How Apple's iOS Went From Insecure To Most Secure
GMGruman writes "There's no such thing as a perfectly secure operating system, but security experts agree — somewhat grudgingly in some cases — that iOS, Apple's mobile operating system, is the most secure commercial OS today, mobile or desktop. It didn't start that way of course, and Robert Lemos explains what Apple did to go from insecure to most secure."
Frist to get jailbroken... (Score:5, Insightful)
Wait... aren't we talking about the same iOS that gets jailbroken like clockwork still?
Re:Frist to get jailbroken... (Score:5, Informative)
not only that, but the comments are hilarious as are the arguments:
This is hilarious, considering that the sandbox is the only true thing. Patching is known to break things continually (and done to break things - hello anti-jailbreak?), apple doesn't vet third party apps - you think they vet the browsers or MS office on mac? Said things are open and known security breaches. Same argument can be made for microsoft and google's first party apps being vetted (no shit) on that, and I'm not even a microsoft fan.
Attacker psychology? What joke of a phrase is that? That's as anecdotal as it gets.
So in summary, the thing apple does right is put things in a sandbox. that is all. Infoworld sure does have a hardon for apple sometimes.
Re: (Score:2)
It only looks like blind attacks to people who have bought into the hype.
Believe it or not, when someone tells you that your shit stinks, it's not that they're "hating" you -- it's just that they're tired of smelling your shit.
--Jeremy
Re: (Score:2)
It only looks like blind defence to people who have bought into the anti-hype.
Believe it or not, when someone tells you that your nose isn't working right and that that's flowers, not shit, it's not that they're "blind" it's that they have a working nose ;).
The point being not that you're wrong, but that your argument has no substance and that you are falling for the exact same hyped up bullshit as the other guy. Go look at the products... objectively... without looking through {shit | flower} tinted glass
Re: (Score:2)
I'll call your bluff. Bogus!!
Re: (Score:2)
By what argument? What's bogus about it? What argument do you have to show that it's bogus?
Re: (Score:2)
There are reasons for both points of view; the trouble comes when one can't see at least a little of both.
Mod parent up. I'm satisfied with my iPhone but I think it'd be a lot farther behind if Android hadn't lit a fire under them. I can't believe we've gone this long without an update to the notification system.
Re: (Score:2)
So you are saying that Apple innovated?
It's pwned before you get it out of the box.. (Score:2, Insightful)
if a hacker did that to my laptop, I'd hunt him down and punch his fucking head in.
Re: (Score:2)
It updates without asking people.. it disables things without asking people... certain types of useful software are internally prevented from ever running on it..
Prior to iOS 5, the only OTA updates that you received were carrier settings updates, which is "normal" for smartphones. Maybe a dumb phone is a better fit for you. Settings in the past were disabled by carrier updates. If you have a problem with AT&T, take it up with them. I don't have a problem with the software vetting process, especially for something that can access the cellular radio.
it steals information about me - such as my geographical location and uploads it to a server without me asking..
Do you understand how web services work? You have to supply some information to the service in order to get back info
Re:It's pwned before you get it out of the box.. (Score:4, Informative)
It updates without asking people..
No it doesn't. You have to connect the device to your computer, launch iTunes, choose 'Download and Install' when prompted and follow the onscreen instructions.
it disables things without asking people...
Are you referring to the 'kill switch' built into the operating system? That's never been used. Conversely, the Android kill switch was used in March this year. To kill malware that had been downloaded from the Android marketplace.
certain types of useful software are internally prevented from ever running on it..
Which useful software is 'internally' prevented from ever running on it? Apps must be vetted by Apple in order to be included in the App Store, but I can't recall the last time an app was rejected for being too useful. Similarly, I can't recall the last time Apple had to throw a kill switch to kill malware downloaded from the App Store.
it steals information about me - such as my geographical location and uploads it to a server without me asking..
