sure the product is free from error in terms of logical errors and security errors.
Depending on the products, each company will have a different rating level for the defective acceptance. For example, if a system (software and hardware) is written for a hospital to distribute medicine to the patient, the required defective acceptance level would be - 0.00001% or +0.00001%. It is because if the system distributes 1mg less or more of medicine this could cause a serious problem to the patients. If a system (software and hardware) is written for distributing food for the pets, the required defective acceptancy level could be -10% or +10%. In this case, the defective level could be large and it is still acceptable because it won’t hurt the pets when the system distributes a bit more or less food for the pet.
Back to the Apple FaceTime system. It’s a security issue and the product serves the whole world. Therefore, it is critical for Apple to not have this security problem. The issue did not only hurt the customers, but it also hurt Apple itself financially (the stock market went down) and Apple’s reputation.
Reference:
Chen, B. (2018, Jan 28). FaceTime Bug Lets iPhone Users Eavesdrop, in a Stumble for Apple. Retrieved from https://www.nytimes.com/2019/01/28/technology/personaltech/facetime-bug-iphone-hack.html
No comments:
Post a Comment