Slashdot Mirror


How Apple's iOS Went From Insecure To Most Secure

GMGruman writes "There's no such thing as a perfectly secure operating system, but security experts agree — somewhat grudgingly in some cases — that iOS, Apple's mobile operating system, is the most secure commercial OS today, mobile or desktop. It didn't start that way of course, and Robert Lemos explains what Apple did to go from insecure to most secure."

32 of 312 comments

  1. Frist to get jailbroken... by Anonymous Coward · · Score: 5, Insightful

    Wait... aren't we talking about the same iOS that gets jailbroken like clockwork still?

    1. Re:Frist to get jailbroken... by poetmatt · · Score: 4, Informative

      not only that, but the comments are hilarious as are the arguments:

      * A sandbox isolates programs, and iOS's memory organization makes exploitation more difficult.
      * Applications that run on the iOS are vetted by Apple and can be removed if found to be malicious.
      * Patches can be quickly applied to the iPhone and iPad to close security holes in the operating system.
      * The software is regularly reviewed, especially its open source components.
      * The platform has the advantage of attacker psychology -- attackers still target smartphones far less than desktop systems.

      This is hilarious, considering that the sandbox is the only true thing. Patching is known to break things continually (and done to break things - hello anti-jailbreak?), apple doesn't vet third party apps - you think they vet the browsers or MS office on mac? Said things are open and known security breaches. Same argument can be made for microsoft and google's first party apps being vetted (no shit) on that, and I'm not even a microsoft fan.
      Attacker psychology? What joke of a phrase is that? That's as anecdotal as it gets.

      So in summary, the thing apple does right is put things in a sandbox. that is all. Infoworld sure does have a hardon for apple sometimes.

    2. Re:Frist to get jailbroken... by gabebear · · Score: 2

      Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run. Secondly, I don't think you have ever been able to Jailbreak an iPhone remotely, you have to be in possession of it. If you give a hacker unlimited time with a device, they will find a way to do what they want.

    3. Re:Frist to get jailbroken... by MrCrassic · · Score: 5, Interesting

      Considering that the last major jailbreak used a PDF rendering exploit in Safari to allow users to jailbreak their devices online, which requires modifications to files in system directories, I'd highly beg to differ.

      And while jailbreaks for iOS happen for almost every point release, they are getting tougher and tougher to find (as in it takes the dev-team more and more time to find a patch).

    4. Re:Frist to get jailbroken... by jjetson · · Score: 2

      I'd disagree, the article is claiming iOS is the most secure because of the gated app store. If the device can be jailbroken then the gated app store point is moot. Now any app from nearly anywhere can be installed and run, so the main point of the article is shot. Therefore I'd say the ability to jailbreak the device has everything to do with security in this context.

    5. Re:Frist to get jailbroken... by mini+me · · Score: 2

      Jailbreaking uses security flaws to run unsigned code. The same flaws can be used for malicious purposes. It is most definitely a security issue.

      While most jailbreaking methods do require the phone to be tethered to a computer which greatly reduces the chances of infection in the wild, there have been at least two well known untethered jailbreak methods that could have been used to install malicious code quite easily.

    6. Re:Frist to get jailbroken... by Enry · · Score: 5, Funny

      Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run.

      Why don't you re-read that and tell me where your logic flaw is.

    7. Re:Frist to get jailbroken... by EraserMouseMan · · Score: 3, Insightful

      It's amazing how people lose all objectivity when they've fallen for Apple. Love is blind. The fact is that they love their Apple gear so much they love it and discount all flaws and shortcomings and never stop begging for more.

    8. Re:Frist to get jailbroken... by scot4875 · · Score: 2

      It only looks like blind attacks to people who have bought into the hype.

      Believe it or not, when someone tells you that your shit stinks, it's not that they're "hating" you -- it's just that they're tired of smelling your shit.

