An Open Letter to Apple: Please, Please Replace Objective-C with Rust
Dear Apple,
Your iOS 15.1 update fixes 22 vulnerabilities. Thank you. But here’s the thing: of those twenty-two, at least sixteen of them were due to memory bugs. Here are some relevant excerpts:
- “An integer overflow…”
- “A memory corruption issue…”
- “An out-of-bounds read…”
- “An out-of-bounds write…”
- “A use after free issue…”
- “A buffer overflow issue…”
You’ve invested a ton in privacy and security technologies, and I appreciate that. But it’s time to take a more radical step, and the way I see it, you have two choices:
- Borrow the memory and thread safety ideas from Rust and work them back into Objective-C and Swift, or
- Allow Rust to be a first class citizen in your stack with direct interoperability with Swift.
I really hope you choose number two.
If you’re not familiar with Rust, then you should know that it eliminates huge classes of attacks against applications, particularly around memory issues like the ones above, but also around concurrency issues. It can be hard to work with, but you can build very fast code that is safe by design.
Once you make it a first class citizen, assuming you do that, then I hope you start rewriting the key parts of your stack that are the main vectors of real world attacks against Apple customers. I’d start with CoreAudio, CoreGraphics, and WebKit.
That’s a big job, but it would have a huge return on investment. Moving to Rust can eliminate 70% of your vulnerabilities and probably more like 95% of the ones that are remotely exploitable. Focusing on your libraries that parse data coming from untrusted sources will make your platforms way, way safer.
This is a potentially disruptive change and I know you’ve invested a lot in your own programming languages. But Objective-C and any lingering C code need to go. You should plan to replace all of the foundational layers written in these languages as you go. But then you can focus on making Rust cleanly interoperable with Swift. Today it’s possible, but it’s a tremendous pain and contains many pitfalls.
I can’t think of a single thing you could invest in that would better protect your customers.
I know it would be a big lift, but if you don’t do it now, you risk having Linux and Microsoft leap ahead of you in terms of the security of their operating systems as they embrace Rust. It would leave people like me, who think critically and often about how best to protect themselves and others, leaning away from Apple products. But if you embrace Rust and even make it something your developers can use for core parts of their apps while using Swift UI for the higher levels, you’d have an incredibly powerful developer story.
Will you take that step? Please, please do.
Sincerely,
Patrick Walsh