Accountability, Not Code Quality, Makes iOS Safer Than Android

chicksdaddy writes "Threatpost is reporting on a new study of mobile malware that finds accountability, not superior technology, has kept Apple's iOS ecosystem free of viruses, even as the competing Android platform strains under the weight of repeated malicious code outbreaks. Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners told attendees at the SOURCE Boston Conference on Thursday about an empirical analysis of existing malicious programs for the Android and iOS platforms which shows that Google is losing the mobile security contest badly — every piece of malicious code the two identified was for the company's Android OS, while Apple's iOS remained free of malware, despite owning 30% of the mobile smartphone market in the U.S. Apple's special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices."

You have to be kidding

[Anonymous Coward]

Since when is the iOS more secure? The latest Android has a very stable code and a solid permission system that allows the user to set exactly what an app can or can't do. This in contrast to an OS that can be rooted by a fucking website.

what counts as malware..

[gl4ss]

..and how would they detect it on the ios? they just said that there is _zero_ malware, yet there's plenty of ios games/apps which leak all your contact info?(as is there for android).

(and the accountability part is that it takes a little more checks to get yourself identified as a publisher for itunes appstore.. however.. it doesn't take that much, there is and has been plenty of unauthorized distribution of asian comics etc there)

I haven't identified any iOS malware either, but that could be because I haven't looked for any(just not my field).

Freedom has it's risks

[Zico]

Guess what?! Freedom comes with risks! I don't make any decision until I weigh the pros and cons and do a bit of research, and yes, this includes any and all apps I may want to use.

Re:You have to be kidding

[ircmaxell]

This. Very much this.

This article is pure FUD. Plain and simple.

Malware, by its very definition [us-cert.gov] is:

Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.

Android requires that you give consent, since it tells you what permissions the application needs prior to installing it. So by very definition, these data leakages on Android are not malware. The user said it was ok for that application to collect that data.

Re:Freedom has it's risks

[Anonymous Coward]

Freedom has little risks compared to looking to be "taken care of".

Re:Freedom has it's risks

[vakuona]

And that is why the Android model is flawed. Not fatally mind you, but flawed nonetheless.

You can't expect people to have to audit every bit of software that they install on their smartphone. In fact, it ought to be reasonable for users to expect software they download off the official repositories (App Store, Market) to be malware free.

And yes freedom comes with risks. But freedom also allows users to choose a phone that doesn't require them to expend more effort than necessary to be able to do what they require. Don't forget, a smartphone is a luxury, not a necessity.

Re:You have to be kidding

[Anonymous Coward]

and what percentage of phones out there have the latest Android release? My Galaxy S2 is still waiting...

Re:Apple Fanboi article

[Sponge Bath]

I would not be so quick to label it Apple Fanboy.

FTA: "despite accounting for <strike>more than 40%</strike> 30% of the same market."

Seems like a jab at falling market share. I think the real motivation behind the article is inflammatory statements to get views.

This just in

[GameboyRMH]

Crushing authoritarianism leads to lower crime, worth the misery? Film at 11.

Re:You have to be kidding

[Anonymous Coward]

Could you post the link, please? Seriously. I have an iPhone 3GS which I want to jailbreak to use with another phone carrier, but it has been updated to ios 5.1 and nothing I find (whited00r, redsn0w, tinyumbrella etc) seems to work. The most I've been able to is make the phone boot with a non-working 3G/Wifi radio, which defeats the device being a mobile. Fucking Apple support doesn't want to make it free, and my old operator says it has been freed (my ass).

Please, post the link, it would have saved me a week of failed hacking attempts so far!

Re:Is this Covert Advertising for Apple's Ecosyste

[Clsid]

Call it whatever you want, but we just got the first major malware outbreak in OS X recently after so many years. On the iPhone that is unheard of. Much as in the Windows world and the much hated Vista security system that kept asking you, do you want to do this, or allow that?, that security model is fail since regular users will start saying yes to everything and then end up with a problem. Call Apple what it is, an overpriced hardware/software company that likes to keep the lid closed, but as far as their products running trouble free in general, I will have to agree with the article. But hey, everybody is free to think whatever they want.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:You have to be kidding

[Black Parrot]

This article is pure FUD. Plain and simple.