      --Jeremy

      --
      Jesus was a liberal
    9. Re:Frist to get jailbroken... by PopeRatzo · · Score: 3, Insightful

      the article is claiming iOS is the most secure because of the gated app store.

      Ah, there it is. Just a few stories ago, there was the headline about Apple putting some desktop and laptop machines behind the walled garden and maybe phasing out OSX altogether.

      And then..."iOS is the most secure".

      You can start to see the outline of a marketing campaign that will convince people that they really don't need to have anything on their Mac that didn't come from Apple, one way or another.

      As a long-time Mac user and owner of several Mac Pro and MacBook Pro machines, I find this transformation of "machines to make things with" to "machines you can consume content with" quite offensive. It may be good business for Apple, and good for Apple shareholders, but for the future of personal computing for people who don't use Windows or Linux, it kind of sucks.

      --
      You are welcome on my lawn.
    10. Re:Frist to get jailbroken... by Nerdfest · · Score: 2

      If you stick to the stock repositories, it's very similar. One of my main complaints about iOS and the OS X app store is that they limit you to *only* those choices. If they allowed you to install other sources like Apt does it would go a long way to making me (and probably quite a few others) consider using their products.

    11. Re:Frist to get jailbroken... by poetmatt · · Score: 2

      hahaha. they refuse third party apps is more like what they do. How's that firefox/chrome doing on iOS?

      Also, how's all those apps that are arbitrarily refused and/or apps that clearly were not vetted. You think they vet every google app that comes across or can actually control what is used?? Hello HTML5 on that.

    12. Re:Frist to get jailbroken... by VolciMaster · · Score: 2

      apple doesn't vet third party apps - you think they vet the browsers or MS office on mac

      Yes, the article is lame, but it's about iOS, and not Mac OS X

    13. Re:Frist to get jailbroken... by crafty.munchkin · · Score: 2

      Show me this secure operating system you speak of...

      --
      ... wait, what?
  2. An ultimately secure OS by dmt0 · · Score: 5, Funny

    An ultimately secure OS would be the one that does not do anything at all. No inputs and no outputs. Perhaps iOS is closer to that ideal than any other.

    1. Re:An ultimately secure OS by Flyerman · · Score: 3, Funny
  3. Most Secure? by OKK77 · · Score: 2, Insightful

    Most Secure? And the security is in the App Store? I don't know why the author's trying so hard to bullshit his way through. Sensationalist headlines just to get a few more ad impressions, eh.

    --
    A casual stroll through the lunatic asylum shows that faith does not prove anything.
    1. Re:Most Secure? by jo_ham · · Score: 2, Funny

      It's just the reverse of the enormously slanted "Apple is definitely phasing out OS X and locking it down and will force people to only buy from the App Store" article earlier, just with the "anti-Apple" bias changed to "pro-Apple".

      There must be balance in the ad-impression linkbait, lest the universe implode.

  4. Agreed. by Anonymous Coward · · Score: 3, Funny

    Sent from your iPhone.

  5. Grudging by Altus · · Score: 4, Insightful

    Any expert that holds a grudge like that is no expert I ever care to hear from.

    --

    "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  6. Security is a big selling point by elrous0 · · Score: 4, Insightful

    Apple is going after the market of users who are sick of dealing with security issues/malware/etc. They've done it by creating a closed system. And while us geeks hate that, it has a strong appeal to most people. When they go to a closed system on Macs (and they will), that's who they're going to be appealing to. "Buy a computer where all your software is pre-screened through our App Store and you don't have to worry about viruses" is a powerful (and potentially very profitable) message in a time when malware and assorted hacks have become so common.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Security is a big selling point by kevinmenzel · · Score: 3, Insightful

      Agreed - the eventual limited machines... "consoles" essentially, though for 'work' instead of 'games', will be quite popular. Which does kind of suck for geeks, because our specialty hardware will no longer benefit from the economies of scale, at least not to the same degree.

