Slashdot Mirror

← Back to Stories (view on slashdot.org)

Accountability, Not Code Quality, Makes iOS Safer Than Android

Posted by timothy on from the well-it-isn't-obscurity dept.

chicksdaddy writes "Threatpost is reporting on a new study of mobile malware that finds accountability, not superior technology, has kept Apple's iOS ecosystem free of viruses, even as the competing Android platform strains under the weight of repeated malicious code outbreaks. Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners told attendees at the SOURCE Boston Conference on Thursday about an empirical analysis of existing malicious programs for the Android and iOS platforms which shows that Google is losing the mobile security contest badly — every piece of malicious code the two identified was for the company's Android OS, while Apple's iOS remained free of malware, despite owning 30% of the mobile smartphone market in the U.S. Apple's special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices."

13 of 210 comments (clear)

  1. what counts as malware.. by gl4ss · · Score: 5, Insightful

    ..and how would they detect it on the ios? they just said that there is _zero_ malware, yet there's plenty of ios games/apps which leak all your contact info?(as is there for android).

    (and the accountability part is that it takes a little more checks to get yourself identified as a publisher for itunes appstore.. however.. it doesn't take that much, there is and has been plenty of unauthorized distribution of asian comics etc there)

    I haven't identified any iOS malware either, but that could be because I haven't looked for any(just not my field).

    --
    world was created 5 seconds before this post as it is.
    1. Re:what counts as malware.. by wvmarle · · Score: 5, Funny

      No, no, no. Totally wrong. If it's reviewed and accepted for listing in the App Store, then it's not malware. So the App Store is by definition 100% malware free. QED.

    2. Re:what counts as malware.. by chrb · · Score: 5, Insightful

      ..and how would they detect it on the ios?

      Good point. The security researchers who identified some of the Android malware visited third party Android app stores and downloaded all of the apps so that they could build up a huge app corpus, which they could then scan (static analysis) for malware suggestive signatures. They stated that they couldn't do the same with the iPhone because Apple prohibits mass downloading of iPhone apps in order to build an iPhone app corpus. So the only people who can look for malware across the whole range of iPhone apps is Apple, and it seems unlikely that they would announce if they found any malware, when they can instead just silently remove it from the app store.

  2. Freedom has it's risks by Zico · · Score: 5, Insightful

    Guess what?! Freedom comes with risks! I don't make any decision until I weigh the pros and cons and do a bit of research, and yes, this includes any and all apps I may want to use.

    1. Re:Freedom has it's risks by squiggleslash · · Score: 5, Insightful

      If you ever feel like it, buy yourself an Android device (one with Google), and actually try buying some software - or even downloading stuff from a third party website and installing it directly.

      You'll notice that "auditing every bit of software (you) install" is ridiculously easy. The installer tells you what rights the app needs when you install it. It's pretty easy to determine that a game does not need to capture your keystrokes, and if a cool tool to change the wall paper needs "access to your Google account" then there's obviously something odd going on.

      If an app doesn't ask for a particular right, Android's security model prevents it from doing whatever it was that required the right in the first place.

      By comparison, as I understand it, I only have Apple's (and a developer's) word that a particular tool for iOS doesn't contain malware. I'm not going to be told what parts of the system it needs to access, I just get a straight "Do you want the advertised features or not?" choice.

      The flaw here is on Apple's side. Both systems require you audit the apps you install. Only Android actually lets you do that.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Freedom has it's risks by QuasiSteve · · Score: 5, Insightful

      It's pretty easy to determine that a game does not need to capture your keystrokes, and if a cool tool to change the wall paper needs "access to your Google account" then there's obviously something odd going on.

      Certainly, but even when setting aside that people ignore this all too easily because they simply want the shiny, your examples are obvious.

      What if a chat app wants access to the internet, your contacts, and your phone?
      Well the internet makes sense - can't very well expect an app that is intended for chatting to not have that connectivity.

      Contacts also makes sense because in combination with the phone, it allows the app to send a text message if you have no internet connectivity or simply choose to use SMS instead of its internet-based chat functionality.

      So you install the app, and the app sends all your text for datamining to China, all of your contacts to some company in Bulgaria, and sends a bunch of texts to expensive SMS service numbers.
      Oh, and it also lets you chat with people, so as far as you know, it's doing exactly as advertised.

      This is no different on any other platform, of course. It may have been different in the early days of the iPhone, but I rather doubt that they still check each and every app before making them available and instead rely on exactly what the article says.. accountability.. you only get away with malware once unless you also manage to fool Apple into allowing you a new account. But to the end-user(s), the damage is already done anyway.

  3. Re:You have to be kidding by mysidia · · Score: 5, Informative

    Since when is the iOS more secure? The latest Android has a very stable code and a solid permission system that allows the user to set exactly what an app can or can't do.

    The reason there are fewer iOS malware infections has to do with something totally separate from security of the device.

    There is a 'more efficient' distribution channel for Android platform malware.

    Developing for the Apple platform requires a security certificate from Apple to sign applications, paying money to apple, signing a contract, and approval from Apple and review to be listed on the pap store, which makes the app store a less efficient means of distributing malware than the Android marketplace.

    An operating system can be extremely insecure, but if there is no useful distribution channel, or no network connection, it is not likely to be infected.

  4. Re:You have to be kidding by DavidRawling · · Score: 5, Interesting

    On the contrary, the user has NO control over app permissions, by default. The app author sets what he/she wants, and the user has the choice of accepting it or finding an alternative. No justification, no ability to say "well I want this useful SSH app but I don't want it reading my contacts, so I'll deny that permission". Yes, there are firewall apps (the permissions are in the OS, why do I need an APP to enforce OS permissions?) and for rooted devices, apps that can tweak permissions. But the default is horribly, terribly broken because most of the power is in the hands of the developers, NOT the users.

  5. Re:You have to be kidding by BasilBrush · · Score: 5, Informative

    Since when is the iOS more secure? ...an OS that can be rooted by a fucking website.

    If that is your measure, the answer to the question you pose is July 15th 2011. That was when the last version of iOS that could be rooted via a website was replaced.

    4.3.3 could be jailbroken via website, 4.3.4 would not.

    5.x has been out since Oct 2011.

    Personally I'd say a better measure is the amount of malware. And on that measure, Android has always been many times worse than iOS.

  6. Re:But the Apple factor? by wvmarle · · Score: 5, Insightful

    Being accountable does help keeping people honest. Knowing you will get away with taking a fistful of dollars from the cash register versus knowing that the management will realise that there is money missing from your cash register makes a big difference.

    Security is all about layers. Accountability is just one of them, and it is an important one.

  7. Re:You have to be kidding by Anonymous Coward · · Score: 5, Insightful

    There's a number of things you're missing. Most importantly: practically everyone would consider trojan horses to be malware, or at least an important security issue. Just because the user checked a box somewhere doesn't mean that trojans don't count.
    Beyond that, trojan horses are due to their very nature less useful in an environment where accountability is higher. This is definitely the case with Apple/iOS, and has lead to a large number of false positives and censorship by Apple, both of which have been discussed at length here on slashdot.
    Thirdly, unlike Android, I haven't seen any major and widely-reported breaches of apple devices, despite widely-available jailbreaking tools. This surprises me quite a bit. According to the iPhone users I've asked about this they claim that the cause is that most jailbreaks these days work through a physical connection (ie. with a computer).

    Android may be more secure in capable hands, but the average user is safer in an environment where available software is code-signed and strictly supervised, either by a single entity such as Apple's iOS market or by the community such as the debian repositories.

  8. Re:You have to be kidding by Anonymous Coward · · Score: 5, Insightful

    Sure, but if the user is asked for every app whether to share data, the act of sharing data then becomes a standard part of the install. Very technically aware users will make use of this, but for most users it's effectively worthless: it's just another mind-numbingly annoying button you click for the app to run, like EULAs almost no one reads. (Just to be clear, I'm not really arguing about Android vs. iOS, I'm just pointing out the generally low value of relying on users giving consent for an install.)

  9. Re:You have to be kidding by chrb · · Score: 5, Interesting

    I don't think that is the reason that we hear more about Android malware, although it may be a factor. The barrier to entry of becoming an iOS developer is: buy a Mac (Intel Mac Mini will do), pay $99, sign up on web site. The barrier to entry of becoming an Android developer is: buy a PC (any will do), pay $25, sign up on web site. You could argue that the cost of a Mac Mini is prohibitive, or that hackers are less likely to own a Mac and begin hacking around on iOS in the first place, but for serious malware authors these are not significant barriers.

    The real reasons that we hear more about Android malware:

    1. Android users can enable installs of apps from non-official markets and random web sites. Many of the reported malware apps come from these kind of sites. But users have to explicitly do this, no phone ships with random web sites enabled as app stores. These same users, having enabled random app sources, then presumably don't bother to check the permissions that the app they install requests.
    2. Android allows apps to send premium rate SMS messages and calls without an explicit popup. I personally think Google should probably kill this ability, but then I never call premium rate numbers. Blocking premium rate texts would kill the profit incentive for most malware. If this were an explicit, in your face, permission or setting (like the big warning for data roaming in settings!), then we wouldn't have seen any premium SMS fraud malware.
    3. Apple marketing is happy for the media to push the "no iOS malware" angle in the same way that they did successfully with "no OS X viruses". It isn't strictly true, but people believe it anyway, and there is a huge class of users who are willing to pay more for the belief that there will be fewer problems in future. Malware that affects a few thousand people really isn't important in the big scheme of things, but it is something that marketing can use to try and differentiate iPhones in the eye of the consumer from very similar and equally capable Android phones.
    4. Apple fans are pushing the "Android is full of malware" meme extensively, even though very few Android users have actually been affected. Is malware an issue that should be dealt with? Yes, but these same Apple fans who argue that Android is "straining under the weight of malware" after a few thousand users have been infected, are also the ones who claim that half a million infected Apple desktops is no big deal.

    History has shown that a monoculture is actually more vulnerable to attack. There were some very skilled virus writers back in the 80s who innovated with polymorphic, anti-virus proof code, hidden boot sector infections etc. For whatever reasons, these kinds of hackers moved on to other projects, and what we see now in the virus/malware sector is mainly an industry driven by financial profit motive. iOS has had root exploits, and getting an app on the iPhone app store isn't that hard. Maybe they scan code and do some static analysis to try and spot dodgy functions, but at least one person has gotten malware into the iPhone app store, so it is certainly possible. I really do think that the only reason this hasn't been done is due to the explicit permission that the iPhone requires to send a premium rate SMS. If people ever start doing widespread banking on the Android/iPhone, or Android/iPhone malware ever becomes a populist hobby again (like viruses of the 80s), then I'm sure there will be more. An X-Prize, designed to stimulate malware production on either platform, would almost certainly produce results.