Can't imagine that a company called "iSEC" would be biased on this matter.

Re:Freedom has it's risks

[QuasiSteve]

It's pretty easy to determine that a game does not need to capture your keystrokes, and if a cool tool to change the wall paper needs "access to your Google account" then there's obviously something odd going on.

Certainly, but even when setting aside that people ignore this all too easily because they simply want the shiny, your examples are obvious.

What if a chat app wants access to the internet, your contacts, and your phone?
Well the internet makes sense - can't very well expect an app that is intended for chatting to not have that connectivity.

Contacts also makes sense because in combination with the phone, it allows the app to send a text message if you have no internet connectivity or simply choose to use SMS instead of its internet-based chat functionality.

So you install the app, and the app sends all your text for datamining to China, all of your contacts to some company in Bulgaria, and sends a bunch of texts to expensive SMS service numbers.
Oh, and it also lets you chat with people, so as far as you know, it's doing exactly as advertised.

This is no different on any other platform, of course. It may have been different in the early days of the iPhone, but I rather doubt that they still check each and every app before making them available and instead rely on exactly what the article says.. accountability.. you only get away with malware once unless you also manage to fool Apple into allowing you a new account. But to the end-user(s), the damage is already done anyway.

Re:But the Apple factor?

[wvmarle]

Being accountable does help keeping people honest. Knowing you will get away with taking a fistful of dollars from the cash register versus knowing that the management will realise that there is money missing from your cash register makes a big difference.

Security is all about layers. Accountability is just one of them, and it is an important one.

Re:what counts as malware..

[BasilBrush]

As a tul of thumb:

Uploading your contact data for the purposes of expected social connections within the app is not malware. It's not the way it should be done, and poses a security risk if the server is compromised. But there is no mal-intent there. Nevertheless such practice is now explicitly banned without asking the users permission via a dialog at the time.

Uploading your contact details to a server for the purposes of mailing lists, tracking outside of the intended application domain would be malware.

The former is what was flagged up for iOS.

Android meanwhile suffers from both, and much, much worse, such as malware sending premium rate SMSs, thus potentially causing users severe financial losses.

Re:Freedom has it's risks

[BasilBrush]

Guess what?! Freedom comes with risks! I don't make any decision until I weigh the pros and cons and do a bit of research, and yes, this includes any and all apps I may want to use.

That's a pretty high cost. A bit like living in a ghetto, and having to consider your personal safety every time you go out, versus living in a nice, safe, pleasant community.

Re:You have to be kidding

[Anonymous Coward]

There's a number of things you're missing. Most importantly: practically everyone would consider trojan horses to be malware, or at least an important security issue. Just because the user checked a box somewhere doesn't mean that trojans don't count.
Beyond that, trojan horses are due to their very nature less useful in an environment where accountability is higher. This is definitely the case with Apple/iOS, and has lead to a large number of false positives and censorship by Apple, both of which have been discussed at length here on slashdot.
Thirdly, unlike Android, I haven't seen any major and widely-reported breaches of apple devices, despite widely-available jailbreaking tools. This surprises me quite a bit. According to the iPhone users I've asked about this they claim that the cause is that most jailbreaks these days work through a physical connection (ie. with a computer).

Android may be more secure in capable hands, but the average user is safer in an environment where available software is code-signed and strictly supervised, either by a single entity such as Apple's iOS market or by the community such as the debian repositories.

Re:You have to be kidding

[Anonymous Coward]

Sure, but if the user is asked for every app whether to share data, the act of sharing data then becomes a standard part of the install. Very technically aware users will make use of this, but for most users it's effectively worthless: it's just another mind-numbingly annoying button you click for the app to run, like EULAs almost no one reads. (Just to be clear, I'm not really arguing about Android vs. iOS, I'm just pointing out the generally low value of relying on users giving consent for an install.)

