Well not really an Apple store, but a reseller featuring only Apple products. Other than the legal difference (not a shop run by Apple) there is probably nothing really different. For simplicity I’ll just go with “Apple store” from now on.
In my effort to improve computer security and move out of my comfort zone, I thought it would be nice to learn a bit about the overpriced bitten windfall fruit technology. So I went to the store with a friendly smile and told the guy what my goal was: improving my computer security and learning about Apple by asking an expert in a shop dedicated to selling Apple products. I’m even ready to get a Mac Mini if the price is okay. But visiting the Apple shop turned out to be a fiasco:
Question 1: MacOS Differences to Windows+Linux?
He said he can’t compare anything to Windows or Linux as he only uses Apple products, just his POS terminal runs Windows. WTF? How are you going to explain anything to anyone who is ready to switch to your systems if you know nothing about other operating systems? Never mind. If he is at least an expert in Apple products I can compare it myself.
Question 2: Can I isolate parts from each other by Virtualization or Sandboxing?
Guy: “What do you mean?”
Sinchen: “Limit the impact of a security breach on a part of my system in a controlled way.”
Guy: “Apple is very secure. You have to actively download malware for an infection.”
Well, it is definitely a false claim and I told him zero click attacks on Apple systems exist (forgot to mention Pegasus as an example targeting iPhones).
Not knowing what to answer he said there was no compartmentalization (which is wrong by the way, there is a kind of sandboxing on MacOS – even I know that, but no details) and the whole system would be compromised if that actually happens… but… “Apple is so secure that never happens! Windows and Android infections spread in minutes across the globe… not so with Apple. We have a strong Antivirus-Firewall!”
It was like talking to a living advertising brochure uttering buzzwords. My bullshit-o-meter said “Overload!” and was about to explode. I stayed friendly and tactfully replied:
“That doesn’t sound very technical.” (In my cliché German bluntness I was about to yell that he had zero knowledge of information technology and security… and was completely failing on his job. But I stayed calm.)
“You can stop hackers with a strong encryption password!” he added out of nowhere.
“What would encryption do on a system in use? The key is loaded, data is active and not at rest. Malware has access to the plaintext.”
“Yes, if you actively download a trojan horse it can extract the data. But hackers from outside can’t, because it is encrypted.”
I gave up at this point. If the system is active, my data loaded and an attacker gets arbitrary code execution (ACE) it doesn’t matter if the entry point is a trojan horse (Pebkac – Problem exists between keyboard and chair) or somebody decided to burn up a multimillion $$$ exploit chain on me to use zero click for gaining ACE. In both cases my computer and my data are f…ed! So much for my interest in MacOS in the form of a Mac Mini.
Omitting the questions about attack surface reduction I took out my Google Pixel 8a with GrapheneOS. Biometrics alone are insecure even if implemented correctly: They can be forced by attackers (criminals, police, malignant partner while asleep…)
Question 3: Any way of secure Biometrics usage?
“Can the iPhone make secure use of biometrics? That is GrapheneOS.”, I asked.
“What? Never heard of this!” he answered.
“Fingerprint unlock alone is insecure because it can be forced.”
“That’s why we (Apple) have given up fingerprint long ago and use Face ID. Fingerprint can be spoofed, Face ID is secure.”
“No matter if Face ID is beyond any spoof attempts, it can also be forced. If I press my finger here it doesn’t unlock but asks for a short 2FA PIN additionally.”
“You can turn off Face ID and use PIN only.”
“My password is very long. I can’t just type that everywhere and under video surveillance.”
“No, iPhone can’t do such a thing. You are the only one asking such questions! Nobody taught us that at the Apple training courses!”
Finally I unlocked my phone with 2FA and made a short shaking motion (forces primary unlock getting rid of biometrics) to show it in action. He looked even more confused.
Sadly he even failed to have any answer to the following, which was part of mainstream media. He obviously knows nothing about the inner workings of the products he is supposed to sell. He doesn’t follow any (news) sites dedicated to Apple products.
Question 4: How does the automatic reboot on iPhones work?
“I reboot my iPhone every few days manually. It tends to crash otherwise.”
WTF? He admits these overpriced things crash when not rebooted frequently (I highly doubt that iPhones regularly
Sinchen: “Okay then. I thought I could get some technical insights here. Was wrong.”
Guy: “Maybe my colleague responsible for business sales knows more. He can add Sophos to the security.”
I had prepared some more questions, but at this point I gave up. Premium prices, no competent staff. I had no ill intent when asking these questions.
The insane amount of incompetence presented in a shop selling only expensive luxury goods caught me off-guard and struck me like a blow with a sledgehammer.