Apple has always had a stellar reputation when it comes to security standards and the innate protection it provides users from hackers. In fact, many people believe that Apple is invulnerable to hackers, since there has never been a report of a widespread exploit being used in the real world.

Up until now, that is.

When news broke recently about a human rights activist who had received a suspicious-looking link on his phone, a number of security researchers immediately began to look into it. Their promptness paid off big time since the link was designed to remain active only for thirty minutes.

It took them a couple of days to find out exactly what the link was and the extent of the damage the malware behind it could do. Pegasus, as this malware was later named, could remotely take over an iPhone and compromise almost all aspects of the phone.

All of the data, pictures, account information and even access to the camera were compromised.

Once the security researchers had collected all the information, they sent it to Apple so that it could issue a patch and plug the security hole. What followed was an eye-opener into the relatively long amount of time even a company with the resources and expertise of Apple needs to respond to security threats.

It took Apple 10 days to finally issue a critical update for all its users, a time frame that security researchers say is the least amount of time that can be expected and would have meant round-the-clock hours for some of its best software engineers.

The first thing that a company like Apple does when it receives news about its software being compromised is to try to find all the vulnerabilities in its code. This is one of the most difficult tasks and can be extremely time-consuming. Also, throwing more engineers at it does not necessarily make the process go faster.

Even though Apple itself does not share any details about the process it takes to respond to such threats, people who have worked on such projects in the past say that the same process is followed in all major companies.

The first three days would have been spent finding all the flaws and then starting to get the software patch ready. Different patches need to be prepared for different carriers, and for different companies.

All of these patches also need to be tested for quality before they can be sent out, in case they end up opening other, bigger holes in the security structure. This again takes anywhere from three days to a week.

Only once the team is satisfied with the quality of the patch can it then be rolled out in step three of the response cycle.

It is only to be expected that these attacks on our mobile systems will become more and more common as the devices continue to grow in importance and start to store all of our most important information. No company is immune to these threats, not even Apple.

 

 

  • eunul

    …because they have no security