Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×

How Apple's iOS Went From Insecure To Most Secure 312

GMGruman writes "There's no such thing as a perfectly secure operating system, but security experts agree — somewhat grudgingly in some cases — that iOS, Apple's mobile operating system, is the most secure commercial OS today, mobile or desktop. It didn't start that way of course, and Robert Lemos explains what Apple did to go from insecure to most secure."
This discussion has been archived. No new comments can be posted.

How Apple's iOS Went From Insecure To Most Secure

Comments Filter:
  • by Anonymous Coward on Tuesday June 07, 2011 @01:22PM (#36365382)

    Wait... aren't we talking about the same iOS that gets jailbroken like clockwork still?

    • by poetmatt ( 793785 ) on Tuesday June 07, 2011 @01:27PM (#36365438) Journal

      not only that, but the comments are hilarious as are the arguments:

      * A sandbox isolates programs, and iOS's memory organization makes exploitation more difficult.
              * Applications that run on the iOS are vetted by Apple and can be removed if found to be malicious.
              * Patches can be quickly applied to the iPhone and iPad to close security holes in the operating system.
              * The software is regularly reviewed, especially its open source components.
              * The platform has the advantage of attacker psychology -- attackers still target smartphones far less than desktop systems.

      This is hilarious, considering that the sandbox is the only true thing. Patching is known to break things continually (and done to break things - hello anti-jailbreak?), apple doesn't vet third party apps - you think they vet the browsers or MS office on mac? Said things are open and known security breaches. Same argument can be made for microsoft and google's first party apps being vetted (no shit) on that, and I'm not even a microsoft fan.
      Attacker psychology? What joke of a phrase is that? That's as anecdotal as it gets.

      So in summary, the thing apple does right is put things in a sandbox. that is all. Infoworld sure does have a hardon for apple sometimes.

      • Re: (Score:3, Insightful)

        It's amazing how people lose all objectivity when they've fallen for Apple. Love is blind. The fact is that they love their Apple gear so much they love it and discount all flaws and shortcomings and never stop begging for more.
      • It updates without asking people..  it disables things without asking people...  certain types of useful software are internally prevented from ever running on it..  it steals information about me - such as my geographical location and uploads it to a server without me asking..  it won't work unless it has my credit card number..

        if a hacker did that to my laptop, I'd hunt him down and punch his fucking head in.
        • It updates without asking people.. it disables things without asking people... certain types of useful software are internally prevented from ever running on it..

          Prior to iOS 5, the only OTA updates that you received were carrier settings updates which is "normal" for smartphones. Maybe a dumb phone is s better fit for you. Settings in the past were disabled by carrier updates. If you have a problem with AT&T, take it up with them. I don't have a problem with the software vetting process especially for something that can access the cellular radio.

          it steals information about me - such as my geographical location and uploads it to a server without me asking..

          Do you understand how web services work? You have to supply some information to the service in order to get back info

      • apple doesn't vet third party apps - you think they vet the browsers or MS office on mac

        Yes, the article is lame, but it's about iOS, and not Mac OS X

      • by PhilHibbs ( 4537 )

        This is hilarious, considering that the sandbox is the only true thing. Patching is known to break things continually (and done to break things - hello anti-jailbreak?), apple doesn't vet third party apps - you think they vet the browsers or MS office on mac?

        Mac? This is iOS he's talking about. I am interested though, what apps have been broken by patches apart from jailbreaking?

    • Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run. Secondly, I don't think you have ever been able to Jailbreak an iPhone remotely, you have to be in possession of it. If you give a hacker unlimited time with a device, they will find a way to do what they want.
      • by mini me ( 132455 )

        Jailbreaking uses security flaws to run unsigned code. The same flaws can be used for malicious purposes. It is most definitely a security issue.

        While most jailbreaking methods do require the phone to be tethered to a computer which greatly reduces the chances of infection in the wild, there have been at least two well known untethered jailbreak methods that could have been used to install malicious code quite easily.