No it doesn't. The iPhone stores information about nearby WiFi access points and cellular towers. That information is stored in an on board cache. When you sync with iTunes, that information is transferred to your computer, in order that it can be synced back with other iOS devices you own. The locations of WiFi access points and cellular towers is sent to Apple, but not before it has been anonymised. Apple has no details of where you are, unless you implicitly opt in to sharing your location.
it won't work unless it has my credit card number
It works fine without your credit card number. I don't even own a credit card, and yet my iPhone functions perfectly. The sleep/wake button works, the volume buttons work, the SMS and Mail apps work, the Phone app works, the iPod, iTunes and App Store apps all work.
certain types of software includes any programming language
Really? http://itunes.apple.com/us/app/basic/id362411238?mt=8 [apple.com]
or anything which "duplicates functionality"
Quite. Because something which duplicates functionality is extremely useful, isn't it.
storing your geographical location without telling you.. er, you didn't know about that? at least it does google. See if you can find it.
I can find it just fine. Now, see if you can find it. (Tip: http://www.apple.com/pr/library/2011/04/27location_qa.html [apple.com])
Re: (Score:3)
apple doesn't vet third party apps - you think they vet the browsers or MS office on mac
Yes, the article is lame, but it's about iOS, and not Mac OS X
Re: (Score:2)
This is hilarious, considering that the sandbox is the only true thing. Patching is known to break things continually (and done to break things - hello anti-jailbreak?), apple doesn't vet third party apps - you think they vet the browsers or MS office on mac?
Mac? This is iOS he's talking about. I am interested though, what apps have been broken by patches apart from jailbreaking?
Re: (Score:2)
Uhhh, iOS sandboxes each application in its own sandbox too, and I have no idea how you got to the number 6.
Re: (Score:2)
My immediate thoughts were: What security experts? Where's the research? Who funded it?
It is not likely that Apple's iOS is even in the running for security. It's obscurity that keeps it out of the minds of most. A billion PCs is a much bigger target, by far.
Re: (Score:3)
hahaha. they refuse third party apps is more like what they do. How's that firefox/chrome doing on iOS?
Also, how's all those apps that are arbitrarily refused [lifehacker.com] and/or apps that clearly were not vetted. You think they vet every google app that comes across or can actually control what is used?? [intomobile.com] Hello HTML5 on that.
Re: (Score:3)
Jailbreaking uses security flaws to run unsigned code. The same flaws can be used for malicious purposes. It is most definitely a security issue.
While most jailbreaking methods do require the phone to be tethered to a computer which greatly reduces the chances of infection in the wild, there have been at least two well known untethered jailbreak methods that could have been used to install malicious code quite easily.
Re:Frist to get jailbroken... (Score:5, Funny)
Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run.
Why don't you re-read that and tell me where your logic flaw is.
Re: (Score:2)
Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run.
Why don't you re-read that and tell me where your logic flaw is.
Beat me to it. First thing I thought when I read it was "how is the ability to run unsigned code in a closed platform not a security problem?"
I suppose it's not a security problem if the source of the unsigned code is benevolent, such as, oh say, you.
I suggest that this issue has more to do with the security of Apple's business model than with the security of the OS.
Re: (Score:2)
First thing I thought when I read it was "how is the ability to run unsigned code in a closed platform not a security problem?"
Relying on the obscurity of a closed platform is itself the security problem. For example, the article points out that the developer of a flashlight application was able to sneak tethering past the iOS App Store curators. And there are ways to limit the damage an application can do without requiring $99 per year from each person who wants to run applications that Apple hasn't approved; look up OLPC Bitfrost on Google for one method that I found interesting.
Re: (Score:2)
Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run.
Why don't you re-read that and tell me where your logic flaw is.
So, it's a security problem, except when your OS completely lacks code or driver signing, then it's a feature. I see what's going on here.
Re: (Score:2)
3.0 was the last full jailbreak that worked on jailbreakme, after 3.x you lost various bits of functionality until 3.2 or so, at which point I think that was the end of it, I know it took long enough after 3.2 that I stopped bothering to look. Besides, 3.0 with custom provisioning profiles so you can tether without getting AT&T raped in the process was the last time I bothered futzing with my phone, there pretty much is an app on the app store to do anything else you want.
I don't really see the point i
Re: (Score:2)
How is it a "security flaw" that you can hack your own device purposefully that you have physical access to?
Re:Frist to get jailbroken... (Score:5, Interesting)
And while jailbreaks for iOS happen for almost every point release, they are getting tougher and tougher to find (as in it takes the dev-team more and more time to find a patch).
Re: (Score:2)
Actually that was a MINOR jailbreak because it was easily and quickly patched and so didn't last long. The major jailbreaks are the ones that exploit flaws in the bootrom code. Those are at once more difficult for Apple to patch because they require new hardware to be put out there and they are also impossible to exploit remotely, requiring physical access.
