iPhone users have groaned and moaned about the device’s lack of basic copy-and-paste functionality, but Apple held off on delivering the feature until it got the security right. Kudos to Apple for making security a requirement, and designing its software correctly. Third-party iPhone developers should be designing software the same way.
It has become increasingly important for developers to treat security as they would any other severe software defect–stamping out problems at the very beginning of an application’s lifecycle. It’s less expensive for software makers to address security issues before an application ships, and the security and privacy of end users are safeguarded better that way.
That’s the rationale behind Apple’s decision to delay copy-and-paste. During Apple’s press conference today, Scott Forstall, senior vice president of iPhone software, explained that the company opted to address security issues that arise when information is copied between applications.
I think that is of particular importance in a smartphone’s operating system–after all, users store important information on their phones that could be compromised by malware. Clearly, Apple is thinking security, but it should be empowering its developers to do the same. As far as I know, it has not invested the resources to make that happen.
In fact, no big vendor has invested in a major security push with developers–except for Microsoft. Microsoft has published its Security Development Lifecycle (tools and processes that the company uses to build security into its software), has released free threat assessment tools for developers, and has set up training programs for sharing security-related knowledge and experiences.
Over the past several weeks, I spoke with Microsoft about the future of the Security Development Lifecycle. While the SDL is not a cure-all, security vulnerabilities in Microsoft software have dropped markedly since it was adopted. It would not surprise me if there were security tools incorporated into the next version of the company’s Visual Studio development environment.
Apple would be smart to take a similar approach with the iPhone, sharing its internal principles for writing secure software with third-party developers whose applications also need to be as rock-solid as possible. For that matter, so should Palm, and every other smartphone software producer.
At today’s event, Harry asked the last question, concerning the App Store approval process, and Apple marketing chief Phil Schiller pointed to security checks as one reason why giving third-party apps the go-ahead takes time. Overall, I’m encouraged by Apple’s commitment to security, but today’s iPhone 3.0 announcement didn’t answer the broader question: What is it doing to make certain that iPhone developers know how to write applications that are safe, period?