The headline seemed sensationalistic, so I started reading filled with skepticism. That said, I did find the article well written and full of interesting detail.
A few examples:
As a result, Apple has insisted that only its own WebKit engine be allowed to handle that unsigned code. “They trust their own stuff more,” Henze says. “And if they make an exception for Chrome, they have to make an exception for everyone.”
The point being made here is that Apple bottlenecks all browser activity through WebKit. To me, this seems a solid approach, as long as WebKit is bulletproof.
The problem with making WebKit mandatory, according to security researchers, is that Apple’s browser engine is in some respects less secure than Chrome’s.
There’s the rub. If that’s truly the case. Seems to me, no matter the choice Apple makes here, there will be security holes. The key is how quickly Apple responds to identified flaws. My (possibly uninformed) sense is that Apple closes loopholes before they become widely known, or quickly issues a patch if exploits do become public.
As to Messages:
Hackable flaws in iMessage are far rarer than those in WebKit. But they’re also far more powerful, given that they can be used as the first step in a hacking technique that takes over a target phone with no user interaction. So it was all the more surprising last month to see Natalie Silvanovich, a researcher with Google’s Project Zero team, expose an entire collection of previously unknown flaws in iMessage that could be used to enable remote, zero-click takeovers of iPhones.
More disturbing than the existence of those individual bugs was that they all stemmed from the same security issue: iMessage exposes to attackers its “unserializer,” a component that essentially unpacks different types of data sent to the device via iMessage.
All very interesting. I’m betting that Apple is working hard to identify and fix attack vectors in WebKit and better sandbox Messages. I think it’s a safe bet that none of this information is new to Apple.