Re: (Score:2)
I find it a bit odd that the Android folks are claiming a 'jailbreak' is a major security flaw, while ignoring the fact that rooting an android phone is the same thing. I have little worries about any jailbreak that requires physical access to the phone. If it gets to that point, you've already lost your data. I'm more interested in remote hacks like the PDF exploit.
I will say that Apple quickly patches its vulnerabilities, and it doesn't suffer from the issue with Android phones where the handsets are at
Re: (Score:2)
I'm not sure why the sync method applies to security so I'll pass that one by. As to updates themselves, they aren't slow to come in most cases, they simply don't come at all. Unfortunately, hacks to the OS (which is what the article is about) are the very piece that doesn't get updated on various handsets using Android.
The argument about 'not on the market' is invalid as well, since there is only the curated App Store for Apple, whereas on an android phone, one need only uncheck a box, and that happens a b
Re: (Score:2)
What does a previous version have to do with *this* version mentioned in the article?
Maybe nothing, maybe something. With a closed-source OS, all you have is their word. My personal opinion? I would wager Apple cares more about closing up the "jailbreak" part of it than the "modify files via remote exploit".
Re:Frist to get jailbroken... (Score:4, Insightful)
Ah, there it is. Just a few stories ago, there was the headline about Apple putting some desktop and laptop machines behind the walled garden and maybe phasing out OSX altogether.
And then..."iOS is the most secure".
You can start to see the outline of a marketing campaign that will convince people that they really don't need to have anything on their Mac that didn't come from Apple, one way or another.
As a long-time Mac user and owner of several Mac Pro and MacBook Pro machines, I find this transformation of "machines to make things with" to "machines you can consume content with" quite offensive. It may be good business for Apple, and good for Apple shareholders, but for the future of personal computing for people who don't use Windows or Linux, it kind of sucks.
Re: (Score:2)
You can start to see the outline of a marketing campaign that will convince people that they really don't need to have anything on their Mac that didn't come from Apple, one way or another.
I feel that way about Debian. It's an exaggeration, to be sure, but the mindset is the same. If I can't manage it with apt, why bother with it?
-l
Re: (Score:2)
Because you can package it and then manage it with apt (if it's worth the trouble).
Re: (Score:2)
Sometimes that's a boatload of trouble (c.f., IBM's OpenAdminTool for Informix). I did end up installing it. But pretty much, if it's some brand new garbage on freshmeat, I can't be bothered until a Debian developer thinks it's worth his/her time to bundle it.
-l
Re: (Score:2)
You can manage multiple repositories with apt, just add a new line to your /etc/apt/sources.list. It's not the same.
Re: (Score:2)
The mindset is the same. Get it in Debian and you don't have to bother your users with adding repositories — sorta like getting your code in the kernel. It's just there, by default, and you slurp down what you want with impunity.
I do use multiple repositories out of necessity. But I do point an upturned eyebrow at Joe's Random Apt Shack. Apple's App Store is similar. It's an authoritative source with vetting, like Debian, and unlike Joe's Random Apt Shack, or worse, JRandom.exe from random website.
Thu
Re: (Score:2)
The ability to jailbreak a device has little to do with its security.
Agreed. Jailbreaking the OS is like signing a release before you skydive out of an airplane: you're admitting you don't want to play it safe and voluntarily take on all possible risks yourself.
Re: (Score:2)
You just essentially said that rooting a device has nothing to do with security.
Couldn't you jailbreak your iphone at one time simply by visiting a webpage? That sounds secure.
Re: (Score:2)
If you used a four-digit numerical password, somebody sells a program that can brute-force it. That's not really "cracking" it.
Re: (Score:2)
Is this the one you type in the lock screen? I just found and read the article and it's unclear. If so, I thought the iPhone makes you wait longer and longer after consecutive failed attempts which would slow down a brute-force attack quite a bit. Also, I can't remember if it was an Exchange policy, a feature on the iPhone (or of Android), but I thought I remember seeing a setting that would wipe the phone after 10 consecutive failed attempts.