Re:what counts as malware..

[chrb]

..and how would they detect it on the ios?

Good point. The security researchers who identified some of the Android malware visited third party Android app stores and downloaded all of the apps so that they could build up a huge app corpus, which they could then scan (static analysis) for malware suggestive signatures. They stated that they couldn't do the same with the iPhone because Apple prohibits mass downloading of iPhone apps in order to build an iPhone app corpus. So the only people who can look for malware across the whole range of iPhone apps is Apple, and it seems unlikely that they would announce if they found any malware, when they can instead just silently remove it from the app store.

Re:You have to be kidding

[kthreadd]

I like Android, but what has kept me away from it is that I have not found an Android phone that consistently gets new updates after they are released for a long period of time. Sure, Apple makes mistakes like this but the important thing is that they shipped an update and basically all affected phones got it even if they were a couple of years old.

Let's say that the same thing happened to Android. How large percentage of Android phones would even get the update at all?

Re:You have to be kidding

[mkraft]

I'm not sure why this was modded insightful, let alone +5 since if you read TFA you'd know that they weren't saying that iOS is more secure, only that there are virtually no delivery mechanism for malware because of Apple's app store policies of requiring real world identification of an app author to publish apps in the app store. That and iOS apps are more restricted in what they can do over Android apps.

That's the problem when articles like this hit Slashdot. Rabid fanboys (Apple and Google) start posted without even reading the article. The same thing with modders.

Re:Freedom has it's risks

[BasilBrush]

You CHOSE to upgrade your iPhones to the latest iOS version, that iOS version wasn't supported by the version of iTunes you had on your computer, so you CHOSE to upgrade iTunes too.

The fact that one software product is only compatible with certain version numbers of another software product doesn't make for a forced upgrade.

Re:You have to be kidding

[MacDork]

What about the Path app. [arstechnica.com] It would steal your address book and private photos. It's recent and very high profile. That's not malware?

I find it very suspicous that their "empirical analysis" didn't uncover a single bit of "malware" on iOS. Mod article Troll.

Re:You have to be kidding

[Deorus]

Wow! What a fair and unbiased comparison! A year old iOS version that anyone with an at least 3 year old iPhone could and should have upgraded from, versus the latest Android version that most people can't upgrade to! Rated Insightful, of course, because there's a lot of circle jerk insight in that nonsense of a post!

This is not even to mention that the article has nothing to do with the security of the platform itself but rather its exposure to malware, but hell, let us make it about security and debate the merits of each platform, shall we?

I find it interesting how ignorant some Android fanboys are regarding iOS' sandbox, which is extremely restrictive and does not, by design, allow apps to do anything too fishy even if all permissions are granted. At most an app may be able to pull up your contacts without your permission or access call information, but not much beyond that without the user being notified unless they pierce through the sandbox. An app can't keep itself running in the background for longer than 10 minutes (unless specific profiles that permit so are chosen and approved by Apple for each app), run any kind of code not present during the approval process (meaning it's not OK to download code unless it's an in-app purchase, which may be free, and this includes interpreting code other than HTML and Javascript on Safari, which is why emulators are not permitted), launch or interact directly with other applications unless they register themselves as resource handlers (even running a secondary executable within your own application will result in iOS completely obliterating it without even bothering to inform any attached debuggers of what happened).

In essence, the article hits the spot by claiming that it is the screening process and its walled gardens that keep the nastiness away. It's simply not worth developing malware for iOS, you don't have much to gain by doing it, either you pierce through the sandbox and your app will be rejected (with potential consequences to your developer and / or publisher certificates) or you can be easily detected by any user. There are exceptions, of course, but compared to Android, they are very few in number.

Re:But the Apple factor?

[Tore S B]

Actually, human beings are social animals, and accountability can actually worsen security if it weakens a perception of a bond of trust, which might very well be more effective. Accountability can be circumvented, expectations of honesty cannot. In terms of the cash register, keeping the balance is probably a good idea, but there are other situations and I just wanted to nuance this very American notion that interpersonal trust is equal to weakness.