
Accountability, Not Code Quality, Makes iOS Safer Than Android

Posted by timothy
from the well-it-isn't-obscurity dept.
chicksdaddy writes "Threatpost is reporting on a new study of mobile malware that finds accountability, not superior technology, has kept Apple's iOS ecosystem free of viruses, even as the competing Android platform strains under the weight of repeated malicious code outbreaks. Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners told attendees at the SOURCE Boston Conference on Thursday about an empirical analysis of existing malicious programs for the Android and iOS platforms which shows that Google is losing the mobile security contest badly — every piece of malicious code the two identified was for the company's Android OS, while Apple's iOS remained free of malware, despite owning 30% of the mobile smartphone market in the U.S. Apple's special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices."

  • by DavidRawling (864446) on Saturday April 21, 2012 @10:25AM (#39755719)
    On the contrary, the user has NO control over app permissions, by default. The app author sets what he/she wants, and the user has the choice of accepting it or finding an alternative. No justification, no ability to say "well I want this useful SSH app but I don't want it reading my contacts, so I'll deny that permission". Yes, there are firewall apps (the permissions are in the OS, why do I need an APP to enforce OS permissions?) and for rooted devices, apps that can tweak permissions. But the default is horribly, terribly broken because most of the power is in the hands of the developers, NOT the users.
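
The per-permission revocation the comment above asks for ("I want this SSH app but I don't want it reading my contacts") can be sketched as a small permission model. This is an added example, not code from the thread or from Android: the manifest-style declaration, the user-side revoke, and the two hypothetical SSH clients are all constructed here. It shows the contract a revocable permission implies: the platform raises a denial, and only an app that treats the address book as optional keeps working after the user withdraws it.

```python
"""Toy revocable-permission model (added example, not Android's real code).

The developer declares what the app wants; the user may revoke any declared
permission; a gated API raises PermissionDenied when called without it.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


class PermissionDenied(Exception):
    """Raised when an app calls an API it is not currently allowed to use."""


@dataclass
class App:
    name: str
    declared: Set[str]                                  # what the developer asked for
    revoked: Set[str] = field(default_factory=set)      # what the user later withdrew

    def granted(self) -> Set[str]:
        return self.declared - self.revoked

    def revoke(self, perm: str) -> None:
        # the user can only withdraw something the app actually declared
        if perm not in self.declared:
            raise ValueError(f"{self.name} never asked for {perm}")
        self.revoked.add(perm)


def requires(perm: str) -> Callable:
    """Decorator gating one hypothetical system API on one permission."""
    def wrap(fn: Callable) -> Callable:
        def guarded(app: App, *args, **kwargs):
            if perm not in app.granted():
                raise PermissionDenied(f"{app.name} lacks {perm}")
            return fn(app, *args, **kwargs)
        return guarded
    return wrap


# constructed address book standing in for the system contacts provider
CONTACTS: Dict[str, str] = {"alice": "alice@example.com", "bob": "bob@example.com"}


@requires("READ_CONTACTS")
def read_contacts(app: App) -> Dict[str, str]:
    return dict(CONTACTS)


@requires("INTERNET")
def open_socket(app: App, host: str) -> str:
    return f"connected to {host}"


def ssh_app_naive(app: App, host: str) -> str:
    """Reads contacts unconditionally: dies once the user revokes READ_CONTACTS."""
    book = read_contacts(app)
    return open_socket(app, host) + f" (address book: {len(book)})"


def ssh_app_failsoft(app: App, host: str) -> str:
    """Treats the address book as optional: the core feature survives revocation."""
    try:
        book = read_contacts(app)
    except PermissionDenied:
        book = {}
    return open_socket(app, host) + f" (address book: {len(book)})"


def demo() -> dict:
    app = App("ssh-client", {"INTERNET", "READ_CONTACTS"})
    before = ssh_app_naive(app, "bastion.example")
    app.revoke("READ_CONTACTS")          # the user's choice, after install
    try:
        ssh_app_naive(app, "bastion.example")
        naive_survives = True
    except PermissionDenied:
        naive_survives = False
    after = ssh_app_failsoft(app, "bastion.example")
    return {"before": before, "naive_survives": naive_survives, "after": after}


if __name__ == "__main__":
    print(demo())
```

The fail-soft client is the design a platform with user-revocable permissions has to assume; the naive one is why a store that lets users deny individual permissions also has to expect crash reports from apps that were never written for it.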
  • by chrb (1083577) on Saturday April 21, 2012 @11:01AM (#39755935)

    I don't think that is the reason that we hear more about Android malware, although it may be a factor. The barrier to entry of becoming an iOS developer is: buy a Mac (Intel Mac Mini will do), pay $99, sign up on web site. The barrier to entry of becoming an Android developer is: buy a PC (any will do), pay $25, sign up on web site. You could argue that the cost of a Mac Mini is prohibitive, or that hackers are less likely to own a Mac and begin hacking around on iOS in the first place, but for serious malware authors these are not significant barriers.

    The real reasons that we hear more about Android malware:

    1. Android users can enable installs of apps from non-official markets and random web sites. Many of the reported malware apps come from these kinds of sites. But users have to explicitly do this, no phone ships with random web sites enabled as app stores. These same users, having enabled random app sources, then presumably don't bother to check the permissions that the app they install requests.
    2. Android allows apps to send premium rate SMS messages and calls without an explicit popup. I personally think Google should probably kill this ability, but then I never call premium rate numbers. Blocking premium rate texts would kill the profit incentive for most malware. If this were an explicit, in your face, permission or setting (like the big warning for data roaming in settings!), then we wouldn't have seen any premium SMS fraud malware.
    3. Apple marketing is happy for the media to push the "no iOS malware" angle in the same way that they did successfully with "no OS X viruses". It isn't strictly true, but people believe it anyway, and there is a huge class of users who are willing to pay more for the belief that there will be fewer problems in future. Malware that affects a few thousand people really isn't important in the big scheme of things, but it is something that marketing can use to try and differentiate iPhones in the eye of the consumer from very similar and equally capable Android phones.
    4. Apple fans are pushing the "Android is full of malware" meme extensively, even though very few Android users have actually been affected. Is malware an issue that should be dealt with? Yes, but these same Apple fans who argue that Android is "straining under the weight of malware" after a few thousand users have been infected, are also the ones who claim that half a million infected Apple desktops is no big deal.

    History has shown that a monoculture is actually more vulnerable to attack. There were some very skilled virus writers back in the 80s who innovated with polymorphic, anti-virus proof code, hidden boot sector infections etc. For whatever reasons, these kinds of hackers moved on to other projects, and what we see now in the virus/malware sector is mainly an industry driven by financial profit motive. iOS has had root exploits, and getting an app on the iPhone app store isn't that hard. Maybe they scan code and do some static analysis to try and spot dodgy functions, but at least one person has gotten malware into the iPhone app store, so it is certainly possible. I really do think that the only reason this hasn't been done is due to the explicit permission that the iPhone requires to send a premium rate SMS. If people ever start doing widespread banking on the Android/iPhone, or Android/iPhone malware ever becomes a populist hobby again (like viruses of the 80s), then I'm sure there will be more. An X-Prize, designed to stimulate malware production on either platform, would almost certainly produce results.

  • by hot soldering iron (800102) on Saturday April 21, 2012 @11:18AM (#39756057)

    I've told people for several years that Apple, Windows, and Linux are for totally different philosophies. Apple seems to be more for the creative content producers, that don't really want to know how the computer works, or play with it, they just want to focus on whatever it is that they want to do. They may pay a premium, and have a severely limited selection, but they are getting what they want. Windows seems to appeal to the largest percentage of the consumer market and industry. It's got everything under the sun available for it, and is fairly well locked down, but with some work you can dig into it and do some limited customizing.

    You didn't think I was going to leave out Linux/Android, did you? My personal favorites, but I don't recommend them for everyone. They seem to appeal to the tinkerers and hackers, not afraid to get their fingers burned or let the magic smoke out. Linux does run most of the Internet though, and most smartphones, and a lot of tablets now, and Google and Yahoo! and Ebay, and 9 out of 10 financial institutions, and is embedded in most home routers and god-knows-what-all. Just not most desktops.

  • by Nemyst (1383049) on Saturday April 21, 2012 @11:58AM (#39756307)

    Get a Nexus phone? They tend to get extensive updates, and once your warranty's up/official support dries up, you're guaranteed to be able to flash to Cyanogenmod or any other distribution you can think of thanks to unlocked bootloaders and the inherent popularity of the device.

    For anyone remotely tech savvy, it's the logical choice.

  • by BasilBrush (643681) on Saturday April 21, 2012 @01:01PM (#39756687)

    The Path app is not malware. It's still on sale on the App Store, and has 5 times as many five star ratings as any other rating, and literally zero one star ratings. (the possible ratings run from one to five stars).

    Email addresses were uploaded simply to facilitate a find-my-friends feature of social networking.

    It was a naive implementation, because the same functionality could be achieved simply by uploading hashes of the email addresses. And it was wrong that in earlier versions it didn't explicitly ask the users permission to upload those email addresses.

    But there's no evidence of malign behaviour. Only behaviour intended to implement the advertised features. Therefore it's not malign software; it's not malware.
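
The "upload hashes instead of addresses" design the comment above proposes looks like this in practice. This is an added example, not Path's code and not from the thread; the registered-user list, the phone's address book and the guess list are all constructed. The first half implements the find-my-friends matching on hashes only; the second half shows the check a practitioner would run before calling it private: an unsalted hash of an e-mail address can be reversed by anyone who can enumerate plausible addresses, so the server (or anyone who obtains the upload) can still learn which specific addresses were on the phone.

```python
"""Find-my-friends on hashed e-mail addresses (added example, not Path's code)."""
import hashlib
from typing import Dict, List


def normalize(email: str) -> str:
    """Both sides must canonicalise the same way or hashes never match."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """Unsalted SHA-256 of the normalised address, hex encoded."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


# constructed: the service's registered users, kept server side
REGISTERED: Dict[str, str] = {
    "alice@example.com": "alice",
    "carol@example.org": "carol",
    "dave@example.net": "dave",
}


def server_index(users: Dict[str, str]) -> Dict[str, str]:
    """Server precomputes hash -> username; it never needs the raw client list."""
    return {email_hash(e): name for e, name in users.items()}


def client_upload(address_book: List[str]) -> List[str]:
    """What leaves the phone: hashes only, no raw addresses."""
    return [email_hash(e) for e in address_book]


def find_friends(uploaded: List[str], index: Dict[str, str]) -> List[str]:
    """The advertised feature: which contacts are already members."""
    return sorted(index[h] for h in uploaded if h in index)


def reverse_hashes(uploaded: List[str], candidates: List[str]) -> Dict[str, str]:
    """The caveat: with no salt, a guess list recovers the addresses behind the hashes."""
    table = {email_hash(c): c for c in candidates}
    return {h: table[h] for h in uploaded if h in table}


def demo():
    phone = ["Alice@Example.com", "bob@example.com", "dave@example.net"]   # constructed
    uploaded = client_upload(phone)
    matches = find_friends(uploaded, server_index(REGISTERED))
    # constructed guess list: a leaked mailing list, a crawl, or just every
    # address the attacker already knows about
    recovered = reverse_hashes(uploaded,
                               ["alice@example.com", "bob@example.com", "eve@example.com"])
    return matches, uploaded, recovered


if __name__ == "__main__":
    m, u, r = demo()
    print("friends:", m)
    print("uploaded:", u)
    print("recovered from hashes:", sorted(r.values()))
```

Hashing does keep the raw addresses off the wire and out of the server's logs, which is the improvement the comment has in mind. Whether that counts as "the same functionality" without the privacy cost depends on who can obtain the hashes and how guessable the inputs are; for e-mail addresses the guess space is small enough that a salted or keyed scheme is the usual next step.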

  • by Dr_Barnowl (709838) on Saturday April 21, 2012 @03:37PM (#39757789)

    .NET gets this right, as it happens - the administrator can grant or deny permissions on a fine-grained level, on a per-app or per publisher basis. The downside to that, though, is that if your app isn't well written, the permissions exception will kill it, which is a big no-no on a phone.

    You can do automatic static analysis to determine which APIs the app calls, which provides a list of permissions it might request, but doing analysis to check that it copes with permission denied exceptions is much harder, so you can understand their choice.

    What really sticks in my craw is that despite doing this static analysis, and providing this information on the Android market, you can't filter the listings based on the permissions that an app requests.

    Anecdote: my wife wanted a bible reader app. I couldn't find a single one, paid or free, that didn't want what I considered an unnecessary level of permissions for something that is essentially an offline eBook reader. What the hell does a bible app need SMS, or contact list access for? In the end, she just installed the one she liked the look of the most, even though I couldn't say I approved of any of them. And I'm sure most people won't even consider it, and click through.
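
The static analysis the comment above describes, mapping the APIs an app calls to the permissions it would need, and the listing filter it asks for, can both be shown on a small scale. This is an added example, not Google's scanner and not code from the thread: the API-to-permission table is a handful of Android framework calls I know the permission for, the manifest and source fragments are constructed, and the catalog is made up. It audits a hypothetical bible reader that declares SMS and contacts access but whose code only ever opens an HTTP connection, and then filters a catalog down to apps whose declared permissions fit what the user is willing to grant. The caveat is the usual one for string-level static analysis: it sees literal API names, so reflection, native code or dynamically loaded classes go unnoticed.

```python
"""Infer needed permissions from source, compare with the manifest, filter a
catalog by permissions.  Added example; not Google's or any app's code."""
import re
from typing import Dict, List, Set

# Assumed mapping from framework call patterns to the permission each needs.
# A real table is far larger; these pairings are ones known from the Android docs.
API_PERMISSIONS: Dict[str, str] = {
    r"\.sendTextMessage\(":            "android.permission.SEND_SMS",
    r"ContactsContract\.":             "android.permission.READ_CONTACTS",
    r"\.requestLocationUpdates\(":     "android.permission.ACCESS_FINE_LOCATION",
    r"\.getDeviceId\(":                "android.permission.READ_PHONE_STATE",
    r"HttpURLConnection|\.openConnection\(|new\s+Socket\(":
                                       "android.permission.INTERNET",
}


def infer_permissions(source: str) -> Set[str]:
    """Permissions the code would need, judged only by the API names it contains."""
    return {perm for pat, perm in API_PERMISSIONS.items() if re.search(pat, source)}


def declared_permissions(manifest: str) -> Set[str]:
    """<uses-permission android:name="..."/> entries from an AndroidManifest.xml."""
    return set(re.findall(r'<uses-permission\s+android:name="([^"]+)"', manifest))


def audit(manifest: str, source: str) -> Dict[str, Set[str]]:
    declared, used = declared_permissions(manifest), infer_permissions(source)
    return {
        "declared": declared,
        "used": used,
        "unused": declared - used,      # asked for but never exercised (over-privilege)
        "undeclared": used - declared,  # exercised but never asked for (will be denied)
    }


def filter_catalog(catalog: Dict[str, Set[str]], acceptable: Set[str]) -> List[str]:
    """The listing filter the comment wants: apps needing nothing beyond `acceptable`."""
    return sorted(name for name, perms in catalog.items() if perms <= acceptable)


# constructed manifest and decompiled-source fragments for a hypothetical bible reader
BIBLE_MANIFEST = """
<manifest package="com.example.biblereader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""
BIBLE_SOURCE = """
URL u = new URL("https://example.invalid/verses.json");
HttpURLConnection c = (HttpURLConnection) u.openConnection();
"""

# constructed second app: sends SMS and reads contacts but only declares SMS
SMS_MANIFEST = """
<manifest package="com.example.smsthing">
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""
SMS_SOURCE = """
Cursor cur = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
SmsManager.getDefault().sendTextMessage(number, null, body, null, null);
"""

# constructed catalog: app name -> declared permissions
CATALOG: Dict[str, Set[str]] = {
    "biblereader":   declared_permissions(BIBLE_MANIFEST),
    "smsthing":      declared_permissions(SMS_MANIFEST),
    "offline-bible": {"android.permission.INTERNET"},
}


def demo() -> Dict[str, object]:
    return {
        "bible": audit(BIBLE_MANIFEST, BIBLE_SOURCE),
        "sms": audit(SMS_MANIFEST, SMS_SOURCE),
        "filtered": filter_catalog(CATALOG, {"android.permission.INTERNET"}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "unused" set is the signal the anecdote is about: a reader app that declares SEND_SMS and READ_CONTACTS but never touches either API is asking for more than it needs, and a store that has already computed this could expose it as a filter. The "undeclared" set is the other direction, and is the case where a permission-denied failure at runtime is the app's own fault.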

  • by Anonymous Coward on Saturday April 21, 2012 @06:07PM (#39758555)

    6. Because it's amusingly easy to publish an app on Google Play--any app that does any darn thing. You just...publish it. Done. OTOH, you need to get your app past an actual human reviewer and Apple's automated software checkers to publish on the App Store. It's not just a little harder to publish crap on the App Store than Google Play, it's a lot harder.
    7. Because Apple is usually pretty quick for a giant monoculture to jump on actual malware apps. While Google has a history from day 0 of letting malware slide and slide and slide until it's a serious problem and then letting it slide a little longer.
    8. Because the Android Faithful like yourself are quick to defend Google's Wild West policies towards apps and their market, rather than decry those policies. Google Play is a mess, a stinking mess. If you really love Android, you should be the first to complain about that mess, rather than defend it.