      • by Enry ( 630 ) <enry@@@wayga...net> on Tuesday June 07, 2011 @01:42PM (#36365658) Journal

        Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run.

        Why don't you re-read that and tell me where your logic flaw is.

        • Beat me to it. First thing I thought when I read it was "how is the ability to run unsigned code in a closed platform not a security problem?"
          • Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run.

            Why don't you re-read that and tell me where your logic flaw is.

            Beat me to it. First thing I thought when I read it was "how is the ability to run unsigned code in a closed platform not a security problem?"

            I suppose it's not a security problem if the source of the unsigned code is benevolent, such as, oh say, you.

            I suggest that this issue has more to do with the security of Apple's business model than with the security of the OS.

          • by tepples ( 727027 )

            First thing I thought when I read it was "how is the ability to run unsigned code in a closed platform not a security problem?"

            Relying on the obscurity of a closed platform is itself the security problem. For example, the article points out that the developer of a flashlight application was able to sneak tethering past the iOS App Store curators. And there are ways to limit the damage an application can do without requiring $99 per year from each person who wants to run applications that Apple hasn't approved; look up OLPC Bitfrost on Google for one method that I found interesting.

        • Jailbreaking is not really a security problem. Firstly, because "jailbreaking" just means allowing unsigned code to run.

          Why don't you re-read that and tell me where your logic flaw is.

          So, it's a security problem, except when your OS completely lacks code or driver signing, then its a feature. I see whats going on here.

    • by Karlt1 ( 231423 )

      How is it a "security flaw" that you can hack your own device purposefully that you have physical access to?

  • by dmt0 ( 1295725 ) on Tuesday June 07, 2011 @01:24PM (#36365400)
    An ultimately secure OS would be the one that does not do anything at all. No inputs and no outputs. Perhaps iOS is closer to that ideal than any other.
  • So much mobile fanboy trollbait on the 'dot this morning.

  • Most Secure? (Score:2, Insightful)

    by OKK77 ( 683209 )
    Most Secure? And the security is in the App Store? I don't know why the author's trying so hard to bullshit his way through. Sensationalist headlines just to get a few more ad impressions, eh.
    • Re: (Score:3, Funny)

      by jo_ham ( 604554 )

      It's just the reverse of the enormously slanted "Apple is definitely phasing out OS X and locking it down and will force people to only buy from the App Store" article earlier, just with the "anti-Apple" bias changed to "pro-Apple".

      There must be balance in the ad-impression linkbait, lest the universe implode.

  • Agreed. (Score:3, Funny)

    by Anonymous Coward on Tuesday June 07, 2011 @01:25PM (#36365422)

    Sent from your iPhone.

    • Original sent from my Windows PC, reply sent from my Android. ;) I own no iPoop.

      • Ditto. I love my Google Apps cloud-based life (gMail, Picasa, Google Music, Google Docs). If my android gets run over by a car I buy a new one and all my contacts, photos, music, email, docs sync back down to my droid. And I'm not limited to 10 Android devices either. Been enjoying this for years now. Also, if I were over at your house I could pick up your iPhone, iPad or OSX device and access all of my stuff from your Apple gear. So apple people are not tethered by a white cable anymore. But Apple people m
        • I do this too, I call it a "home server." Handles my email, streams music and syncs docs and pictures without handing them to Google. How awesome is that?

        • Yeah, yeah. We know ALL about this. And you.

          In fact, we know a lot about you.

          Signed, your friends at Google.
  • Grudging (Score:5, Insightful)

    by Altus ( 1034 ) on Tuesday June 07, 2011 @01:29PM (#36365490) Homepage

    Any expert that holds a grudge like that is no expert I ever care to hear from.

  • by elrous0 ( 869638 ) * on Tuesday June 07, 2011 @01:30PM (#36365492)

    Apple is going after the market of users who are sick of dealing with security issues/malware/etc. They've done it by created a closed system. And while us geeks hate that, it has a strong appeal to most people. When they go to a closed system on Mac's (and they will), that's who they're going to be appealing to. "Buy a computer where all your software is pre-screened through our App Store and you don't have to worry about viruses" is a powerful (and potentially very profitable) message in a time when malware and assorted hacks have become so common.

