Apple faces renewed criticism over its stance on cryptocurrency: essential information you should be aware of

Apple, the well-known technology company, has recently found itself in the spotlight of the cryptocurrency community. Two significant events have raised concerns, with implications for both Apple users and the crypto industry as a whole.

The first event is a side-channel attack called “GoFetch,” which has exposed a vulnerability in Apple’s M1, M2, and M3 processors. This attack can steal secret cryptographic keys stored in the CPU’s cache, making sensitive data vulnerable to compromise. A group of researchers from various US universities developed GoFetch and reported their findings to Apple. Unfortunately, this hardware-based vulnerability cannot be fixed, and any software fixes would come at the cost of performance, particularly affecting cryptographic functions.

The second event comes in the form of a substantial antitrust lawsuit filed by the United States Department of Justice (DOJ) against Apple. The lawsuit claims that Apple’s App Store rules and developer agreements hinder competition and innovation, creating barriers for developers and users in various sectors, including finance and crypto.

Now, let’s delve deeper into these events and explore their implications for the crypto industry.

Understanding the GoFetch attack is crucial in assessing its impact. This attack targets a sophisticated vulnerability in modern Apple CPUs, putting users at risk of having their private cryptographic keys compromised. The attack exploits a feature called the data memory-dependent prefetcher (DMP), which is designed to enhance computing speed by predicting and fetching data into the CPU cache ahead of time. However, the predictive nature of the DMP becomes a weakness in the context of the GoFetch attack.

The exploit focuses on cryptographic processes that maintain a constant execution time, regardless of the input, to prevent data leaks. By examining Apple’s DMP implementation, the attackers discovered a flaw that violates this principle of constant-time programming. The flaw lies in the prefetcher’s activation and dereferencing of loaded data, particularly data resembling pointers, which is prohibited under constant-time programming guidelines. Using this flaw, attackers can gradually reveal bits of the secret cryptographic key and eventually reconstruct the entire key, compromising sensitive information. This vulnerability affects Apple’s M1 processors and likely their successors, M2 and M3.

Unfortunately, there is no straightforward fix for this vulnerability, as it is deeply embedded in the hardware design of Apple CPUs. Users of Mac and iPad devices are potentially at risk, and it falls on cryptographic application developers to implement mitigations and issue updates to their applications. However, this process may not be simple, leaving users in a vulnerable position until updates are rolled out. Security experts advise caution, suggesting that individuals with substantial holdings in crypto wallets on Apple devices should consider temporarily removing them as a precautionary measure.

In response to inquiries, Apple has acknowledged the research findings but has not provided concrete steps to address the problem. The company’s developer page offers guidance to application developers, suggesting the implementation of data-independent timing (DIT) to disable the prefetcher during cryptographic functions. However, this solution presents its own challenges, as disabling the prefetcher could decrease processor performance during cryptographic operations, raising concerns about usability and efficiency. Furthermore, the DIT fix is only applicable to Apple’s latest M3 chips, leaving users with M1 and M2 devices vulnerable to exploitation.
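The mitigation pattern described above, as an added example that is not Apple's or the researchers' code: check for the DIT feature, set the bit around a constant-time routine, then restore the previous state. The names `tag_matches`, `ct_equal` and the `dit_*` helpers are hypothetical, the build is assumed to target ARMv8.4 or later on Apple silicon, and per the article the setting only disables the prefetcher on M3.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__APPLE__) && defined(__aarch64__)
#include <sys/sysctl.h>
/* Ask the OS whether this CPU implements the DIT feature. */
static int dit_supported(void) {
    int v = 0; size_t n = sizeof v;
    return sysctlbyname("hw.optional.arm.FEAT_DIT", &v, &n, NULL, 0) == 0 && v;
}
/* Set PSTATE.DIT and return the previous register value for later restore. */
static uint64_t dit_enable(void) {
    uint64_t prev;
    __asm__ volatile("mrs %0, dit" : "=r"(prev));
    __asm__ volatile("msr dit, #1" ::: "memory");
    return prev;
}
static void dit_restore(uint64_t prev) { __asm__ volatile("msr dit, %0" :: "r"(prev) : "memory"); }
#else  /* Other platforms: no DIT control here, so the helpers are no-ops. */
static int dit_supported(void) { return 0; }
static uint64_t dit_enable(void) { return 0; }
static void dit_restore(uint64_t prev) { (void)prev; }
#endif

/* Constant-time equality: no branch or array index depends on the data. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);  /* 1 if equal, else 0 */
}

/* Hypothetical wrapper: run the secret-dependent step with DIT set. */
int tag_matches(const uint8_t *expected, const uint8_t *got, size_t n) {
    int have_dit = dit_supported();
    uint64_t prev = have_dit ? dit_enable() : 0;
    int ok = ct_equal(expected, got, n);
    if (have_dit) dit_restore(prev);  /* do not leave DIT changed for callers */
    return ok;
}

int main(void) {
    /* Constructed sample values, not real key material. */
    const uint8_t t1[4] = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t t2[4] = {0xde, 0xad, 0xbe, 0xee};
    printf("dit=%d same=%d diff=%d\n", dit_supported(),
           tag_matches(t1, t1, 4), tag_matches(t1, t2, 4));
    return 0;
}
```

Keeping the DIT window limited to the cryptographic call confines the performance cost the article mentions to that call.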

Moving on to Apple’s antitrust lawsuit, the DOJ alleges that Apple’s tight control over the App Store has resulted in anti-competitive behavior, stifling innovation and imposing high fees on developers. The focus of the debate is Apple’s 30% commission, known as the “Apple tax,” charged on in-app purchases, including crypto transactions. This fee model has posed significant obstacles for crypto developers looking to offer their services on iOS devices.

The impact of Apple’s fee structure is evident in NFT marketplaces. Some companies, faced with high commissions, have chosen to withdraw their services from the App Store. Others have had to limit functionality, hindering user experience and access to NFT trading. Apple’s guidelines also go beyond fees, restricting payment systems and app distribution. Developers are prevented from offering alternative payment methods, making it challenging to integrate crypto into iOS apps.

Apple has defended its practices, citing concerns about user privacy and security. However, critics argue that these policies favor Apple’s profits over developer freedom and consumer choice. The DOJ’s lawsuit is expected to take three to five years to resolve, but app makers and the Coalition for App Fairness strongly support the regulatory action, highlighting Apple’s history of increasing prices and stifling competition.

In conclusion, these two events have raised concerns within the crypto community. The GoFetch attack exposes a vulnerability in Apple’s processors, compromising private cryptographic keys. The antitrust lawsuit filed by the DOJ challenges Apple’s control over the App Store and its impact on competition and innovation. Both have implications for Apple users and the crypto industry as a whole. It remains to be seen how Apple will address these issues and how they will shape the future of crypto on iOS devices.
