Accountability, Not Code Quality, Makes iOS Safer Than Android

chicksdaddy writes "Threatpost is reporting on a new study of mobile malware that finds accountability, not superior technology, has kept Apple's iOS ecosystem free of viruses, even as the competing Android platform strains under the weight of repeated malicious code outbreaks. Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners told attendees at the SOURCE Boston Conference on Thursday about an empirical analysis of existing malicious programs for the Android and iOS platforms which shows that Google is losing the mobile security contest badly — every piece of malicious code the two identified was for the company's Android OS, while Apple's iOS remained free of malware, despite owning 30% of the mobile smartphone market in the U.S. Apple's special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices."

Is this Covert Advertising for Apple's Ecosystem?

[dryriver]

Last time I checked, there were plenty of reports of malicious iOS apps clandestinely hoovering up your private data/contacts, and sending that bundle to the app's developers, who will use it for Lord-knows-what-nefarious-purpose. With this being the case, how can anyone possibly claim that iOS is "secure & malware free". The malware doesn't have to be a Trojan or Virus. It can also be a nasty little app that secretly sends your private data to a server somewhere that you don't even suspect exists. ----- I don't understand why Apple fans need to maintain a strange belief into the "infallibility" of Apple's ecosystem. Apple is plenty fallible in my humble opinion. And this is just another snide attempt to advertise the "Extra-Special-Specialness" of using Apple products.

Re:what counts as malware..

[pankkake]

Malware has been accepted in the Apple App Store, TFA is bullshit.

Re:But the Apple factor?

[flyneye]

Don't you remember being a lil kid? Anything you want to do is safe as long as you have someone to blame.
Accountablility=safety.
Oh a security breach! It's Norms fault, Fire him!
Problem solved, you're all safe now that Norm isn't coding for us anymore.
For Security, just think different.

Re:This just in

[Lehk228]

There already is a secure and fairly libertarian phone out there, blackberry. You can only load signed RIM OS's however you can loa any signed RIM image compatable with your phone, there are betas in the wild to play with, and you can install apps from the browser or the PC software that comes with it. You also have a detailed list of what you will and will not allow. You can allow wifi and bluetooth but block mobile, you can allow SD card but block email and contacts

Re:You have to be kidding

[mysidia]

Since when is the iOS more secure? The latest Android has a very stable code and a solid permission system that allows the user to set exactly what an app can or can't do.

The reason there are fewer iOS malware infections has to do with something totally separate from security of the device.

There is a 'more efficient' distribution channel for Android platform malware.

Developing for the Apple platform requires a security certificate from Apple to sign applications, paying money to apple, signing a contract, and approval from Apple and review to be listed on the pap store, which makes the app store a less efficient means of distributing malware than the Android marketplace.

An operating system can be extremely insecure, but if there is no useful distribution channel, or no network connection, it is not likely to be infected.

Re:waiting for a clue

[Anonymous Coward]

'Cept that if you read the comments in TFA, the original article had "wait" in it and was corrected.

Re:You have to be kidding

[cyber-vandal]

No it isn't, the firmware's been out for a long time now.

Re:You have to be kidding

[BasilBrush]

Since when is the iOS more secure? ...an OS that can be rooted by a fucking website.

If that is your measure, the answer to the question you pose is July 15th 2011. That was when the last version of iOS that could be rooted via a website was replaced.

4.3.3 could be jailbroken via website, 4.3.4 would not.

5.x has been out since Oct 2011.

Personally I'd say a better measure is the amount of malware. And on that measure, Android has always been many times worse than iOS.

Re:You have to be kidding

[wvmarle]

Afaik most Android malware is not from the Play Store, but from third-party Android stores.

And besides Play Store does have accountability: every developer has to register, and pay a small one-off registration fee as form of identification.