An ultimately secure OS (Score:5, Funny)
Re:An ultimately secure OS (Score:4, Funny)
The Ultimate Machine: http://www.youtube.com/watch?v=Gw2Bq0HYu1M [youtube.com]
Re: (Score:2)
The Ultimate Machine: http://www.youtube.com/watch?v=Gw2Bq0HYu1M [youtube.com]
Your Ultimate Machine has NOTHING on this one:
http://www.youtube.com/watch?v=UmQ5LsNMXZ4 [youtube.com]
Re: (Score:2)
http://www.guyswhocuttheirownhair.com/images/uploads/applebrick.jpg
Like living next to a bridge testing ground... (Score:2, Troll)
So much mobile fanboy trollbait on the 'dot this morning.
Most Secure? (Score:2, Insightful)
Re: (Score:3, Funny)
It's just the reverse of the enormously slanted "Apple is definitely phasing out OS X and locking it down and will force people to only buy from the App Store" article earlier, just with the "anti-Apple" bias changed to "pro-Apple".
There must be balance in the ad-impression linkbait, lest the universe implode.
Agreed. (Score:3, Funny)
Sent from your iPhone.
Re: (Score:2)
Original sent from my Windows PC, reply sent from my Android. ;) I own no iPoop.
Re: (Score:2)
I do this too, I call it a "home server." Handles my email, streams music and syncs docs and pictures without handing them to Google. How awesome is that?
Re: (Score:2)
In fact, we know a lot about you.
Signed, your friends at Google.
Grudging (Score:5, Insightful)
Any expert that holds a grudge like that is no expert I ever care to hear from.
Security is a big selling point (Score:5, Insightful)
Apple is going after the market of users who are sick of dealing with security issues/malware/etc. They've done it by creating a closed system. And while us geeks hate that, it has a strong appeal to most people. When they go to a closed system on Macs (and they will), that's who they're going to be appealing to. "Buy a computer where all your software is pre-screened through our App Store and you don't have to worry about viruses" is a powerful (and potentially very profitable) message in a time when malware and assorted hacks have become so common.
Re: (Score:2)
Nonsense. We don't need coders in the US, that's like manufacturing. We'll just have someone in India or China do it. We're an information economy here in the States, where our information is enforced consumption of music, movies, and Apps (developed in India and China.)
Re: (Score:2)
Correction: Apple is going after the market of users who are sick of dealing with security issues and could never be bothered to dump Windows.
PhoneOS is nothing special in terms of security. Although it is pretty fascist, and unnecessarily so.
Re: (Score:2)
Apple is going after the market of users who are sick of dealing with security issues/malware/etc.
Rubbish. I run IT for a fashion company whose employees are all the cool kids. Apple rules here for only one reason: it looks cool. The iPhone looks cool, the touch screen looks cool, a 27" iMac looks cool sitting on your desk, and a MacBook Air looks cool under your arm. These people pay $300 for a pair of jeans for the same reason. They don't even know what the words malware, open source, or proprietary mean.
Easily Fixable (Score:4, Interesting)
More people need to pay attention to http://slashdot.org/firehose.pl [slashdot.org] and mod stories like this into oblivion.
Re: (Score:2)
Cool, can we mod the "Apple is definitely phasing out OS X" stories too?
Re: (Score:2)
More people need to pay attention to http://slashdot.org/firehose.pl [slashdot.org] and mod stories like this into oblivion.
If you are going to be that way, I suggest that you go to a site like Digg or Reddit where they like to bury stories and comments that they don't like instead of coming up with an intelligent rebuttal. I, for one, come here to Slashdot in the hope of seeing some modicum of intelligent discourse.
Nobody is holding a gun to your head to stay on slashdot or comment on stories that you don't like. You can simply just ignore them.
Completely useless (Score:2)
Great. A sandboxed environment with limited functionality and a vendor stranglehold on apps is "more secure" than a fully functional PC OS where the use can run any app (or even another OS) that they desire.
Big fricking whoop.
That's like saying that a car that spent the entirety of its life parked in a little old lady's garage was safer to drive than another car that has spent the last 10-15 years as someone's daily driver.
Re: (Score:3)
functionality
You keep saying that word. But I do not think it means what you think it means. -- Inigo Montoya
Re: (Score:3)
I'll preface this reply with: I have an iPhone developer account so I'm not a normal user, however, your list of things aren't on the list of things that normal users give a shit about so I'll follow up anyway.
