Accountability, Not Code Quality, Makes iOS Safer Than Android

Posted by timothy
from the well-it-isn't-obscurity dept.
chicksdaddy writes "Threatpost is reporting on a new study of mobile malware that finds accountability, not superior technology, has kept Apple's iOS ecosystem free of viruses, even as the competing Android platform strains under the weight of repeated malicious code outbreaks. Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners told attendees at the SOURCE Boston Conference on Thursday about an empirical analysis of existing malicious programs for the Android and iOS platforms which shows that Google is losing the mobile security contest badly — every piece of malicious code the two identified was for the company's Android OS, while Apple's iOS remained free of malware, despite owning 30% of the mobile smartphone market in the U.S. Apple's special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices."

  • by Anonymous Coward on Saturday April 21, 2012 @09:34AM (#39755389)

    Since when is the iOS more secure? The latest Android has a very stable code and a solid permission system that allows the user to set exactly what an app can or can't do. This in contrast to an OS that can be rooted by a fucking website.

  • by gl4ss (559668) on Saturday April 21, 2012 @09:35AM (#39755395) Homepage Journal

    ..and how would they detect it on the ios? they just said that there is _zero_ malware, yet there's plenty of ios games/apps which leak all your contact info?(as is there for android).

    (and the accountability part is that it takes a little more checks to get yourself identified as a publisher for itunes appstore.. however.. it doesn't take that much, there is and has been plenty of unauthorized distribution of asian comics etc there)

    I haven't identified any iOS malware either, but that could be because I haven't looked for any(just not my field).

  • by Zico (14255) on Saturday April 21, 2012 @09:37AM (#39755407)

    Guess what?! Freedom comes with risks! I don't make any decision until I weigh the pros and cons and do a bit of research, and yes, this includes any and all apps I may want to use.

  • by ircmaxell (1117387) on Saturday April 21, 2012 @09:42AM (#39755441) Homepage
    This. Very much this.

    This article is pure FUD. Plain and simple.

    Malware, by its very definition [us-cert.gov] is:

    "Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent."

    Android requires that you give consent, since it tells you what permissions the application needs prior to installing it. So by very definition, these data leakages on Android are not malware. The user said it was ok for that application to collect that data.

  • by Anonymous Coward on Saturday April 21, 2012 @09:44AM (#39755457)

    Freedom has little risks compared to looking to be "taken care of".

  • by vakuona (788200) on Saturday April 21, 2012 @09:47AM (#39755477)

    And that is why the Android model is flawed. Not fatally mind you, but flawed nonetheless.

    You can't expect people to have to audit every bit of software that they install on their smartphone. In fact, it ought to be reasonable for users to expect software they download off the official repositories (App Store, Market) to be malware free.

    And yes freedom comes with risks. But freedom also allows users to choose a phone that doesn't require them to expend more effort than necessary to be able to do what they require. Don't forget, a smartphone is a luxury, not a necessity.

  • by Anonymous Coward on Saturday April 21, 2012 @09:50AM (#39755505)

    and what percentage of phones out there have the latest Android release? My Galaxy S2 is still waiting...

  • by Sponge Bath (413667) on Saturday April 21, 2012 @09:57AM (#39755569)

    I would not be so quick to label it Apple Fanboy.

    FTA: "despite accounting for <strike>more than 40%</strike> 30% of the same market."

    Seems like a jab at falling market share. I think the real motivation behind the article is inflammatory statements to get views.

  • This just in (Score:5, Insightful)

    by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Saturday April 21, 2012 @09:57AM (#39755571) Journal

    Crushing authoritarianism leads to lower crime, worth the misery? Film at 11.

  • by Anonymous Coward on Saturday April 21, 2012 @09:59AM (#39755579)

    Could you post the link, please? Seriously. I have an iPhone 3GS which I want to jailbreak to use with another phone carrier, but it has been updated to iOS 5.1 and nothing I find (whited00r, redsn0w, tinyumbrella etc) seems to work. The most I've been able to do is make the phone boot with a non-working 3G/Wifi radio, which defeats the device being a mobile. Fucking Apple support doesn't want to make it free, and my old operator says it has been freed (my ass).

    Please, post the link, it would have saved me a week of failed hacking attempts so far!

  • by Clsid (564627) on Saturday April 21, 2012 @10:00AM (#39755583)

    Call it whatever you want, but we just got the first major malware outbreak in OS X recently after so many years. On the iPhone that is unheard of. Much as in the Windows world and the much hated Vista security system that kept asking you, do you want to do this, or allow that?, that security model is fail since regular users will start saying yes to everything and then end up with a problem. Call Apple what it is, an overpriced hardware/software company that likes to keep the lid closed, but as far as their products running trouble free in general, I will have to agree with the article. But hey, everybody is free to think whatever they want.

  • by squiggleslash (241428) on Saturday April 21, 2012 @10:10AM (#39755647) Homepage Journal

    If you ever feel like it, buy yourself an Android device (one with Google), and actually try buying some software - or even downloading stuff from a third party website and installing it directly.

    You'll notice that "auditing every bit of software (you) install" is ridiculously easy. The installer tells you what rights the app needs when you install it. It's pretty easy to determine that a game does not need to capture your keystrokes, and if a cool tool to change the wall paper needs "access to your Google account" then there's obviously something odd going on.

    If an app doesn't ask for a particular right, Android's security model prevents it from doing whatever it was that required the right in the first place.

    By comparison, as I understand it, I only have Apple's (and a developer's) word that a particular tool for iOS doesn't contain malware. I'm not going to be told what parts of the system it needs to access, I just get a straight "Do you want the advertised features or not?" choice.

    The flaw here is on Apple's side. Both systems require you audit the apps you install. Only Android actually lets you do that.

  • by Black Parrot (19622) on Saturday April 21, 2012 @10:18AM (#39755695)

    "This article is pure FUD. Plain and simple."

    Can't imagine that a company called "iSEC" would be biased on this matter.

  • by QuasiSteve (2042606) on Saturday April 21, 2012 @10:31AM (#39755743)

    "It's pretty easy to determine that a game does not need to capture your keystrokes, and if a cool tool to change the wall paper needs "access to your Google account" then there's obviously something odd going on."

    Certainly, but even when setting aside that people ignore this all too easily because they simply want the shiny, your examples are obvious.

    What if a chat app wants access to the internet, your contacts, and your phone?
    Well the internet makes sense - can't very well expect an app that is intended for chatting to not have that connectivity.

    Contacts also makes sense because in combination with the phone, it allows the app to send a text message if you have no internet connectivity or simply choose to use SMS instead of its internet-based chat functionality.

    So you install the app, and the app sends all your text for datamining to China, all of your contacts to some company in Bulgaria, and sends a bunch of texts to expensive SMS service numbers.
    Oh, and it also lets you chat with people, so as far as you know, it's doing exactly as advertised.

    This is no different on any other platform, of course. It may have been different in the early days of the iPhone, but I rather doubt that they still check each and every app before making them available and instead rely on exactly what the article says.. accountability.. you only get away with malware once unless you also manage to fool Apple into allowing you a new account. But to the end-user(s), the damage is already done anyway.
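
The install-time permission review debated in the two comments above, as an added example that is not part of either poster's comment: it flags permissions outside a category baseline, then lists what the granted set makes possible even when nothing looks unusual. It assumes a manifest already decoded to text XML (APKs ship it in binary form) and hypothetical per-category baselines; both manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: hypothetical per-category baselines chosen for this example.
EXPECTED = {
    "wallpaper": {"SET_WALLPAPER"},
    "chat": {"INTERNET", "READ_CONTACTS", "SEND_SMS"},
}

# Permission sets that enable abuse even when each one looks reasonable.
CAPABILITIES = {
    frozenset({"INTERNET", "READ_CONTACTS"}): "contacts can leave the device",
    frozenset({"SEND_SMS"}): "can send SMS, including to premium-rate numbers",
}

def requested_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries."""
    root = ET.fromstring(manifest_xml)
    names = (n.get(ANDROID_NS + "name", "") for n in root.iter("uses-permission"))
    return {name.rsplit(".", 1)[-1] for name in names if name}

def audit(manifest_xml, category):
    """Flag permissions outside the category baseline and list what the
    granted set makes possible, whether or not it looks unusual."""
    perms = requested_permissions(manifest_xml)
    unexpected = sorted(perms - EXPECTED.get(category, set()))
    capabilities = sorted(w for combo, w in CAPABILITIES.items() if combo <= perms)
    return {"unexpected": unexpected, "capabilities": capabilities}

# Constructed sample manifests (decoded text form, not taken from real apps).
WALLPAPER_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""

CHAT_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for label, text, category in [("wallpaper", WALLPAPER_APP, "wallpaper"),
                                  ("chat", CHAT_APP, "chat")]:
        print(label, audit(text, category))
```

The wallpaper app is caught by the baseline check; the chat app passes it, and only the capability list shows what its granted permissions allow.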

  • by wvmarle (1070040) on Saturday April 21, 2012 @10:36AM (#39755767)

    Being accountable does help keeping people honest. Knowing you will get away with taking a fistful of dollars from the cash register versus knowing that the management will realise that there is money missing from your cash register makes a big difference.

    Security is all about layers. Accountability is just one of them, and it is an important one.

  • by BasilBrush (643681) on Saturday April 21, 2012 @10:39AM (#39755783)

    As a rule of thumb:

    Uploading your contact data for the purposes of expected social connections within the app is not malware. It's not the way it should be done, and poses a security risk if the server is compromised. But there is no mal-intent there. Nevertheless such practice is now explicitly banned without asking the user's permission via a dialog at the time.

    Uploading your contact details to a server for the purposes of mailing lists, tracking outside of the intended application domain would be malware.

    The former is what was flagged up for iOS.

    Android meanwhile suffers from both, and much, much worse, such as malware sending premium rate SMSs, thus potentially causing users severe financial losses.

  • by BasilBrush (643681) on Saturday April 21, 2012 @10:45AM (#39755825)

    "Guess what?! Freedom comes with risks! I don't make any decision until I weigh the pros and cons and do a bit of research, and yes, this includes any and all apps I may want to use."

    That's a pretty high cost. A bit like living in a ghetto, and having to consider your personal safety every time you go out, versus living in a nice, safe, pleasant community.

  • by Anonymous Coward on Saturday April 21, 2012 @10:48AM (#39755839)

    There's a number of things you're missing. Most importantly: practically everyone would consider trojan horses to be malware, or at least an important security issue. Just because the user checked a box somewhere doesn't mean that trojans don't count.
    Beyond that, trojan horses are due to their very nature less useful in an environment where accountability is higher. This is definitely the case with Apple/iOS, and has led to a large number of false positives and censorship by Apple, both of which have been discussed at length here on Slashdot.
    Thirdly, unlike Android, I haven't seen any major and widely-reported breaches of apple devices, despite widely-available jailbreaking tools. This surprises me quite a bit. According to the iPhone users I've asked about this they claim that the cause is that most jailbreaks these days work through a physical connection (ie. with a computer).

    Android may be more secure in capable hands, but the average user is safer in an environment where available software is code-signed and strictly supervised, either by a single entity such as Apple's iOS market or by the community such as the debian repositories.

  • by Anonymous Coward on Saturday April 21, 2012 @10:48AM (#39755843)

    Sure, but if the user is asked for every app whether to share data, the act of sharing data then becomes a standard part of the install. Very technically aware users will make use of this, but for most users it's effectively worthless: it's just another mind-numbingly annoying button you click for the app to run, like EULAs almost no one reads. (Just to be clear, I'm not really arguing about Android vs. iOS, I'm just pointing out the generally low value of relying on users giving consent for an install.)

  • by chrb (1083577) on Saturday April 21, 2012 @11:15AM (#39756025)

    "..and how would they detect it on the ios?"

    Good point. The security researchers who identified some of the Android malware visited third party Android app stores and downloaded all of the apps so that they could build up a huge app corpus, which they could then scan (static analysis) for malware suggestive signatures. They stated that they couldn't do the same with the iPhone because Apple prohibits mass downloading of iPhone apps in order to build an iPhone app corpus. So the only people who can look for malware across the whole range of iPhone apps is Apple, and it seems unlikely that they would announce if they found any malware, when they can instead just silently remove it from the app store.

  • by kthreadd (1558445) on Saturday April 21, 2012 @11:17AM (#39756039)

    I like Android, but what has kept me away from it is that I have not found an Android phone that consistently gets new updates after they are released for a long period of time. Sure, Apple makes mistakes like this but the important thing is that they shipped an update and basically all affected phones got it even if they were a couple of years old.

    Let's say that the same thing happened to Android. How large a percentage of Android phones would even get the update at all?

  • by mkraft (200694) on Saturday April 21, 2012 @11:41AM (#39756201)

    I'm not sure why this was modded insightful, let alone +5 since if you read TFA you'd know that they weren't saying that iOS is more secure, only that there are virtually no delivery mechanisms for malware because of Apple's app store policies of requiring real world identification of an app author to publish apps in the app store. That and iOS apps are more restricted in what they can do over Android apps.

    That's the problem when articles like this hit Slashdot. Rabid fanboys (Apple and Google) start posting without even reading the article. The same thing with modders.

  • by BasilBrush (643681) on Saturday April 21, 2012 @11:46AM (#39756231)

    You CHOSE to upgrade your iPhones to the latest iOS version, that iOS version wasn't supported by the version of iTunes you had on your computer, so you CHOSE to upgrade iTunes too.

    The fact that one software product is only compatible with certain version numbers of another software product doesn't make for a forced upgrade.

  • by MacDork (560499) on Saturday April 21, 2012 @12:12PM (#39756383) Journal

    What about the Path app? [arstechnica.com] It would steal your address book and private photos. It's recent and very high profile. That's not malware?

    I find it very suspicious that their "empirical analysis" didn't uncover a single bit of "malware" on iOS. Mod article Troll.

  • by Deorus (811828) on Saturday April 21, 2012 @12:21PM (#39756439)

    Wow! What a fair and unbiased comparison! A year old iOS version that anyone with an at least 3 year old iPhone could and should have upgraded from, versus the latest Android version that most people can't upgrade to! Rated Insightful, of course, because there's a lot of circle jerk insight in that nonsense of a post!

    This is not even to mention that the article has nothing to do with the security of the platform itself but rather its exposure to malware, but hell, let us make it about security and debate the merits of each platform, shall we?

    I find it interesting how ignorant some Android fanboys are regarding iOS' sandbox, which is extremely restrictive and does not, by design, allow apps to do anything too fishy even if all permissions are granted. At most an app may be able to pull up your contacts without your permission or access call information, but not much beyond that without the user being notified unless they pierce through the sandbox. An app can't keep itself running in the background for longer than 10 minutes (unless specific profiles that permit so are chosen and approved by Apple for each app), run any kind of code not present during the approval process (meaning it's not OK to download code unless it's an in-app purchase, which may be free, and this includes interpreting code other than HTML and Javascript on Safari, which is why emulators are not permitted), launch or interact directly with other applications unless they register themselves as resource handlers (even running a secondary executable within your own application will result in iOS completely obliterating it without even bothering to inform any attached debuggers of what happened).

    In essence, the article hits the spot by claiming that it is the screening process and its walled gardens that keep the nastiness away. It's simply not worth developing malware for iOS, you don't have much to gain by doing it, either you pierce through the sandbox and your app will be rejected (with potential consequences to your developer and / or publisher certificates) or you can be easily detected by any user. There are exceptions, of course, but compared to Android, they are very few in number.

  • by Tore S B (711705) on Saturday April 21, 2012 @02:37PM (#39757355) Homepage
    Actually, human beings are social animals, and accountability can actually worsen security if it weakens a perception of a bond of trust, which might very well be more effective. Accountability can be circumvented, expectations of honesty cannot. In terms of the cash register, keeping the balance is probably a good idea, but there are other situations and I just wanted to nuance this very American notion that interpersonal trust is equal to weakness.
