Apple draws crypto criticism again: what you need to know
Apple has found itself under the microscope of the crypto community twice recently. What are the implications of these events?
In a recent turn of events, Apple, the tech giant, finds itself in the crosshairs of the crypto community, not once but at least twice.
The first blow comes in the form of a sophisticated side-channel attack called “GoFetch,” which has exposed a vulnerability in Apple’s M1, M2, and M3 processors. This exploit can pilfer secret cryptographic keys residing in the CPU’s cache, leaving sensitive data susceptible to compromise.
A group of seven researchers from various universities in the U.S. developed GoFetch and reported their findings to Apple. However, the nature of this hardware-based vulnerability means that impacted CPUs cannot be fixed. While software fixes could mitigate the issue, they would come at the cost of performance, particularly affecting cryptographic functions.
Adding fuel to the fire, the second blow lands courtesy of the United States Department of Justice (DOJ), which has leveled a hefty antitrust lawsuit against Apple.
The lawsuit claims that Apple’s App Store rules and developer agreements stifle competition and innovation, creating barriers for developers and users across diverse sectors, including finance and crypto.
Let’s delve deeper into the implications of these events and dissect what really is happening and how it impacts crypto.
Understanding the GoFetch attack
The GoFetch attack zeroes in on a sophisticated vulnerability within modern Apple CPUs, putting users at risk of having their private cryptographic keys compromised.
At the heart of the GoFetch assault lies a feature known as the data memory-dependent prefetcher (DMP), a component designed to enhance the speed of computing operations by predicting and fetching data ahead of time into the CPU cache.
Think of it as a forward-thinking assistant, preemptively retrieving information it believes the computer will need based on past memory access patterns. However, the DMP’s predictive prowess becomes its Achilles’ heel in the context of the GoFetch attack.
This exploit targets cryptographic processes that maintain a constant execution time, regardless of the input—a security measure aimed at thwarting data leaks.
By delving into the intricacies of Apple’s DMP implementation, the attackers uncovered a critical flaw that violates this fundamental principle of constant-time programming.
The crux of the attack lies in the prefetcher’s propensity to activate and dereference data loaded from memory, particularly data resembling pointers—an action strictly prohibited under constant-time programming guidelines.
Exploiting this flaw, attackers can craft specialized inputs designed to trigger the prefetcher, gradually revealing bits of the secret cryptographic key.
With persistence and repetition, the attackers can reconstruct the entire key, exposing sensitive information to potential compromise.
Apple’s M1 processors, and likely their successors M2 and M3, are susceptible to this vulnerability due to similar prefetching behavior.
Unfortunately, as this weakness is deeply ingrained in the hardware design of Apple CPUs, there’s no straightforward fix available.
Who’s at risk and Apple’s response
The discovery of this critical security flaw in Apple’s M-series chips has put users of Mac and iPad devices at potential risk.
What’s concerning is that users cannot address this vulnerability directly. Cryptographic application developers must implement mitigations for the problem and issue updates to their applications.
However, this process may not be straightforward, and users may find themselves in a vulnerable position until these updates are rolled out.
Security experts like Robert Graham, CEO of security consultancy Errata Security, advise caution, suggesting that individuals with substantial holdings in crypto wallets on Apple devices should consider temporarily removing them as a precautionary measure.
In response to Zero Day’s inquiry, Apple acknowledged the research findings but hasn’t provided concrete steps to address the problem.
Apple’s developer page offers guidance to application developers, suggesting the implementation of>Apple’s antitrust woes and crypto’s future
The DOJ’s lawsuit contends that Apple’s tight grip on its App Store has led to anti-competitive behavior, stifling innovation and imposing hefty fees on developers.
Central to the debate is Apple’s infamous 30% “Apple tax,” a commission charged on in-app purchases, including crypto transactions.
This fee model, deemed “grotesquely overpriced” by critics, became a significant obstacle for crypto developers seeking to offer their services on iOS devices in the past.
Now Apple is killing all NFT app businesses it can’t tax, crushing another nascent technology that could rival its grotesquely overpriced in-app payment service. Apple must be stopped. https://t.co/4KChp6jtFZ
— Tim Sweeney (@TimSweeneyEpic) September 23, 2022
The repercussions of Apple’s fee structure are evident in the NFT marketplaces. Companies like Magic Eden, faced with the prospect of paying substantial commissions, opted to withdraw their services from the App Store in 2022 and are still holding onto their guns.
There is a fake Magic Eden wallet app on the IOS App Store.
Do not download this, it is NOT from us. We are working to get it removed.
We are currently developing a mobile app but any announcements will come from our official channels. Please be careful and assume any Magic… pic.twitter.com/WGF08lCMPZ
— Magic Eden 🪄 (@MagicEden) March 7, 2024
Others, like OpenSea, have had to scale back functionality to just viewing and browsing NFTs, limiting user experience and access to NFT trading.
The Bitcoin-friendly social app Damus also had to remove its BTC tipping feature. Apple delisted the app because it didn’t use Apple’s in-app payments, which Apple uses to take a cut.
Damus will be removed from the app store in 14 days, apple says zaps are not allowed on their platform because they *could* be used by content creators to sell digital content. This is right before we’re about to give our talk at the oslo freedom forum on how decentralized social… pic.twitter.com/uAK1U0UBet
— Damus⚡️ (@damusapp) June 13, 2023
Additionally, Apple’s guidelines go beyond mere fee structures, encompassing restrictions on payment systems and app distribution.
These guidelines prevent developers from offering alternative payment methods, hindering the integration of crypto into iOS apps.
For instance, Apple is facing a class-action lawsuit initiated last year, filed in Nov. 2023 in a California District Court.
The lawsuit alleges that Apple collaborated with payment platforms such as PayPal’s Venmo and Block’s Cash App to restrict peer-to-peer (P2P) payments within iOS applications.
Meanwhile, in response to the DOJ’s allegations, Apple has defended its practices, citing concerns about user privacy and security.
However, critics argue that these policies disproportionately favor Apple’s bottom line at the expense of developer freedom and consumer choice.
It is nice when the DOJ gets it right and calls a spade a spade. The Apple pro-privacy and security ‘spin’ has been one of the smarter and well executed cynical marketing plans in history. Glad folks are starting to see through it and say something beyond tech echo chambers. pic.twitter.com/tLr2cJz2WQ
— sam lessin 🏴☠️ (@lessin) March 22, 2024
Experts estimate a three-to-five-year timeline for any resolution to Apple vs. DOJ case. However, app makers and the Coalition for App Fairness have voiced strong support for the DOJ’s regulatory action, citing Apple’s long history of unfairly increasing prices, degrading user experiences, and choking off competition.
Read more: CertiK reports a critical security vulnerability in Solana’s Saga phone