Oh, so you can run emulator software on it now, can you?
Yep, I use my own circuit simulators and I've been working on an ATmega simulator for shits and giggles. No, they'd never be sold on the App Store, but I can run them just fine without doing anything against Apple's rules.
Or compile source code into packages that you can install onto it?
Yes, that's exactly what ALL iOS developers do, that's what gets distributed to your
Re: (Score:2)
And here I was thinking that "Functionality" meant being able to do something useful.
Using a solid lead window makes it a very secure window, but you're not going to say it's 'functional', are you?
Huh? (Score:2)
Why grudgingly? It either is or it isn't. If you have to begrudge the truth, go find something else to do.
Sigh. (Score:3)
Sensationalist, baseless claim? Check.
Short article "sourced" entirely off in-house articles? Check.
Forced to use the print version to avoid ad overload? Check.
Yep, it's InfoWorld alright.
Short answer: walled garden (Score:2)
Let me save you 5 minutes of your time. This bit from TFA is really all there is to it:
The security is in the app store.
It's not surprising, then, that security professionals pointed not to Apple's design but to the company's gated App Store [11] and its required code review before publishing as a major security advantage. "The closed ecosystem makes the model pretty safe," says Trend Micro's Genes. "It is not because the iOS is completely safe. From a system design standpoint, Android is safer."
"no economic incentive to attack" iPhones? (Score:5, Insightful)
Although iOS has a lot of security going on underneath the hood, its safety could be due in large part to the fact that attackers have not focused on compromising the devices because there is no economic incentive to attack them, says Lookout's Mahaffey.
Really? No economic incentive?
Unlike PCs and Macs, every cell phone is directly associated with a credit card. Essentially a cell phone IS money. Bad actors can - and do - monetize this with malware that places calls to sketchy and high-cost phone numbers, or send texts to subscribe to "information services," resulting in (fraudulent) charges showing up each month. And good luck trying to dispute charges with your cellular provider on those. They will just tell you that their hands are tied by federal law and that they can't help you, but nonetheless will turn around and threaten you with collection if you don't pay.
There's definitely economic incentive to attack mobile phones.
Re: (Score:2)
1. 'hacker' writes paid for application, gets said app accepted to the market.
2. 'hacker' then commands his droves of exploited iDevices to purchase said app.
3. 'hacker' profits.
Um.. No (Score:5, Insightful)
OpenBSD has been at it a lot longer. Even as a Linux zealot, I would choose OpenBSD for security. iOS is a closed black box that nobody but Stevie knows what's inside. Historically we tend to find *cough*siemens*cough* that closed source, proprietary *cough*secureid*cough* offerings do not necessarily equate to a trustworthy or "secure" system. What seems to happen is closed source options provide a layer of obscurity which allows the governing company *cough*dropbox*cough* to take inexcusable risks with customers' assets because, basically, they don't need to show anybody. As long as they never get caught, they save a lot of money not having to implement a system to keep them honest.
Re: (Score:2)
Jailbreaking is hardly an argument. If anything, it's an indicator of a larger security problem.
I disagree (Score:3)
I think Apple iOS is the most secure (tehehe) because of all the people searching for flaws to jailbreak it with. It's like free security testing.
It's the annual WWDC click bait fest! (Score:2)
As we speak comments from the Apple Lovers and Haters are filling up comment sections everywhere. Also bloggers are coming up with more flametastic headlines to lure your eyeball to their website.
Enjoy it while you can since it lasts... well... Never mind it's a regular occurrence here on Slashdot :P
Theo (Score:2)
Yeah, right. (Score:2)
If you need address space randomization, you're already broken. It just makes the dumber stack overflow exploits crash more.
The real question is "how much can an application do?". You have to assume that applications are hostile. Some of them will be. Some of them will have back doors. Some of them will have adware, spyware, remote updating, and similar attack vectors.
You need an OS that can reliably say no to an application. Apparently by "sandbox" the original author means "protected-mode operating
Secure in that... (Score:2)
blackberry (Score:2)
So I guess... (Score:2)
Re: (Score:2)
1. Forbid legitimate purchasers and owners of the device from doing ANYTHING you don't homogenize, pre-approve, pre-chew, and charge for.
I think this [eatliver.com] is the analogy you're looking for.
Re: (Score:2)
Sour grapes.