    • by kevinmenzel ( 1403457 ) <kevinmenzel@@@gmail...com> on Tuesday June 07, 2011 @01:38PM (#36365594)
      Agreed - the eventual limited machines... "consoles" essentially, though for 'work' instead of 'games', will be quite popular. Which does kind of suck for geeks, because our specialty hardware will no longer benefit from the economies of scale, at least not to the same degree.
      • Nonsense. We don't need coders in the US, that's like manufacturing. We'll just have someone in India or China do it. We're an information economy here in the States, where our information is enforced consumption of music, movies, and Apps (developed in India and China.)

    • by jedidiah ( 1196 )

      Correction: Apple is going after the market of users who are sick of dealing with security issues and could never be bothered to dump Windows.

      PhoneOS is nothing special in terms of security. Although it is pretty fascist and unecessarily so.

    • Apple is going after the market of users who are sick of dealing with security issues/malware/etc.

      Rubbish. I run IT for fashion company whose employees are all the cool kids. Apple rules here for only one reason, it looks cool. The iphone looks cool, the touch screen looks cool, a 27" iMac looks cool sitting on your desk, and a Macbook air looks cool under your arm. These people pay $300 for a pair of jeans for the same reason. They don't even know what words malware, open source, or proprietary mean.

  • Easily Fixable (Score:4, Interesting)

    by chill ( 34294 ) on Tuesday June 07, 2011 @01:33PM (#36365524) Journal

    More people need to pay attention to http://slashdot.org/firehose.pl [slashdot.org] and mod stories like this into oblivion.

    • by jo_ham ( 604554 )

      Cool, can we mod the "Apple is definitely phasing out OS X" stories too?

      • Yes. Please. Why not get rid of ALL the useless stories and actually focus on those which actually add value?
    • More people need to pay attention to http://slashdot.org/firehose.pl [slashdot.org] and mod stories like this into oblivion.

      If you are going to be that way, I suggest that you go to a site like digg or reddit where they like for bury stories and comments that they don't like instead of coming up with an intelligent rebuttal. I for one, come here to slashdot in the hope of seeing some modicum of intelligent discourse.

      Nobody is holding a gun to your head to stay on slashdot or comment on stories that you don't like. You can simply just ignore them.

  • Great. A sandboxed environment with limited functionality and a vendor stranglehold on apps is "more secure" than a fully functional PC OS where the use can run any app (or even another OS) that they desire.

    Big fricking whoop.

    That's like saying that a car that spent the entirety of it's life parked in a little old lady's garage was safer to drive than another car that has spent the last 10-15 years as someone's daily driver.

    • by paanta ( 640245 )
      iOS doesn't have any less functionality than any other operating system. Security *is* functionality. A single managed source for new applications *is* functionality. It's functionality that, like all functionality, comes with huge tradeoffs.
      • by Chas ( 5144 )

        functionality

        You keep saying that word. But I do not think it means what you think it means. -- Inigo Montoya

      • Comment removed (Score:4, Interesting)

        by account_deleted ( 4530225 ) on Tuesday June 07, 2011 @02:35PM (#36366306)
        Comment removed based on user account deletion
        • I'll preface this reply with: I have an iPhone developer account so I'm not a normal user, however, your list of things aren't on the list of things that normal users give a shit about so I'll follow up anyway.

          Oh, so you can run emulator software on it now, can you?

          Yep, use my own circuit simulators and I've been working on an ATmega simulator for shits and giggles. No they'd never be sold on the appstore, but I can run them just fine without doing anything against Apples rules.

          Or compile source code into packages that you can install onto it?

          Yes, thats exactly what ALL iOS developers do, thats what gets distributed to your

      • And here I was thinking that "Functionality" meant being able to do something useful.

