Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
Thread beginning with comment 557283
RE[2]: it happens to everyone
by Tony Swash on Mon 1st Apr 2013 23:01 UTC in reply to "RE: it happens to everyone"
Tony Swash Member since:
2009-08-22

Of course, the difference is that those were relatively new flaws, while Apple has consistently released products with security vulnerabilities that everyone else learned how to avoid years (if not decades) ago. That, and Microsoft/Google tend to fix those issues quickly, as opposed to Apple's approach of "steadfastly deny that the problem even exists, then maybe get around to fixing it after 2-3 weeks of bad press."


The fact that Apple could do more on security and the fact that Apple, like everyone in the tech business, faces escalating and mutating threats which they sometimes initially fail to spot is obviously true, but I find the way that Google and Microsoft are held up as paragons of security virtue to be risible. One of those companies makes the desktop PC OS upon which 90% plus of actual real world malware exploits take place and the other makes the mobile OS upon which 90% plus of actual real world malware exploits take place.

As far as consumers are concerned Microsoft systematically and comprehensively lost its reputation in relation to security because of the vast global ecosystem of criminal malware that developed on its platform. Slamming the barn door after that horse bolted will not get that reputation back, it's probably gone for good.

Because in the real world almost no Apple desktop customers ever experienced any actual security problems Apple created a premium brand in relation to security which it will only lose if there is a sustained and serious real world malware outbreak on any of its products that adversely affects large numbers of its customers. Apple managed to carry over that solid security reputation into the mobile arena and the security benefits of the curated App store model only enhanced it further. One reason why the iOS app ecosystem grew so vertiginously was because the apps were cheap and safe.

Google and Android are skating on this ice because the rapidly escalating scale of malware on the Android platform has not yet seriously dented its brand, but it could hit a tipping point and then its reputation could seriously suffer.

Because Apple has a premium brand, and one part of that brand is a premium reputation for security amongst the general public, any security weakness is bound to attract a lot of media attention. Apple seem to be taking security very seriously given the scale of corporate hires and investment related to security. iTunes is now the world's largest digital vendor by quite a margin and so is a juicy target and it is partly successful for its ease and convenience so any beefed up security must be as unobtrusive as possible.

I wonder what Apple will do with this technology and when?

http://www.reuters.com/article/2012/07/27/us-authentec-acquisition-...

Score: -3

RE[3]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 00:21 in reply to "RE[2]: it happens to everyone"
Alfman Member since:
2011-01-28

Tony Swash,

Do you have evidence at all that iOS as an operating system is technically more secure than any of the other mobile platforms or are you claiming things merely because they fit within your world view? It's a serious question. Please provide a source with real details explaining exactly how the iOS operating system is more secure without any of the usual Apple fanboy spin-doctored BS.


As for the walled garden, the iPhone store moderators are notorious for scrutinizing applications based on morality and banned functionality, but what indication do you have that applications get any attention from a qualified security expert?

It's not like vulnerable iPhone applications are unfounded or rare. I'm citing a few examples here, but known iOS app vulnerabilities are not rare. These aren't Apple's own vulnerabilities, but it does show that Apple's guardians are not doing a great job of vetting app security in the Apple store. It would seem Apple isn't as good at security as independent security auditors.

http://seclists.org/fulldisclosure/2013/Feb/91
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2012-10/msg0...
http://packetstormsecurity.com/files/120397/VL-864.txt
http://seclists.org/fulldisclosure/2013/Mar/8
http://www.exploit-db.com/exploits/24484/
http://cxsecurity.com/issue/WLB-2013020090

Apple's own iOS software has had its own history of serious vulnerabilities as well. Some of these flaws are actually what permit us to jailbreak the iPhone(s) in the first place.

http://browsers.about.com/b/2007/08/02/iphone-update-fixes-serious-...
http://blogs.mcafee.com/mcafee-labs/iphone-dos-vulnerability
http://securitywatch.pcmag.com/apple/283835-iphone-ipad-jailbreak-w...
http://www.pcworld.com/article/169436/Black_Hat_Reveals_iPhone_SMS_...
http://www.computerweekly.com/news/1280090073/Apple-races-to-fix-iP...
http://theiphonewiki.com/wiki/AT+XAPP_Vulnerability


I'm not a security researcher myself, so I cannot say how iOS stacks up to Android or anything. But the OP was onto something when he said it happens to everyone.

Score: 6

Tony Swash Member since:
2009-08-22

Tony Swash,

Do you have evidence at all that iOS as an operating system is technically more secure than any of the other mobile platforms or are you claiming things merely because they fit within your world view? It's a serious question. Please provide a source with real details explaining exactly how the iOS operating system is more secure without any of the usual Apple fanboy spin-doctored BS.


First of all, a general point. Apple screens all software before allowing it to appear in the iOS app store. Google does not screen apps before allowing them to appear in Google Play.

I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible.

Clearly with the volume of apps being processed mistakes can and will be made and malware could get through any screening process. However it appears that the number of malware apps getting through the iOS screening process are vanishingly small and are quickly removed on detection.

Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonably competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets. All too often debates about relative security performance wander into the theoretical and focus on the obscure security potential of issues associated with particular pieces of code or particular security arrangements whilst ignoring the real world security performance of different systems and platforms. It's all very well being concerned that security breach 'X' on one platform is in theory worse than security breach 'Y' on another but if it turns out that in the real world security breach 'Y' has been actually used 100,000 times on actual victims and breach 'X' has never been used on any actual victims then I would consider it reasonable to say that security breach 'Y' is a worse security problem.

In the realm of mobile platforms there are independent studies conducted at regular intervals using large data sets that attempt to measure the relative amounts of malware on different mobile platforms. The conclusions of all these studies by different security companies are all broadly the same, which is that mobile malware is overwhelmingly a problem of the Android OS and is vanishingly small on the iOS platform.

This PDF of the Mobile Threat Report from the F-Secure Labs dated Q4 2012 is representative of the sorts of results you see from many such reports:

http://www.f-secure.com/static/doc/labs_global/Research/Mobile%...

As you can see from the report, it says that observed malware by platform at the end of 2012 was as follows:

Android 79%
Symbian 19%
iOS 0.7%

The fact that the pattern of many different reports on real world security problems on mobile platforms broadly paints the same picture means, I think, one can have a high confidence that they are broadly accurate in two important conclusions:

Malware on mobile is an Android problem.

Malware on Android is getting worse.

Edited 2013-04-02 11:47 UTC

Score: 1