Re:You have to be kidding

[jsvk]

the exploit you're talking about existed for 1 or 2 minor version numbers, and can no longer be exploited (including by the device owner) due to the OS version(s) no longer being installable without jumping through some hoops (apple's server no longer signs off on the installation). It was a bug in the PDF renderer for safari, for anyone wondering.

Rooting iOS devices remains a hunt for exploits in every version release, and no one's ever sure if and when the next version's exploit will be released. Many 4S/iPad users on iOSv5.1 are have been stuck using a jailed, but perfectly secure device for months now, with no guarantee that the jailbreak will come anytime soon.

Each version makes iOS more and more secure, and there's no guarantee Apple won't eventually release a perfectly secure, jailed OS, and I hope at that point this OS dies off, but that may be asking too much.

Re:"has kept Apple's iOS ecosystem free of viruses

[kthreadd]

Flashback is a trojan, not a virus. And it only affects OS X, not iOS. If someone knows of an actual virus for iOS (and for OS X too by the way) I'm very interested to know about it.

Rampant Fanboyism

[Thumper_SVX]

Wow... the last time I saw such rampant fanboyism is when I badmouthed the original iPad here on Slashdot on the day of release. Of course, every one of my comments was completely on the mark... and this from someone who still has an original iPad that gets used when I take business trips and almost no other time in my life. But I digress.

Seriously? I had to do a doubletake when I read the summary, and had to take a few more when I read the article. I have run an Android phone for over a year now and I am seriously happy with it. It's not failing under the "crushing weight of viruses" any more than my aging but still useful iPhone 3GS is (I use it as an iPod because I bought into the iTunes ecosystem years ago and it happens to integrate beautifully with my car). I install apps on both depending on my utilization and needs, and neither has been unduly burdened with malware. Of course, my Android phone actually tells me what an application wants to do while I install it, thus providing the knowledgeable user some modicum of security. And yes, every app I install I read those and make a decision whether the app is asking for appropriate rights or not. And yes, I've refused some apps because of it. Of course, I AM a knowledgeable user and that kind of security doesn't help Joe Schmoe with his free smartphone with a 2 year contract and no lube... but one of the central tenets of security is that people are the weakest link in any security chain and that will never change.

So far I've found my only complaint with Android is that it fails under the crushing weight of battery technology that can't cash the check the manufacturers of the device wrote. But at least with Android I can have a second battery hanging around that I can swap in at any time... can't do that with an iPhone unless you're a really determined hardware hacker. Yes, I can improve it slightly by turning off all my antennae but then I am running a dumb phone with games on it... I have a smartphone so it can be connected anywhere at any time. Of course, many of the apps I install probably don't help... but that's a choice I make. Because the charging port is completely standard I just took my charger and left it at work; I use my Kindle's charger at home to keep my phone charged at night because really... how often do I need my Kindle?

As a past and current iOS user (sometimes), AND an Android user I find the article FUD. Actually, can I mod it trollbait?

Re:"has kept Apple's iOS ecosystem free of viruses

[Entrope]

That is a distinction that the study apparently did not make, because it talks about "malicious code" rather than viruses. In fact, most of the malicious apps that one hears about are spyware or trojans rather than viruses.

Re:You have to be kidding

[PapayaSF]

And besides Play Store does have accountability: every developer has to register, and pay a small one-off registration fee as form of identification.

But as the article points out, Apple requires verification of a developer's identity, and Google does not, so a malware author who gets banned from Play can just sign up under a new identity.

Plus:

Beyond that, Guido said that Apple's iOS ecosystem has put controls in place that squeeze malware authors in other ways. An automated and manual application vetting system includes static analysis of compiled binaries that make it very difficult for developers to merely repackage malicious or legitimate applications for sale on the AppStore. That prevents infections of Trojaned applications like the DroidDream malware, which frequently popped up on Google's Android Market.

Re:You have to be kidding

[BasilBrush]

You're showing your ignorance again. Apple did care about it, and that's what got the rule about asking for user permission before uploading contact details came from. A rule which Path now adheres to, which is why it's still in the App Store.