When it comes to security, Apple users have had it very easy for a long time. While their Windows peers have struggled with viruses, malware, and trojans, the biggest security worry Apple users have faced is the (largely apocryphal) prospect of being mugged if they’re wearing white earbuds.

But confidence in Mac security is based more on faith than fact. At this year’s Pwn2Own contest, held annually at the CanSecWest security conference in Vancouver, OS X security expert Charlie Miller demonstrated for the third year in a row that Apple’s products aren’t immune to exploits. Miller hacked into a MacBook via flaws in the Safari browser, and another team successfully hacked into the iPhone via its own SMS database.

“Safari is the most risky piece of software you’ll run. One of the things that make Macs cool is that they work out of the box. But the bad thing is that means there’s a lot of code in Safari, it has to parse a lot of different inputs, and more things can go wrong with it,” Miller said.

Other browsers aren’t any better, Chet Wisniewski a Senior Security Advisor at Sophos Security said.

“On the grand scale, Safari is not any better or worse than IE, Firefox, or Opera. A browser is an exceptionally complex piece of software that can be more complicated than some operating systems,” he said.

“Right now you’re in pretty good shape if you have a Mac, but it’s not because the Mac is more secure, it’s because the bad guys care more about Windows boxes, because that’s what most people have. But as Apple’s market share continues to grow, we’ll get on the radar of the bad guys, and then we’ll be in as much trouble as Windows users,” Miller added.

Wisniewski stressed that there’s still time for Apple to plug security holes.

“The security community likes to pick on Apple and point out weaknesses, but I would rather work with Apple to fix these problems now, before its popularity does make it more of a target,” Wisniewski said.

Miller also addressed CanSecWest attendees in a speech entitled “Babysitting an Army of Monkeys” where he pointed to several Apple and third-party programs that are especially vulnerable to attack. Safari was the worst culprit, but Preview, iWork and Adobe Reader also showed serious flaws, he said.

Any program that can be used in OS X is potentially vulnerable, Wisniewski said, and programs that are used often or which arbitrarily download content are the most likely to become hacker targets.  

Wisniewski emphasized that while there are no known viruses on the Mac platform, malware does exist, mostly as trojans.

“Many users believe that if they never open a trojan there is no risk to their security. This is incorrect, as our industry defines a trojan as simply being standalone malicious code. Combined with a vulnerability like the one Charlie used in Safari, you could transmit a trojan to an OS X computer and execute it remotely, infecting a Macintosh without user intervention,” Wisniewski said.

Apple’s products still have advantages over Windows machines, including Steve Jobs propensity to ignore backwards compatibility. Rewriting the playing field for major new products makes for a more secure ecosystem.

“It lets them start with a clean slate, which is much more secure. Being a more homogenous platform could provide security advantages as well, but it appears Apple is more concerned with using this to lock down the platform to their own hardware, rather than to use it to create a more secure platform,” Wisniewski said.

The iPhone’s closed ecosystem makes it more secure than OS X, he added. “Apple has to try to provide a secure environment for any random thing a computer user might want to do. The iPhone, on the other hand, is supposed to be locked down.”

“The iPhone isn’t perfect, but it has pretty good security. The most important thing to do is not jailbreak it. There have been worms that took advantage of unchanged passwords on the iPhone,” Miller said.

The lack of Flash in iPhones and iPads makes it a little safer, since there’s less code running than on a Mac running Safari which enables Flash by default, Miller said.

“A lot of the things Apple has done, like not including Flash, have made the iPhone safer. Apple’s code signing policy also makes the iPhone a little more secure, but they didn’t add it to make it harder to hack, they did so because they want to protect their proprietary chain of getting programs to you,” Miller added.

The iPad is even more secure than the iPhone because it lacks SMS messaging, one of the key ways hackers have tunneled into the phone, he added.

But the locked down nature of the iPhone can also lead to a false sense of security, even amongst those who designed the device. There are areas of the phone that are “off limits” to users but aren’t as secure as they should be, such as the root default password “alpine” on all iPhones, Wisniewski said.

Despite these holes and flaws, Macs and iPhones remain a pleasant and generally trouble-free user experience. Security, just like everything else Apple makes, “just works” for the majority of its users. But that won’t last forever.

“I don’t think it’s necessary at this point to have anti-virus software on your machine. But if things continue to go well for Apple, it will be something worth thinking about,“ Miller said.