  7. Easily Fixable by chill · · Score: 3, Interesting

    More people need to pay attention to http://slashdot.org/firehose.pl and mod stories like this into oblivion.

    --
    Learning HOW to think is more important than learning WHAT to think.
  8. Sigh. by Nemyst · · Score: 2

    Sensationalist, baseless claim? Check.
    Short article "sourced" entirely off in-house articles? Check.
    Forces you to use print version to avoid ad overload? Check.

    Yep, it's InfoWorld alright.

  9. "no economic incentive to attack" iPhones? by mccrew · · Score: 4, Insightful
    from TFA:

    Although iOS has a lot of security going on underneath the hood, its safety could be due in large part to the fact that attackers have not focused on compromising the devices because there is no economic incentive to attack them, says Lookout's Mahaffey.

    Really? No economic incentive?

    Unlike PCs and Macs, every cell phone is directly associated with a credit card. Essentially a cell phone IS money. Bad actors can - and do - monetize this with malware that places calls to sketchy and high-cost phone numbers, or send texts to subscribe to "information services," resulting in (fraudulent) charges showing up each month. And good luck trying to dispute charges with your cellular provider on those. They will just tell you that their hands are tied by federal law and that they can't help you, but nonetheless will turn around and threaten you with collection if you don't pay.

    There's definitely economic incentive to attack mobile phones.

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  10. Um.. No by sl4shd0rk · · Score: 5, Insightful

    OpenBSD has been at it a lot longer. Even as a Linux Zealot, I would choose OpenBSD for security. IOS is a closed Black-Box that nobody but Stevie knows what's inside. Historically we tend to find *cough*siemens*cough* that closed source, proprietary *cough*secureid*cough* offerings do not necessarily equate to a trustworthy or "secure" system. What seems to happen is closed source options provide a layer of obscurity which allows the governing company *cough*dropbox*cough* to take inexcusable risks with customers' assets because, basically, they don't need to show anybody. As long as they never get caught, they save a lot of money not having to implement a system to keep them honest.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  11. I disagree by Haedrian · · Score: 2

    I think apple iOS is the most secure (tehehe) because of all the people searching for flaws to Jailbreak it with. It's like free security testing.

  12. Re:Completely useless by Chas · · Score: 2

    functionality

    You keep saying that word. But I do not think it means what you think it means. -- Inigo Montoya

    --


    Chas - The one, the only.
    THANK GOD!!!
  13. Re:Completely useless by pandrijeczko · · Score: 3, Interesting

    Oh, so you can run emulator software on it now, can you?

    Or compile source code into packages that you can install onto it?

    Or go into the boot up processes and turn off or configure any services that you don't want or want to run differently?

    Or create a specific account to run the OS with much fewer permissions so that you're more secure due to the tighter restrictions you've placed yourself under?

    --
    Gentoo Linux - another day, another USE flag.
  14. It's pwned before you get it out of the box.. by sqldr · · Score: 2, Insightful

    It updates without asking people..  it disables things without asking people...  certain types of useful software are internally prevented from ever running on it..  it steals information about me - such as my geographical location and uploads it to a server without me asking..  it won't work unless it has my credit card number..

    if a hacker did that to my laptop, I'd hunt him down and punch his fucking head in.

    --
    I wrote my first program at the age of six, and I still can't work out how this website works.
    1. Re:It's pwned before you get it out of the box.. by mr_lizard13 · · Score: 3, Informative
      Okay, I'll tear a hole in your comment piece by piece then.

      It updates without asking people..

      No it doesn't. You have to connect the device to your computer, launch iTunes, choose 'Download and Install' when prompted and follow the onscreen instructions.

      it disables things without asking people...

      Are you referring to the 'kill switch' built into the operating system? That's never been used. Conversely, the Android kill switch was used in March this year. To kill malware that had been downloaded from the Android marketplace.

      certain types of useful software are internally prevented from ever running on it..

