How Apple's iOS Went From Insecure To Most Secure
GMGruman writes "There's no such thing as a perfectly secure operating system, but security experts agree — somewhat grudgingly in some cases — that iOS, Apple's mobile operating system, is the most secure commercial OS today, mobile or desktop. It didn't start that way of course, and Robert Lemos explains what Apple did to go from insecure to most secure."
Wait... aren't we talking about the same iOS that gets jailbroken like clockwork still?
An ultimately secure OS would be the one that does not do anything at all. No inputs and no outputs. Perhaps iOS is closer to that ideal than any other.
So much mobile fanboy trollbait on the 'dot this morning.
Don't blame me, I voted for Baltar.
Most Secure? And the security is in the App Store? I don't know why the author's trying so hard to bullshit his way through. Sensationalist headlines just to get a few more ad impressions, eh.
A casual stroll through the lunatic asylum shows that faith does not prove anything.
Sent from your iPhone.
Argument from Authority (http://en.wikipedia.org/wiki/Argument_from_authority) is a fallacy of defective induction, where it is argued that a statement is correct because the statement is made by a person or source that is commonly regarded as authoritative.
1. Source A says that p is true.
2. Source A is authoritative.
3. Therefore, p is true.
-----
1. "Security experts" says that "iOS, Apple's mobile operating system, is the most secure commercial OS today"
2. "Security experts" are authoritative.
3. Therefore, "iOS, Apple's mobile operating system, is the most secure commercial OS today" is true.
-----
Note: This doesn't mean that iOS isn't the most secure commercial OS today; it might be. It just means that the article is trying to use an argument made of 100% pure USDA Grade A Bovine Excrement in order to show it.
Any expert that holds a grudge like that is no expert I ever care to hear from.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
Apple is going after the market of users who are sick of dealing with security issues/malware/etc. They've done it by creating a closed system. And while us geeks hate that, it has a strong appeal to most people. When they go to a closed system on Macs (and they will), that's who they're going to be appealing to. "Buy a computer where all your software is pre-screened through our App Store and you don't have to worry about viruses" is a powerful (and potentially very profitable) message in a time when malware and assorted hacks have become so common.
SJW: Someone who has run out of real oppression, and has to fake it.
I'm less likely to tolerate security risks on a phone...a device I have with me at all times...that I want to use without thinking that much.
I'm willing to put more resources into my PC/Mac to keep it up and running and secure.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
More people need to pay attention to http://slashdot.org/firehose.pl and mod stories like this into oblivion.
Learning HOW to think is more important than learning WHAT to think.
1. Forbid legitimate purchasers and owners of the device from doing ANYTHING you don't homogenize, pre-approve, pre-chew, and charge for.
I think this is the analogy you're looking for.
Sour grapes.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Great. A sandboxed environment with limited functionality and a vendor stranglehold on apps is "more secure" than a fully functional PC OS where the user can run any app (or even another OS) that they desire.
Big fricking whoop.
That's like saying that a car that spent the entirety of its life parked in a little old lady's garage was safer to drive than another car that has spent the last 10-15 years as someone's daily driver.
Chas - The one, the only.
THANK GOD!!!
iOS 4 [8], the latest version of iOS, includes ASLR, DEP, a sandbox, and code signing
Having never used IOS long enough to compare with other systems, it might impress on the phone front, but I am unconvinced it's really competing against the Desktop. In fact, it's an apples and oranges comparison anyway.
Firstly, having read the article - it's incredibly lacking in exposure to many operating systems. After this, the technologies quoted are all available in most modern distros of Linux, plus more including resource limitations to prevent abusing memory or CPU and mandatory access control mechanisms.
From a security perspective, seeing as with a smart phone you are carrying your online persona outside with you, it's at much greater risk of data theft than with a fixed desktop.
Why grudgingly? It either is or it isn't. If you have to begrudge the truth, go find something else to do.
Sensationalist, baseless claim? Check.
Short article "sourced" entirely off in-house articles? Check.
Forces to use print version to avoid ad overload? Check.
Yep, it's InfoWorld alright.
Let me save you 5 minutes of your time. This bit from TFA is really all there is to it:
The security is in the app store.
It's not surprising, then, that security professionals pointed not to Apple's design but to the company's gated App Store [11] and its required code review before publishing as a major security advantage. "The closed ecosystem makes the model pretty safe," says Trend Micro's Genes. "It is not because the iOS is completely safe. From a system design standpoint, Android is safer."
Are iOS devices equipped with an unbreakable "restore from ROM and only install cryptographically signed patches" functionality, like the Google Chromebooks are?
I like the idea that apps should only be installable from the AppStore (makes it easy to pull the plug on rogue apps) but there *are* going to be exploits.
The only foolproof method for an OS is, upon reboot, to check (from ROM) if the OS has been tampered with and, if needed, to re-install itself from ROM. Then to look for cryptographically signed critical updates.
That plus an AppStore would certainly be more problematic to own than Windows XP ; )
Although iOS has a lot of security going on underneath the hood, its safety could be due in large part to the fact that attackers have not focused on compromising the devices because there is no economic incentive to attack them, says Lookout's Mahaffey.
Really? No economic incentive?
Unlike PCs and Macs, every cell phone is directly associated with a credit card. Essentially a cell phone IS money. Bad actors can - and do - monetize this with malware that places calls to sketchy and high-cost phone numbers, or sends texts to subscribe to "information services," resulting in (fraudulent) charges showing up each month. And good luck trying to dispute charges with your cellular provider on those. They will just tell you that their hands are tied by federal law and that they can't help you, but nonetheless will turn around and threaten you with collection if you don't pay.
There's definitely economic incentive to attack mobile phones.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
OpenBSD has been at it a lot longer. Even as a Linux Zealot, I would choose OpenBSD for security. IOS is a closed Black-Box that nobody but Stevie knows what's inside. Historically we tend to find *cough*siemens*cough* that closed source, proprietary *cough*secureid*cough* offerings do not necessarily equate to a trustworthy or "secure" system. What seems to happen is closed source options provide a layer of obscurity which allows the governing company *cough*dropbox*cough* to take inexcusable risks with customers' assets because, basically, they don't need to show anybody. As long as they never get caught, they save a lot of money not having to implement a system to keep them honest.
Join the Slashcott! Feb 10 thru Feb 17!
I think Apple iOS is the most secure (tehehe) because of all the people searching for flaws to Jailbreak it with. It's like free security testing.
As we speak comments from the Apple Lovers and Haters are filling up comment sections everywhere. Also bloggers are coming up with more flametastic headlines to lure your eyeball to their website.
Enjoy it while you can since it lasts... well... Never mind it's a regular occurrence here on Slashdot :P
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Any OS will be more secure simply by virtue of locking it down that much more, thus restricting the people who use it to do less with it.
Gentoo Linux - another day, another USE flag.
Demonstrate to me that jailbroken iOS devices were included in the research to determine those results, then I will believe you.
Gentoo Linux - another day, another USE flag.
Feeling secure in the knowledge that Apple always knows where I am, even when I don't. But then so does Google, nice.
InfoWorld is offline, for "scheduled maintenance"... right
Until the entire iPhone or iPod Touch is by default fully encrypted based upon the user-supplied key so that an application such as DiskAid can't bypass the lock screen, then iPhone security is only epsilon better than nothing.
And don't get me started on the limitations on the escrow keybag, vis a vis law enforcement, Apple corporate, and third party access. And of course closed source means that the security is faulty from the original specification to each and every implementation.
Somehow I think Theo will disagree with this article, though Netcraft confirms he is dead.
It updates without asking people.. it disables things without asking people... certain types of useful software are internally prevented from ever running on it.. it steals information about me - such as my geographical location and uploads it to a server without me asking.. it won't work unless it has my credit card number..
if a hacker did that to my laptop, I'd hunt him down and punch his fucking head in.
I wrote my first program at the age of six, and I still can't work out how this website works.
If you need address space randomization, you're already broken. It just makes the dumber stack overflow exploits crash more.
The real question is "how much can an application do?". You have to assume that applications are hostile. Some of them will be. Some of them will have back doors. Some of them will have adware, spyware, remote updating, and similar attack vectors.
You need an OS that can reliably say no to an application. Apparently by "sandbox" the original author means "protected-mode operating system". Actually, what Apple does is to limit the privileges of each application when they sign it.
Apple's real security measure is developer intimidation. Because Apple can at will kick applications off the platform, smaller developers live in fear of being caught with a security hole.
Apple always knows where you are and what you are doing?
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
Blackberry OS is the only secure mobile OS
Snowden and Manning are heroes.
...some of these /. headlines only make it through the firehose so that we can all get a good laugh out of them? Also, "security experts agree" needs a big fat [citation needed]. TFA got like 2 or 3 "experts" that didn't even strongly agree with their conclusions.
FTA: By comparison, Mac OS X has limited application-dependent sandboxing and no code signing, and it only partially implements ASLR.
I was under the impression OS X has had code signing since Leopard, though it's voluntary and not heavily adopted by third parties so far from the looks of it. Also, I noticed a slide in the WWDC 2011 keynote where application sandboxing was listed as a feature of Lion.
Read an apple fanboi's distorted view of the world. Period.
I don't know, this quote from the article doesn't sound very fanboish:
"Moreover, the choice to have strict control over the App Store was driven more by profit considerations than by security foresight, says. "They did not set out to create a supersecure device," Accuvant's Miller says. "They just wanted total control over the apps because they are control freaks, not because they wanted to prevent malware.""
Perfect example of the ignorance of the author: he writes that the BlackBerry OS doesn't use DEP and ASLR. For fuck's sake, it's a Java phone, these don't even make sense in that context!
"Politicians and diapers must be changed often, and for the same reason."
And pigs do fly....
Being able to pull software isn't what I call secure, the damage has already been done.. Nah, this is just some fanboy BS article...
To be precise the Mac OS X kernel is XNU, it consists of Mach, BSD and I/O-Kit.
XNU is not based on the FreeBSD kernel, XNU does however contain some FreeBSD code (network stack, FS, etc.).