Slashdot Mirror


Accountability, Not Code Quality, Makes iOS Safer Than Android

chicksdaddy writes "Threatpost is reporting on a new study of mobile malware that finds accountability, not superior technology, has kept Apple's iOS ecosystem free of viruses, even as the competing Android platform strains under the weight of repeated malicious code outbreaks. Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners told attendees at the SOURCE Boston Conference on Thursday about an empirical analysis of existing malicious programs for the Android and iOS platforms which shows that Google is losing the mobile security contest badly — every piece of malicious code the two identified was for the company's Android OS, while Apple's iOS remained free of malware, despite owning 30% of the mobile smartphone market in the U.S. Apple's special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices."

27 of 210 comments

  1. what counts as malware.. by gl4ss · · Score: 5, Insightful

    ..and how would they detect it on the iOS? They just said that there is _zero_ malware, yet there's plenty of iOS games/apps which leak all your contact info? (As there is for Android.)

    (and the accountability part is that it takes a little more checks to get yourself identified as a publisher for the iTunes App Store.. however.. it doesn't take that much, there is and has been plenty of unauthorized distribution of Asian comics etc there)

    I haven't identified any iOS malware either, but that could be because I haven't looked for any (just not my field).

    --
    world was created 5 seconds before this post as it is.
    1. Re:what counts as malware.. by pankkake · · Score: 4, Informative

      Malware has been accepted in the Apple App Store, TFA is bullshit.

      --
      Kill all hipsters.
    2. Re:what counts as malware.. by wvmarle · · Score: 5, Funny

      No, no, no. Totally wrong. If it's reviewed and accepted for listing in the App Store, then it's not malware. So the App Store is by definition 100% malware free. QED.

    3. Re:what counts as malware.. by chrb · · Score: 5, Insightful

      ..and how would they detect it on the ios?

      Good point. The security researchers who identified some of the Android malware visited third party Android app stores and downloaded all of the apps so that they could build up a huge app corpus, which they could then scan (static analysis) for malware suggestive signatures. They stated that they couldn't do the same with the iPhone because Apple prohibits mass downloading of iPhone apps in order to build an iPhone app corpus. So the only people who can look for malware across the whole range of iPhone apps is Apple, and it seems unlikely that they would announce if they found any malware, when they can instead just silently remove it from the app store.

  2. Freedom has it's risks by Zico · · Score: 5, Insightful

    Guess what?! Freedom comes with risks! I don't make any decision until I weigh the pros and cons and do a bit of research, and yes, this includes any and all apps I may want to use.

    1. Re:Freedom has it's risks by vakuona · · Score: 4, Insightful

      And that is why the Android model is flawed. Not fatally mind you, but flawed nonetheless.

      You can't expect people to have to audit every bit of software that they install on their smartphone. In fact, it ought to be reasonable for users to expect software they download off the official repositories (App Store, Market) to be malware free.

      And yes freedom comes with risks. But freedom also allows users to choose a phone that doesn't require them to expend more effort than necessary to be able to do what they require. Don't forget, a smartphone is a luxury, not a necessity.

    2. Re:Freedom has it's risks by squiggleslash · · Score: 5, Insightful

      If you ever feel like it, buy yourself an Android device (one with Google), and actually try buying some software - or even downloading stuff from a third party website and installing it directly.

      You'll notice that "auditing every bit of software (you) install" is ridiculously easy. The installer tells you what rights the app needs when you install it. It's pretty easy to determine that a game does not need to capture your keystrokes, and if a cool tool to change the wall paper needs "access to your Google account" then there's obviously something odd going on.

      If an app doesn't ask for a particular right, Android's security model prevents it from doing whatever it was that required the right in the first place.

      By comparison, as I understand it, I only have Apple's (and a developer's) word that a particular tool for iOS doesn't contain malware. I'm not going to be told what parts of the system it needs to access, I just get a straight "Do you want the advertised features or not?" choice.

      The flaw here is on Apple's side. Both systems require you audit the apps you install. Only Android actually lets you do that.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:Freedom has it's risks by QuasiSteve · · Score: 5, Insightful

      It's pretty easy to determine that a game does not need to capture your keystrokes, and if a cool tool to change the wall paper needs "access to your Google account" then there's obviously something odd going on.

      Certainly, but even when setting aside that people ignore this all too easily because they simply want the shiny, your examples are obvious.

      What if a chat app wants access to the internet, your contacts, and your phone?
      Well the internet makes sense - can't very well expect an app that is intended for chatting to not have that connectivity.

      Contacts also makes sense because in combination with the phone, it allows the app to send a text message if you have no internet connectivity or simply choose to use SMS instead of its internet-based chat functionality.

      So you install the app, and the app sends all your text for datamining to China, all of your contacts to some company in Bulgaria, and sends a bunch of texts to expensive SMS service numbers.
      Oh, and it also lets you chat with people, so as far as you know, it's doing exactly as advertised.

      This is no different on any other platform, of course. It may have been different in the early days of the iPhone, but I rather doubt that they still check each and every app before making them available and instead rely on exactly what the article says.. accountability.. you only get away with malware once unless you also manage to fool Apple into allowing you a new account. But to the end-user(s), the damage is already done anyway.
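The install-time permission audit argued over in this sub-thread, as an added example that is not any poster's code: it reads the `uses-permission` entries of an AndroidManifest.xml, compares them with what a reviewer would expect for the app's category, and lists permission combinations that matter together. The two manifests, the `EXPECTED` policy and the `RISKY_COMBOS` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _manifest(package, *perms):
    """Build a constructed AndroidManifest.xml (sample input, not a real app)."""
    rows = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms
    )
    return f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">{rows}</manifest>'


# Constructed samples mirroring the two cases in the thread.
WALLPAPER_MANIFEST = _manifest(
    "com.example.wallpaper", "SET_WALLPAPER", "GET_ACCOUNTS", "INTERNET"
)
CHAT_MANIFEST = _manifest(
    "com.example.chat", "INTERNET", "READ_CONTACTS", "SEND_SMS"
)

# Hypothetical reviewer policy: permissions that look reasonable per category.
EXPECTED = {
    "wallpaper": {"SET_WALLPAPER", "INTERNET"},
    "chat": {"INTERNET", "READ_CONTACTS", "SEND_SMS"},
}

# Hypothetical labels for combinations whose joint effect exceeds each part.
RISKY_COMBOS = {
    "account_exfil": {"GET_ACCOUNTS", "INTERNET"},    # account names can leave the device
    "contacts_exfil": {"READ_CONTACTS", "INTERNET"},  # address book can leave the device
    "sms_charges": {"SEND_SMS"},                      # texts to premium numbers cost money
}


def requested_permissions(manifest_xml):
    """Return the short names of all permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    key = f"{{{ANDROID_NS}}}name"
    return {
        el.get(key).rsplit(".", 1)[-1]
        for el in root.iter("uses-permission")
        if el.get(key)
    }


def audit(manifest_xml, category):
    """Compare requested permissions with the category's expected set."""
    perms = requested_permissions(manifest_xml)
    return {
        "unexpected": sorted(perms - EXPECTED.get(category, set())),
        "combos": sorted(n for n, need in RISKY_COMBOS.items() if need <= perms),
    }


if __name__ == "__main__":
    for label, doc, category in (
        ("wallpaper", WALLPAPER_MANIFEST, "wallpaper"),
        ("chat", CHAT_MANIFEST, "chat"),
    ):
        print(label, audit(doc, category))
```

The wallpaper sample is caught by the "unexpected" check, while the chat sample requests nothing unexpected and still matches two combinations: the permission list shows what an app can do, not what it does with that access.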

  3. Is this Covert Advertising for Apple's Ecosystem? by dryriver · · Score: 4, Informative

    Last time I checked, there were plenty of reports of malicious iOS apps clandestinely hoovering up your private data/contacts, and sending that bundle to the app's developers, who will use it for Lord-knows-what-nefarious-purpose. With this being the case, how can anyone possibly claim that iOS is "secure & malware free"? The malware doesn't have to be a Trojan or Virus. It can also be a nasty little app that secretly sends your private data to a server somewhere that you don't even suspect exists.

    I don't understand why Apple fans need to maintain a strange belief in the "infallibility" of Apple's ecosystem. Apple is plenty fallible in my humble opinion. And this is just another snide attempt to advertise the "Extra-Special-Specialness" of using Apple products.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
  4. waiting for a clue by 1u3hr · · Score: 4, Funny

    Slashdot: "the competing Android platform strains under the wait of repeated malicious code outbreaks."

    From TFA: "the competing Android platform strains under the weight of repeated malicious code outbreaks"

    It takes a determined idiot to make a spelling mistake when copying and pasting from a website.

  5. This just in by GameboyRMH · · Score: 4, Insightful

    Crushing authoritarianism leads to lower crime, worth the misery? Film at 11.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  6. Re:iOS programmers are superior by flyneye · · Score: 4, Funny

    Telepathy= Salt flats
    C.B. Radio= Nascar
    Twitter= lemmings jogging

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  7. Re:You have to be kidding by mysidia · · Score: 5, Informative

    Since when is the iOS more secure? The latest Android has a very stable code and a solid permission system that allows the user to set exactly what an app can or can't do.

    The reason there are fewer iOS malware infections has to do with something totally separate from security of the device.

    There is a 'more efficient' distribution channel for Android platform malware.

    Developing for the Apple platform requires a security certificate from Apple to sign applications, paying money to Apple, signing a contract, and approval from Apple and review to be listed on the app store, which makes the app store a less efficient means of distributing malware than the Android marketplace.

    An operating system can be extremely insecure, but if there is no useful distribution channel, or no network connection, it is not likely to be infected.

  8. Re:You have to be kidding by Black+Parrot · · Score: 4, Insightful

    This article is pure FUD. Plain and simple.

    Can't imagine that a company called "iSEC" would be biased on this matter.

    --
    Sheesh, evil *and* a jerk. -- Jade
  9. Re:You have to be kidding by DavidRawling · · Score: 5, Interesting

    On the contrary, the user has NO control over app permissions, by default. The app author sets what he/she wants, and the user has the choice of accepting it or finding an alternative. No justification, no ability to say "well I want this useful SSH app but I don't want it reading my contacts, so I'll deny that permission". Yes, there are firewall apps (the permissions are in the OS, why do I need an APP to enforce OS permissions?) and for rooted devices, apps that can tweak permissions. But the default is horribly, terribly broken because most of the power is in the hands of the developers, NOT the users.

  10. Re:You have to be kidding by BasilBrush · · Score: 5, Informative

    Since when is the iOS more secure? ...an OS that can be rooted by a fucking website.

    If that is your measure, the answer to the question you pose is July 15th 2011. That was when the last version of iOS that could be rooted via a website was replaced.

    4.3.3 could be jailbroken via website, 4.3.4 would not.

    5.x has been out since Oct 2011.

    Personally I'd say a better measure is the amount of malware. And on that measure, Android has always been many times worse than iOS.

  11. Re:But the Apple factor? by wvmarle · · Score: 5, Insightful

    Being accountable does help keep people honest. Knowing you will get away with taking a fistful of dollars from the cash register versus knowing that the management will realise that there is money missing from your cash register makes a big difference.

    Security is all about layers. Accountability is just one of them, and it is an important one.

  12. Re:You have to be kidding by wvmarle · · Score: 4, Informative

    Afaik most Android malware is not from the Play Store, but from third-party Android stores.

    And besides, the Play Store does have accountability: every developer has to register, and pay a small one-off registration fee as a form of identification.

  13. Re:You have to be kidding by Anonymous Coward · · Score: 5, Insightful

    There's a number of things you're missing. Most importantly: practically everyone would consider trojan horses to be malware, or at least an important security issue. Just because the user checked a box somewhere doesn't mean that trojans don't count.
    Beyond that, trojan horses are due to their very nature less useful in an environment where accountability is higher. This is definitely the case with Apple/iOS, and has led to a large number of false positives and censorship by Apple, both of which have been discussed at length here on Slashdot.
    Thirdly, unlike Android, I haven't seen any major and widely-reported breaches of Apple devices, despite widely-available jailbreaking tools. This surprises me quite a bit. According to the iPhone users I've asked about this they claim that the cause is that most jailbreaks these days work through a physical connection (i.e. with a computer).

    Android may be more secure in capable hands, but the average user is safer in an environment where available software is code-signed and strictly supervised, either by a single entity such as Apple's iOS market or by the community such as the debian repositories.

  14. Re:You have to be kidding by Anonymous Coward · · Score: 5, Insightful

    Sure, but if the user is asked for every app whether to share data, the act of sharing data then becomes a standard part of the install. Very technically aware users will make use of this, but for most users it's effectively worthless: it's just another mind-numbingly annoying button you click for the app to run, like EULAs almost no one reads. (Just to be clear, I'm not really arguing about Android vs. iOS, I'm just pointing out the generally low value of relying on users giving consent for an install.)

  15. Re:You have to be kidding by jsvk · · Score: 4, Informative

    The exploit you're talking about existed for 1 or 2 minor version numbers, and can no longer be exploited (including by the device owner) due to the OS version(s) no longer being installable without jumping through some hoops (Apple's server no longer signs off on the installation). It was a bug in the PDF renderer for Safari, for anyone wondering.

    Rooting iOS devices remains a hunt for exploits in every version release, and no one's ever sure if and when the next version's exploit will be released. Many 4S/iPad users on iOSv5.1 have been stuck using a jailed, but perfectly secure device for months now, with no guarantee that the jailbreak will come anytime soon.

    Each version makes iOS more and more secure, and there's no guarantee Apple won't eventually release a perfectly secure, jailed OS, and I hope at that point this OS dies off, but that may be asking too much.

  16. Re:You have to be kidding by chrb · · Score: 5, Interesting

    I don't think that is the reason that we hear more about Android malware, although it may be a factor. The barrier to entry of becoming an iOS developer is: buy a Mac (Intel Mac Mini will do), pay $99, sign up on web site. The barrier to entry of becoming an Android developer is: buy a PC (any will do), pay $25, sign up on web site. You could argue that the cost of a Mac Mini is prohibitive, or that hackers are less likely to own a Mac and begin hacking around on iOS in the first place, but for serious malware authors these are not significant barriers.

    The real reasons that we hear more about Android malware:

    1. Android users can enable installs of apps from non-official markets and random web sites. Many of the reported malware apps come from these kinds of sites. But users have to explicitly do this, no phone ships with random web sites enabled as app stores. These same users, having enabled random app sources, then presumably don't bother to check the permissions that the app they install requests.
    2. Android allows apps to send premium rate SMS messages and calls without an explicit popup. I personally think Google should probably kill this ability, but then I never call premium rate numbers. Blocking premium rate texts would kill the profit incentive for most malware. If this were an explicit, in your face, permission or setting (like the big warning for data roaming in settings!), then we wouldn't have seen any premium SMS fraud malware.
    3. Apple marketing is happy for the media to push the "no iOS malware" angle in the same way that they did successfully with "no OS X viruses". It isn't strictly true, but people believe it anyway, and there is a huge class of users who are willing to pay more for the belief that there will be fewer problems in future. Malware that affects a few thousand people really isn't important in the big scheme of things, but it is something that marketing can use to try and differentiate iPhones in the eye of the consumer from very similar and equally capable Android phones.
    4. Apple fans are pushing the "Android is full of malware" meme extensively, even though very few Android users have actually been affected. Is malware an issue that should be dealt with? Yes, but these same Apple fans who argue that Android is "straining under the weight of malware" after a few thousand users have been infected, are also the ones who claim that half a million infected Apple desktops is no big deal.

    History has shown that a monoculture is actually more vulnerable to attack. There were some very skilled virus writers back in the 80s who innovated with polymorphic, anti-virus proof code, hidden boot sector infections etc. For whatever reasons, these kinds of hackers moved on to other projects, and what we see now in the virus/malware sector is mainly an industry driven by financial profit motive. iOS has had root exploits, and getting an app on the iPhone app store isn't that hard. Maybe they scan code and do some static analysis to try and spot dodgy functions, but at least one person has gotten malware into the iPhone app store, so it is certainly possible. I really do think that the only reason this hasn't been done is due to the explicit permission that the iPhone requires to send a premium rate SMS. If people ever start doing widespread banking on the Android/iPhone, or Android/iPhone malware ever becomes a populist hobby again (like viruses of the 80s), then I'm sure there will be more. An X-Prize, designed to stimulate malware production on either platform, would almost certainly produce results.

  17. Re:You have to be kidding by kthreadd · · Score: 4, Insightful

    I like Android, but what has kept me away from it is that I have not found an Android phone that consistently gets new updates after they are released for a long period of time. Sure, Apple makes mistakes like this but the important thing is that they shipped an update and basically all affected phones got it even if they were a couple of years old.

    Let's say that the same thing happened to Android. How large a percentage of Android phones would even get the update at all?

  18. Re:You have to be kidding by mkraft · · Score: 4, Insightful

    I'm not sure why this was modded insightful, let alone +5 since if you read TFA you'd know that they weren't saying that iOS is more secure, only that there is virtually no delivery mechanism for malware because of Apple's app store policies of requiring real world identification of an app author to publish apps in the app store. That and iOS apps are more restricted in what they can do over Android apps.

    That's the problem when articles like this hit Slashdot. Rabid fanboys (Apple and Google) start posting without even reading the article. The same thing with modders.

  19. Re:"has kept Apple's iOS ecosystem free of viruses by Entrope · · Score: 4, Informative

    That is a distinction that the study apparently did not make, because it talks about "malicious code" rather than viruses. In fact, most of the malicious apps that one hears about are spyware or trojans rather than viruses.

  20. Re:You have to be kidding by Deorus · · Score: 4, Insightful

    Wow! What a fair and unbiased comparison! A year old iOS version that anyone with an at least 3 year old iPhone could and should have upgraded from, versus the latest Android version that most people can't upgrade to! Rated Insightful, of course, because there's a lot of circle jerk insight in that nonsense of a post!

    This is not even to mention that the article has nothing to do with the security of the platform itself but rather its exposure to malware, but hell, let us make it about security and debate the merits of each platform, shall we?

    I find it interesting how ignorant some Android fanboys are regarding iOS' sandbox, which is extremely restrictive and does not, by design, allow apps to do anything too fishy even if all permissions are granted. At most an app may be able to pull up your contacts without your permission or access call information, but not much beyond that without the user being notified unless they pierce through the sandbox. An app can't keep itself running in the background for longer than 10 minutes (unless specific profiles that permit so are chosen and approved by Apple for each app), run any kind of code not present during the approval process (meaning it's not OK to download code unless it's an in-app purchase, which may be free, and this includes interpreting code other than HTML and Javascript on Safari, which is why emulators are not permitted), launch or interact directly with other applications unless they register themselves as resource handlers (even running a secondary executable within your own application will result in iOS completely obliterating it without even bothering to inform any attached debuggers of what happened).

    In essence, the article hits the spot by claiming that it is the screening process and its walled gardens that keep the nastiness away. It's simply not worth developing malware for iOS, you don't have much to gain by doing it, either you pierce through the sandbox and your app will be rejected (with potential consequences to your developer and / or publisher certificates) or you can be easily detected by any user. There are exceptions, of course, but compared to Android, they are very few in number.

  21. Re:You have to be kidding by BasilBrush · · Score: 4, Interesting

    The Path app is not malware. It's still on sale on the App Store, and has 5 times as many five star ratings as any other rating, and literally zero one star ratings. (The possible ratings run from one to five stars.)

    Email addresses were uploaded simply to facilitate a find-my-friends feature of social networking.

    It was a naive implementation, because the same functionality could be achieved simply by uploading hashes of the email addresses. And it was wrong that in earlier versions it didn't explicitly ask the user's permission to upload those email addresses.

    But there's no evidence of malign behaviour. Only behaviour intended to implement the advertised features. Therefore it's not malign software; it's not malware.
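The hash-based friend lookup mentioned in the comment above, as an added example that is not from the thread or from any app's code: the client uploads only SHA-256 digests of normalized addresses and the server matches them against digests of registered users. The `Directory` class, the function names and all addresses are hypothetical and constructed for illustration.

```python
import hashlib


def normalize(email):
    """Canonical form so the same address always yields the same digest."""
    return email.strip().lower()


def email_digest(email):
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


class Directory:
    """Server side: stores digests of registered users' addresses only."""

    def __init__(self):
        self._by_digest = {}

    def register(self, email, user_id):
        self._by_digest[email_digest(email)] = user_id

    def match(self, digests):
        # Digests of non-members match nothing and need not be retained.
        return {d: self._by_digest[d] for d in digests if d in self._by_digest}


def upload_payload(address_book):
    """Client side: what actually leaves the device."""
    return sorted({email_digest(e) for e in address_book})


def find_friends(address_book, directory):
    """Map each address-book entry that belongs to a member to its user id."""
    local = {email_digest(e): e for e in address_book}
    hits = directory.match(upload_payload(address_book))
    return {local[d]: uid for d, uid in hits.items()}


# Limitation: unsalted digests of email addresses can be checked against
# guessed addresses, so this narrows what the server holds rather than
# making the upload anonymous. Private set intersection is the stronger design.

if __name__ == "__main__":
    directory = Directory()
    directory.register("Alice@Example.com", "user-1")   # constructed data
    book = ["alice@example.com", "bob@example.org"]     # constructed data
    print(upload_payload(book))
    print(find_friends(book, directory))
```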