      Which useful software is 'internally' prevented from ever running on it? Apps must be vetted by Apple in order to be included in the App Store, but I can't recall the last time an app was rejected for being too useful. Similarly, I can't recall the last time Apple had to throw a kill switch to kill malware downloaded from the App Store.

      it steals information about me - such as my geographical location and uploads it to a server without me asking..

      No it doesn't. The iPhone stores information about nearby WiFi access points and cellular towers. That information is stored in an on board cache. When you sync with iTunes, that information is transferred to your computer, in order that it can be synced back with other iOS devices you own. The locations of WiFi access points and cellular towers are sent to Apple, but not before they have been anonymised. Apple has no details of where you are, unless you implicitly opt in to sharing your location.

      it won't work unless it has my credit card number

      It works fine without your credit card number. I don't even own a credit card, and yet my iPhone functions perfectly. The sleep/wake button works, the volume buttons work, the SMS and Mail apps work, the Phone app works, the iPod, iTunes and App Store apps all work.

      certain types of software includes any programming language

      Really? http://itunes.apple.com/us/app/basic/id362411238?mt=8

      or anything which "duplicates functionality"

      Quite. Because something which duplicates functionality is extremely useful, isn't it.

      storing your geographical location without telling you.. er, you didn't know about that? at least it does google. See if you can find it.

      I can find it just fine. Now, see if you can find it. (Tip: http://www.apple.com/pr/library/2011/04/27location_qa.html)

      --
      "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
  15. Re:Completely useless by BitZtream · · Score: 2

    I'll preface this reply with: I have an iPhone developer account so I'm not a normal user, however, your list of things aren't on the list of things that normal users give a shit about so I'll follow up anyway.

    Oh, so you can run emulator software on it now, can you?

    Yep, use my own circuit simulators and I've been working on an ATmega simulator for shits and giggles. No they'd never be sold on the appstore, but I can run them just fine without doing anything against Apple's rules.

    Or compile source code into packages that you can install onto it?

    Yes, that's exactly what ALL iOS developers do, that's what gets distributed to your phone, a .ipa file which is a ... a software package, so when I compile my projects and select 'make archive' in XCode, it does exactly that, makes a package which can be dragged and dropped onto iTunes and installed. The package manager is called iTunes instead of apt, functionality on the other hand is more or less the same.

    Or go into the boot up processes and turn off or configure any services that you don't want or want to run differently?

    Probably not, but I can not for the life of me come up with a reason why I'd want to turn off the only two services that start on startup ... which are designed to manage the wireless network access. I guess I could turn off all networking services and come close, but I wouldn't have bought the device if I didn't want those services, I would have gotten an iPod touch or something without radios.

    What processes do you want to 'turn off'? Push notifications, SMS, or working phone service? Nothing else worth mentioning is running.

    Or create a specific account to run the OS with much fewer permissions so that you're more secure due to the tighter restrictions you've placed yourself under?

    So uhm ... you mean like how iOS works out of the box and has for years? I seem to remember a brief moment on the 1.x series where some things ran as root which was promptly fixed, but the only time anything has exploited that fact has been from jailbreakers without a clue porting apps to iOS without any thought whatsoever about security ... WHICH IS EXACTLY WHY APPLE HAS THE POLICIES IT HAS.

    I'm not saying you should buy an iPhone, you clearly shouldn't, it's not for you, it's for people that make educated choices about their purchases, not for geeks with a stick up their ass who try to pretend they have a clue about something they hate without an actual reason. You don't want a phone, it's cool dude. Just let it go, it's never going to be the Linux phone of your dreams, but can't you accept that it is perfectly usable for a lot of people ...

    You have basically two choices, accept that other people want other things out of their phone than being able to tweak it to oblivion and run any app they might want while using crappy package managers that some geeks think are God's gift to the world.

    Or

    Accept that you are completely and totally wrong in probably every way.

    Personally, I doubt you'll think either one applies to you since you're clearly out of touch with reality anyway.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager