Apple Cleaning Up App Store After Its First Major Attack
Reuters reports that Apple is cleaning up hundreds of malicious iOS apps after what is described as the first major attack on its App Store. Hundreds of the store's apps were infected with malware called XcodeGhost, which used as a vector a counterfeit version of iOS IDE Xcode.
Things could be a lot worse, though:
Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack. Still, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.
Thirty-one years later, it's still worth reflecting on it.
Then what, pray tell, is the point of Apple's byzantine approvals process?
This shit has got to stop. Either programmers have to stop it, which I doubt can be done, or a lifetime in prison for anybody caught doing this shit.
I'm wondering how these apps made it through in the first place. Apple is known for being strict about vetting apps and what's allowed to enter the walled garden. If so many apps were able to make it past the vetting, it ought to raise concerns about what other malicious apps might be in the app store on a smaller scale. The vetting process probably lulls many users into a false sense of security that any app downloaded is going to be safe because Apple wouldn't let unsafe apps through. Obviously that's not the case, and it's not possible to know before downloading an app whether it's safe or not. Even reputable publishers could be compromised in this way. Although I think the walled garden is actually a good idea, it's obviously not sufficient, and there needs to be other layers of security. As much as I despise most antivirus software, it might be another good line of defense. I'd like to see more about app permissions like the old Android Market listing, and perhaps firewalling and only whitelisting certain sites for apps to connect to. It's reasonable that the browser you download would be able to connect to any site; that game, not so much. What's there now isn't enough and there really is no way for a user to know that an application is safe prior to installing it.
M-I-Z
kU still sucks!
Some Chinese developers downloaded this tainted XCode because of slow download times of XCode from the Mac App Store.
Downloading XCode from the Mac App Store takes nearly a full day!
I think this delivery mechanism of XCode to developers is very crummy and quite a nuisance.
This kind of possible attack is mitigated because after you download an app, it still has no permissions to do anything interesting - access to background location, contacts, camera, audio, etc. all require permissions that prompt the user for access.
So even if someone uses an Xcode that is compromised, there's not very much gain you are going to get by having malicious code in the app except for what that app is working with.
Happily Android has also recently moved to this same "permission on demand" model which makes way more sense than "agree to laundry list of demands to run" ever did.
On a side note, I would think it would be hard for an attack like this to succeed because as a developer builds an app, they are often monitoring network traffic or otherwise examining app activity... even in release mode at times.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Um, Xcode is free.
The only thing you pay for is the $99 to distribute applications (through the App Stores or within your organization) - writing and installing your own applications to your iPhone, iPad, Apple Watch, Mac, etc. are all free.
The issue here appears to be limited to developers that are downloading Xcode from unofficial sources which allows their code to become infected.
I print, therefore I am.
From the article:
The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple's U.S. servers, Olson said.
Really? Really?!?
From the context in the article, it obviously sounds like these were Chinese developers. You click on the Apple app store, and Xcode downloads for free. I'm not sure how it could be easier - if speed was the issue, just update overnight. I can't figure out what the exact angle is, but it just seems too strange for legitimate developers to "innocently" make such a boneheaded mistake.
Or, maybe Chinese developers are so used to just downloading everything illegally that they didn't think twice about this.
Irony: Agile development has too much inertia to be abandoned now.
Apple's no different.
They aren't paywalled.
You can download Xcode for free, and you can install apps you build on your own devices with the same Apple ID
You only pay if you want to distribute the binary to Apple's App Store, or you want to distribute with an Enterprise Developer certificate.
More like, this is exactly why development tools should be paywalled. It may suck to have to vnc into an apple.com-hosted development machine but at least it would close this vector of fake tools.
> urban Seattle, multiple gigabytes can become very expensive to download.
This! We're still updating a dozen dev machines to XCode 6.4 for iOS 9 support. It looks like it is going to take two weeks since we're in Seattle and stuck sharing an ISDN line between almost twenty people. I wish Apple had a solution where you could download the update once then redistribute it.
They aren't. But even if they were why the fuck would this make a difference in this situation?
By that particular definition of 'paywalled', literally *everything* is 'paywalled' for those users, including the official Linux kernel source tree.
If your definition includes *literally* everything that can be downloaded, it probably isn't a useful (or accurate) definition of a paywall.
It's actually version 7.0, and is a 3.59 GB update. With our office dialup at 26k bps, it looks like it is going to take us 17 days per Mac dev system. Seattle sucks.
Wow, weeks. We usually take our systems to N employees house that lives outside of Seattle and has Frontier to update them. It's a huge time waster. It's sad that the city government is so anti-Internet.
I'm the GP. You're right, it is 7.0. The system I checked on wasn't updated, but I thought it was. So, that's one more update that's going to take 3.5 more days to download the upgrade.
Linux source code can legally be downloaded once per neighborhood and sneakernetted from one machine to another. Xcode, being proprietary software, doesn't allow this.
Sign into https://developer.apple.com/do..., and click here
App appers who app apps get apped!
Apps!
how about adding an extra hidden recipient to all your emails?
How would you do that?
The MFMailComposer class window you open tokenizes email recipients for the user, I can't see any way of composing an email that you could not see it was going to more than one person, or that you had pre-populated the "to" or "cc" or "bcc" values with an address they did not know.
You have no control or visibility as to email addresses the user populates in this composer window. The content is totally separated from the other email fields.
The app has no control of what happens when you press send; you cannot inject post-send hooks. The mail server communication does not occur in the same application process.
how about a bank app that transfers money to the malware author instead of the intended recipient?
That's a more realistic scenario for risk I imagine. But also much harder to get through the extensive testing any serious app has; you would see funds were not being transferred to the right account. Also pretty sure any decent banking API would catch the oddity around accounts it requested info for vs. account numbers you said to transfer to.
There are a lot of layers any such attack would have to go through, in the end scrubbing out anything much useful (which is what we see with the results). I'm not saying there's no risk, I'm saying that the system as a whole does a good job of having enough layers of security that it's very hard to get something really malicious in place.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
One thing I meant to add is; because all the interesting attacks happen around what the application actually does, you have to ask is the attack easier to perform through Xcode, or attacking the server the app communicates with. Just like in a bear attack you only need to run faster than the person you are hiking with, to avoid a security breach you just have to be more secure than the server you work with.
For any given attack (like trying to attack a bank app) why would it not be lots simpler to hack the website, or API server? If you get in you get everything, not just one version of the app. It's way easier to hack a website than to do a custom build of Xcode, find a developer system and social engineer them to install some kind of malicious alteration.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Why the fuck is Seattle like a 3rd world country? Well, at least McDonald's employees make 15$ an hour tho!
Yea, developers don't do that unless they have a reason to believe something is wrong.
When you are developing there is ALWAYS something wrong. I have used web proxies and other performance monitoring tools, not to mention the debugger, countless times during the development process because I have to figure out why any one of a hundred things are wrong/slow/simply not working.
That's especially true with any software that needs to talk to a server, which is pretty much any app these days. Even if there's not a bug you use web proxies to verify it's sending what you think it is sending, or to show the server guys who generally do not believe you anything can be wrong with the server the exact traffic going to and from servers.
When you are in the debugger the whole app is halted, with the stack traces of all threads visible...
Not impossible to hide something in there, no, but it all adds to the difficulty.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Generally I'd agree with you.
But the prompting on iOS is clear enough that many people actually do click no - especially for things like location, which people know uses battery. Or contacts, which is very easy to say "no application you do not need to see my contacts".
And again, all this prompting happens at the time the resource is requested. So if permission is asked for later it's especially odd.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
You can easily download Xcode, put it on a USB stick, and share it with others. I do that with every build. Using a modern USB3 memory stick it will copy fairly rapidly.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
No one seems to be asking the question: is this an attack sponsored by the US government in retaliation for Apple's position on encrypting their iPhones? The NSA lost a very effective intelligence asset. Don't you think they would want another way into Apple's iPhone networks?
No, I don't often wear an aluminum foil hat, but when I do I prefer Reynolds.
Just move. Most of the people here don't like the Internet so things are not going to improve. I'm looking for a job somewhere I can get decent access.
There you go - you can pay someone $15.01/hr to, instead of working at McDonald's, sneakernet your Xcode.
> This! We're still updating a dozen dev machines to XCode 6.4 for iOS 9 support. It looks like it is going to take two weeks since we're in Seattle and stuck sharing an ISDN line between almost twenty people. I wish Apple had a solution where you could download the update once then redistribute it.
They do, if, you know, you would bother to look in the "downloads" section of your developer account.
"Downloading XCode from the Mac App Store takes nearly a full day!" I get it and the accessory files in about an hour. YMMV but a day? Where?
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
You can just package up Xcode.app and distribute it on floppy... er, USB key. It's not that hard. The betas are packaged as DMGs, which are also easy to pass around.
If you know so little about how to do basic file management on a Mac, perhaps you shouldn't be developing apps.
You're an iOS developer and you weren't aware XCode7 came out when there were betas available to registered devs all summer? Yeah, sounds like you're pretty serious about app development...
Wasn't there a slide in one of the leaked "Snowden" documents about the NSA wanting to hack xcode to sneak data collection tools into apps....
"I wish Apple had a solution where you could download the update once then redistribute it." They do. Two in fact. Once it's on your own network, use Caching Server inside OS X Server. $20. Worth the savings in aspirin alone. Or ARD. Similarly cheap. Outside of Apple, sneakernet. Store apps like XCode only care that you bought them and that they are intact on the drive. I did this for several large in-the-store, non-installer-based, free-with-OSX apps (GarageBand, iMovie) in a building that shared a 10-base fiber link across 18 machines and I wanted to get home for dinner.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
He said Chinese developers so I am assuming China.
It is free if you have a Mac. So it is "free".
Serious question here...
How did they know information wasn't sent random places?
> Some Chinese developers downloaded this tainted XCode because of slow download times of XCode from the Mac App Store.
> Downloading XCode from the Mac App Store takes nearly a full day! I think this delivery mechanism of XCode to developers is very crummy and quite a nuisance.
Maybe it's an effect of the Great Firewall? My understanding is that Internet throughput in China (especially for inbound traffic) is very unpredictable with speed varying not only across time but also on physical location.
China. Connected to the outside world can sometimes be very slow. Like kbps slow. Especially when it's for downloading updates on a secure connection. Sometimes if a major event happened and they don't want the news to spread secure connections literally stop working.
I think he meant free as is in "Xcode has such a great GUI builder with a great IDE that has great features vi and emacs lack, that it frees me up to do other things in my job/life." As the old Jamie Zawinski saying goes "Linux is only free if your time has no value."
> The only thing you pay for is the $99 to distribute applications...
$99/year, *every* year. If you stop paying, your app is *removed* from the App Store (but not people's iDevices!). This makes creating a free app for iDevices a *bit* more expensive than it should be.
I wonder if it would be possible for XCode to compute a hash of system libraries / executables that is then embedded into the App binary. Apple could then check this hash against what it should be and reject any app that was compiled with a bogus version of XCode or system libraries.
Might not stop everything... but it could be a start.
Does Apple actually allow you to run an app on your own iDevice without paying the $99 fee? I thought you had to pay it even if you were developing and testing on your own iDevice, not just if you wanted to distribute it.
No more, they made the change earlier this year (I think at the last WWDC) and also combined the different developer programs so you don't need to pay a separate iOS and Mac developer (distribution) fee. So now you can just download the free Xcode software and compile and install to your own devices/computers without paying a penny to Apple.
I print, therefore I am.
I think it was 10-15 minutes for me. But I digress...
If these people were able to download the infected alternative faster than from the App Store, then the real question is why? Is this a consequence of the Chinese government's internet interference?
> If these people were able to download the infected alternative faster than from the App Store, then the real question is why? Is this a consequence of the Chinese government's internet interference?
I was just discussing this on G+, and that's the claim, all right. Which makes you wonder, was this hack by the Chinese government? Or just someone taking advantage of the situation they've created by leaning on their people so hard and denying them any and all freedoms which might be the slightest bit inconvenient for the power elite?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If Apple had PGP-signatures on it, and the developers verified them, it would not matter where they got the XCode package. But yes, the slow download is a risk in itself, namely incompetent people taking shortcuts like happened here.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Xcode is signed. However, you can turn off Gatekeeper or temporarily override it while you run Xcode for the first time.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
Xcode is signed and Gatekeeper warns about a corrupted binary. The issue is that these developers that were infected intentionally disabled Gatekeeper checks so they could run the infected Xcode.
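The Gatekeeper check these comments refer to, as an added example that is not part of the original thread: a shell gate for a mirrored or USB-copied Xcode.app that accepts it only when `spctl --assess --verbose` reports both an accepted verdict and an Apple source. The function names, the sample outputs and the list of expected source strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: accept a copied Xcode.app only if Gatekeeper's assessment
# names Apple as the source. "accepted" alone is not enough, because a bundle
# signed by some other valid Developer ID is also reported as accepted.

# Constructed sample outputs in the two-line shape `spctl --assess --verbose` prints.
SAMPLE_APP_STORE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_DEV_SITE='/Applications/Xcode.app: accepted
source=Apple'
SAMPLE_OTHER_SIGNER='/Volumes/USB/Xcode.app: accepted
source=Developer ID'
SAMPLE_REJECTED='/Volumes/USB/Xcode.app: rejected
source=no usable signature'

# classify_assessment OUTPUT
# Prints OK:<source> or FAIL:<reason>; returns 0 only for an Apple-sourced bundle.
classify_assessment() {
    _verdict=""
    _source=""
    # Walk the output line by line; the text is only matched, never evaluated.
    while IFS= read -r _line; do
        case "$_line" in
            *": accepted") _verdict="accepted" ;;
            *": rejected") _verdict="rejected" ;;
            source=*)      _source="${_line#source=}" ;;
        esac
    done <<EOF
$1
EOF
    # Anything other than an explicit "accepted" fails closed
    # (rejected, missing verdict, error text).
    if [ "$_verdict" != "accepted" ]; then
        echo "FAIL:not-accepted"
        return 1
    fi
    # Assumed allow-list: the sources expected for Xcode obtained from the
    # Mac App Store or from Apple's developer site.
    case "$_source" in
        "Mac App Store"|"Apple"|"Apple System")
            echo "OK:$_source"
            return 0 ;;
        *)
            echo "FAIL:unexpected-source:${_source:-none}"
            return 1 ;;
    esac
}

# check_bundle PATH
# Runs the real assessment on macOS and classifies it; returns 2 where spctl is absent.
check_bundle() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "SKIP:spctl-not-found"
        return 2
    fi
    # Capture both streams; spctl exits non-zero when it rejects the bundle.
    _out=$(spctl --assess --verbose "$1" 2>&1 || true)
    classify_assessment "$_out"
}

# Usage: sh check_xcode.sh /Volumes/USB/Xcode.app
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

Run it against the copy before first launch, with Gatekeeper left enabled; a copy that needs Gatekeeper switched off to start is the case the comments above describe.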
This is exactly why development tools shouldn't be paywalled. Your fault, Apple!
Today I learned that $0 is a paywall!
No wonder things are so expensive!
> Does Apple actually allow you to run an app on your own iDevice without paying the $99 fee? I thought you had to pay it even if you were developing and testing on your own iDevice, not just if you wanted to distribute it.
Yes it does.
And as of iOS9 you can side load apps onto your device without paying as long as you build from source.
It doesn't mean that there's no value in imperfect security. Apple's walled garden failed in this attack, but it succeeded in thousands of other cases. The infected apps will be removed from devices and the app store, the hole will be closed.
The answer is NOT to present customers with fourteen more layers of pop-ups and train users to just hit 'accept' on everything. The answer is NOT to load down our mobile devices with anti-virus software, most of which are worse than most viruses. The answer is NOT to expect users to become experts on technology.
Those are the failed ideas and policies of the Windows world. Android is trying hard to make most of the same mistakes. They are horrible, horrible, ideas and it's scary that there are some in the tech community that are still advocating them.
Apple's current model IS the answer. Just look at the stats of malware/virus infections of Apple devices vs. Windows or Android. But nothing is perfect, there are going to be occasional infections.
I would hope that a developer would know better than to allow an allegedly Apple-published app to continue to run when Apple's own security measures are warning you about it.
But then I remember that most software developers are complete knobs.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
They do.
Download Xcode.app, don't run it after it downloads. Copy Xcode.app to other machines via USB key. It self-installs the first time you run it.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
> Xcode is signed and Gatekeeper warns about a corrupted binary. The issue is that these developers that were infected intentionally disabled Gatekeeper checks so they could run the infected Xcode.
So were they unwitting participants in the scheme; or was this the Developers' plan all along, and they just got caught?
that Apple switched from GCC to LLVM specifically to avoid copyleft.
Yea, they wanted an open source compiler instead of the GPL crap. So they went from GPL to BSD ... are you seriously trying to claim thats proprietary? If so you're just making yourself look retarded. Not stupid, flat out retarded.
You probably meant "Xcode is free as in without charge." That's true if your home Internet lacks a quota or has dozens of GB per month.
Apple will allow you to download it in their stores for free.
But if you're stuck behind cellular or satellite Internet, such as in a rural area or urban Seattle, multiple gigabytes can become very expensive to download.
And that changes any of this how? Regardless of where you download it from, you're going to be downloading it and that's going to cost. You've not described anything that justifies downloading it from someone other than the source.
You're just a shitty hater, you can't even find actual flaws to pick on.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
The critical consideration is whether the company that operates the store invests enough money to maintain a high level of QA. Apple makes that investment (even for free apps) because it helps with sales of hardware (which is where they make all the money) and thus can be subsidized by hardware sales.
Apple will allow you to download [Xcode software] in their stores for free.
Is this true only of Apple's own stores or also of independent Apple authorized dealers?
Regardless of where you download it from, you're going to be downloading it and that's going to cost.
There's a difference between downloading what you need and downloading it all. Or has Xcode been factored into components that can be downloaded and installed as needed? And there's also a difference between downloading once for a neighborhood or office and downloading once for each Licensed Computer.
Xcode is free.
Since when? I thought it was proprietary software, that Apple switched from GCC to LLVM specifically to avoid copyleft.
You probably meant "Xcode is free as in without charge." That's true if your home Internet lacks a quota or has dozens of GB per month. But if you're stuck behind cellular or satellite Internet, such as in a rural area or urban Seattle, multiple gigabytes can become very expensive to download.
Now you're just TRYING to find excuses to justify your "Not REALLY Free" assertion.
It is as free as Apple can reasonably make it.
Or perhaps you'd like to go back to the bad old days when you had to have a REALLY expensive Subscription (IIRC, it started at $500/yr... and UP!) to get the Monthly Developer CDs mailed to you.
So, by your estimation, and your point of view, is there really ANY truly free software on this planet?
> urban Seattle, multiple gigabytes can become very expensive to download.
> This! We're still updating a dozen dev machines to XCode 6.4 for iOS 9 support. It looks like it is going to take two weeks since we're in Seattle and stuck sharing an ISDN line between almost twenty people. I wish Apple had a solution where you could download the update once then redistribute it.
They do. And if you were even a marginally-competent Developer, you'd already have figured it out.
All that is happening is that a .pkg file is being downloaded. It's not rocket surgery.
Go somewhere that has reasonable internet, download the .pkg file, put it on a local network resource or even a fast USB Stick or portable drive, and VOILA!
Heck, if you would get a crowbar into your wallet and pry out $70, you could do it all from a central location using Apple Remote Desktop. Of course, if your Dev. machines are spread out all over the place, then you fall right back into the slow internet thing. But if they are all in and around Seattle, then sneakernetting a copy of the XCode .pkg bundle around town may be faster than dealing with multi-day downloads...
For applications obtained through an App Store, the ISP can bill each person who downloads a copy the full cost of downloading one copy. If 25 people in a neighborhood or office each download one copy, the ISP charges for 25 copies.
For applications distributed under a license permitting redistribution, be it a free software license or not, a user can legally download one copy and sneakernet it to the rest of the neighborhood or office. This amortizes the cost of downloading over an entire neighborhood or office. If it can be shown that Apple permits redistribution of unmodified Xcode software to other Mac owners, I hereby retract my prior claim.
> The only thing you pay for is the $99 to distribute applications...
$99/year, *every* year. If you stop paying, your app is *removed* from the App Store (but not people's iDevices!). This makes creating a free app for iDevices a *bit* more expensive than it should be.
So charge $1.30 for it, and if 100 people buy it a year, then your Dev. license is essentially free.
If people won't pay less than a large coffee at the gas station for your work, then it must be pretty sucky. Personally, I'm not rolling in money; but I will drop up to $5 for an app that I'm even mildly interested in.
If you feel like being altruistic and charging zero for your time and effort, then don't whine about incidental costs you incur along the way.
Apple charges that $99 not because it fills their coffers with significant cash; but because it HELPS keep people who are not serious about creating Apps out. Yes, even fart Apps.
XCode could care LESS
It's not about what the Xcode software technically implements. It's about what a BSA audit could uncover. True, the bits of a licensed copy of Xcode downloaded from Apple are exactly the same as the bits of an infringing copy obtained through sneakernet. But an audit would uncover that the bits are a different color, and Apple has the right to sue over the use of incorrectly colored bits. Bit color is a legal construct, not a technical construct. This might be discovered if someone in your office is discovered to be using Xcode on a computer for which no successful Xcode installation is recorded in Mac App Store.
Just because something isn't Open Sores, doesn't mean that it's DRMed.
Nor does just because something isn't subject to technical DRM mean it's legally free to redistribute to all comers.
> Does Apple actually allow you to run an app on your own iDevice without paying the $99 fee? I thought you had to pay it even if you were developing and testing on your own iDevice, not just if you wanted to distribute it.
The only time you have to pay $99 is to be able to SUBMIT Apps. With Ad Hoc Provisioning, besides being able to "Distribute" to yourself, you can even Distribute to up to 100 iOS Devices directly without involving the $99.
It's a pretty well-thought-out system, actually.
Other than laziness there is no good reason for people to get their Xcode anywhere else than apple (as Xcode is a free download).
I wonder if this was part of a Hackintosh set of software, a Hackintosh being Mac OS X running on non-Apple hardware.
Apple DOES offer hashes/signatures on their regular Downloads; but not for stuff that is distributed through the App Store (which XCode now is).
Xcode is also available as a download from Apple's developer site. The App Store is not required. This developer site is where access to beta versions and "golden masters" may be found. These allow developers to target an upcoming iOS version many months prior to an iOS update and to build and submit to the app store an app built with the official public version of Xcode immediately prior to the iOS update in order to be available on launch day. Plus legacy versions of Xcode are also available in case someone needs one to debug on an older version of iOS. For example Xcode 7 only includes simulators for 9.0, 8.4, ... 8.1.
It seems that one of the affected parties was Tencent, hardly a small developer and unlikely to be using "dodgy" versions of XCode.
Actually it's entirely plausible, even likely, that large developers keep Xcode downloads on their local servers for their internal developers. Or have standard suites of software including Xcode that corporate IT puts on internal developer machines. One would only need to infect the Xcode on the server or in this standard suite.
Back during the days of the 3GS, I identified an app in the App Store that was finding ways to hijack passwords. I spent a long time on the phone with Apple, at different times, and they cleverly danced around the issues. It was as if they were purposefully stalling, in hopes I would get frustrated and give up--which I did. So the above doesn't surprise me -- though, I still feel the Apple App Store is far safer than the Droid equivalent.
On the bright side, your 17 Meg file should be done copying by then.
I am wondering the same thing.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
So a piece of "news" does mention about lists several times, but where the fuck are they?
I'll be willing to bet iOS7 isn't affected. Back then apps couldn't talk to each other as easily..
People don't care about any of this bullshit when they are buying a new phone. They just want to know if it will make their friends jealous.
There's nothing magical about being community operated. There are a lot of community operated app stores doling out metric tons of malware right now on Android, Windows, and jailbroken iOS.
Sure, it's possible for a small community to create a clean and well maintained app store--but who certifies which 'community app stores' are clean and well maintained? If your answer is 'the end customer' then that puts us right back where Windows and Android are--you have to be an expert to use your phone. It is a failed system. You know what is an outrageously successful system? Apple's walled garden. I've yet to hear an alternative that wasn't just a thin repackaging of the failed Windows and Android app ecosystems.
Any malware statistics you can find show that iOS has dramatically less malware than Windows or Android.
Amazon's store is fine, but it doesn't matter if one store is okay. You need devices locked to only the "safe stores" or you need customers to be really careful about which stores they download apps from. So, basically, you either need a walled garden model or tech savvy users. Since the whole point of the discussion is how to safely roll out smartphone tech to everyone then the latter option is not really an option.
QED.
malware on iOS. There have been something like 6 total reported cases in iOS history where something slipped past the checks--all of those were pretty much immediately removed.
The XCodeGhost was a new attack vector and managed to infect many apps. Those apps will also be cleaned up and that attack vector will be eliminated.
It is just patently false to claim that the walled garden approach doesn't work. It's the only thing that does work. You are being intellectually dishonest.
I don't understand what you are talking about. The only difference is that Apple makes it very hard to load apps except through their curated store; specifically to avoid creating additional attack vectors.
Security isn't about perfection. It never has been ever before in the history of mankind. The average Apple user is much less likely to experience malware than the average Android or Windows user--that's not something I'm willing to debate anymore than I'm willing to debate whether 2+2=4--the statistics are out there and they are compelling.
I think the problem here is that you don't understand technology. Probably because you're 14.
1. Apple doesn't make money off of apps, they make money by selling hardware. Their only interest in having a locked down app-store is so that iOS will be perceived as the "safe, virus & malware-free approach". I know it's really hard to understand how a company can make money by selling real physical objects because we've all been so conditioned into thinking that you can only make money off of software and ads.
2. iOS is a gigantic market. Android has more users but those users don't have any money. Dramatically more money is spent by iOS users (on apps and everything else) than by Android users. You are incredibly naive to think that iOS is not a big enough target for virus/malware authors.
3. This is how I know you're a child, because you think that if there's a tiniest chink in the armor then the armor is useless. It's really common for kids to have this perception because their brains are under-developed, can't see shades of gray, and thus can't comprehend that there can be a lot of value to imperfect security. Hopefully at some point in your intellectual development you'll understand that ALL SECURITY IS IMPERFECT. As of right now your brain is just not capable of processing that.