        Using a solid lead window makes it a very secure window, but you're not going to say its 'functional' are you?

  • Why grudgingly? It either is or it isn't. If you have to begrudge the truth, go find something else to do.

  • by Nemyst ( 1383049 ) on Tuesday June 07, 2011 @01:52PM (#36365772) Homepage

    Sensationalist, baseless claim? Check.
    Short article "sourced" entirely off in-house artices? Check.
    Forces to use print version to avoid ad overload? Check.

    Yep, it's InfoWorld alright.

  • Let me save you 5 minutes of your time. This bit from TFA is really all there is to it:

    The security is in the app store.
    It's not surprising, then, that security professionals pointed not to Apple's design but to the company's gated App Store [11] and its required code review before publishing as a major security advantage. "The closed ecosystem makes the model pretty safe," says Trend Micro's Genes. "It is not because the iOS is completely safe. From a system design standpoint, Android is safer."

  • by mccrew ( 62494 ) on Tuesday June 07, 2011 @01:57PM (#36365840)
    from TFA:

    Although iOS has a lot of security going on underneath the hood, its safety could be due in large part to the fact that attackers have not focused on compromising the devices because there is no economic incentive to attack them, says Lookout's Mahaffey.

    Really? No economic incentive?

    Unlike PCs and Macs, every cell phone is directly associated with a credit card. Essentially a cell phone IS money. Bad actors can - and do - monetize this with malware that places calls to sketchy and high-cost phone numbers, or send texts to subscribe to "information services," resulting in (fraudulent) charges showing up each month. And good luck trying to dispute charges with your cellular provider on those. They will just tell you that their hands are tied by federal law and that they can't help you, but nonetheless will turn around and threaten you with collection if you don't pay.

    There's definitely economic incentive to attack mobile phones.

  • Um.. No (Score:5, Insightful)

    by sl4shd0rk ( 755837 ) on Tuesday June 07, 2011 @01:58PM (#36365848)

    OpenBSD has been at it a lot longer. Even as a Linux Zealot, I would choose OpenBSD for security. IOS is a closed Black-Box that nobody but Stevie knows what's inside. Historically we tend to find *cough*siemens*cough* that closed source, proprietary *cough*secureid*cough* offerings do not necessarily equate to a trustworthy or "secure" system. What seems to happen is closed source options provide a layer of obscurity which allow the governing company *cough*dropbox*cough* to take inexcusable risks with customers assets because, basically, they don't need to show anybody. As long as they never get caught, they save a lot of money not having to implement a system to keep them honest.

  • by Haedrian ( 1676506 ) on Tuesday June 07, 2011 @01:59PM (#36365864)

    I think apple iOS is the most secure (tehehe) because of all the people searching for flaws to Jailbreak it with. Its like free security testing.

  • As we speak comments from the Apple Lovers and Haters are filling up comment sections everywhere. Also bloggers are coming up with more flametastic headlines to lure your eyeball to their website.

    Enjoy it while you can since it lasts... well... Never mind it's a regular occurrence here on Slashdot :P

  • Comment removed based on user account deletion
  • Somehow I think Theo will disagree with this article, though Netcraft confirms he is dead.
  • If you need address space randomization, you're already broken. It just makes the dumber stack overflow exploits crash more.

    The real question is "how much can an application do?". You have to assume that applications are hostile. Some of them will be. Some of them will have back doors. Some of them will have adware, spyware, remote updating, and similar attack vectors.

    You need an OS that can reliably say no to an application. Apparently by "sandbox" the original author means "protected-mode operating

  • Apple always knows where you are and what you are doing?
  • Blackberry OS is the only secure mobile OS
  • ...some of these /. headlines only make it through the firehose so that we can all get a good laugh out of them? Also, "security experts agree" needs a big fat [citation needed]. TFA got like 2 or 3 "experts" that didn't even strongly agree with their conclusions.

No spitting on the Bus! Thank you, The Mgt.

Working...