Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
Thread beginning with comment 557286
RE[3]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 00:21 UTC in reply to "RE[2]: it happens to everyone"
Alfman Member since:
2011-01-28

Tony Swash,

Do you have evidence at all that iOS as an operating system is technically more secure than any of the other mobile platforms, or are you claiming things merely because they fit within your world view? It's a serious question. Please provide a source with real details explaining exactly how the iOS operating system is more secure, without any of the usual Apple fanboy spin-doctored BS.


As for the walled garden, the iPhone store moderators are notorious for scrutinizing applications based on morality and banned functionality, but what indication do you have that applications get any attention from a qualified security expert?

It's not like vulnerable iPhone applications are unfounded or rare. I'm citing a few examples here, but known iOS app vulnerabilities are not rare. These aren't Apple's own vulnerabilities, but it does show that Apple's guardians are not doing a great job of vetting app security in the Apple store. It would seem Apple isn't as good at security as independent security auditors.

http://seclists.org/fulldisclosure/2013/Feb/91
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2012-10/msg0...
http://packetstormsecurity.com/files/120397/VL-864.txt
http://seclists.org/fulldisclosure/2013/Mar/8
http://www.exploit-db.com/exploits/24484/
http://cxsecurity.com/issue/WLB-2013020090

Apple's own iOS software has had its own history of serious vulnerabilities as well. Some of these flaws are actually what permit us to jailbreak the iPhone(s) in the first place.

http://browsers.about.com/b/2007/08/02/iphone-update-fixes-serious-...
http://blogs.mcafee.com/mcafee-labs/iphone-dos-vulnerability
http://securitywatch.pcmag.com/apple/283835-iphone-ipad-jailbreak-w...
http://www.pcworld.com/article/169436/Black_Hat_Reveals_iPhone_SMS_...
http://www.computerweekly.com/news/1280090073/Apple-races-to-fix-iP...
http://theiphonewiki.com/wiki/AT+XAPP_Vulnerability


I'm not a security researcher myself, so I cannot say how iOS stacks up to Android or anything. But the OP was onto something when he said it happens to everyone.

Reply Parent Score: 6

Tony Swash Member since:
2009-08-22

Tony Swash,

Do you have evidence at all that iOS as an operating system is technically more secure than any of the other mobile platforms, or are you claiming things merely because they fit within your world view? It's a serious question. Please provide a source with real details explaining exactly how the iOS operating system is more secure, without any of the usual Apple fanboy spin-doctored BS.


First of all, a general point. Apple screens all software before allowing it to appear in the iOS app store. Google does not screen apps before allowing them to appear in Google Play.

I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible.

Clearly, with the volume of apps being processed, mistakes can and will be made, and malware could get through any screening process. However, it appears that the number of malware apps getting through the iOS screening process is vanishingly small, and they are quickly removed on detection.

Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonably competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets. All too often debates about relative security performance wander into the theoretical and focus on the obscure security potential of issues associated with particular pieces of code or particular security arrangements whilst ignoring the real world security performance of different systems and platforms. It's all very well being concerned that security breach 'X' on one platform is in theory worse than security breach 'Y' on another, but if it turns out that in the real world security breach 'Y' has actually been used 100,000 times on actual victims and breach 'X' has never been used on any actual victims, then I would consider it reasonable to say that security breach 'Y' is a worse security problem.

In the realm of mobile platforms there are independent studies conducted at regular intervals using large data sets that attempt to measure the relative amounts of malware on different mobile platforms. The conclusions of all these studies by different security companies are all broadly the same, which is that mobile malware is overwhelmingly a problem of the Android OS and is vanishingly small on the iOS platform.

This PDF of the Mobile Threat Report from F-Secure Labs dated Q4 2012 is representative of the sorts of results you see from many such reports:

http://www.f-secure.com/static/doc/labs_global/Research/Mobile%...

As you can see, the report says that observed malware by platform at the end of 2012 was as follows:

Android 79%
Symbian 19%
iOS 0.7%

The fact that the pattern of many different reports on real world security problems on mobile platforms broadly paints the same picture means, I think, one can have a high confidence that they are broadly accurate in two important conclusions:

Malware on mobile is an Android problem.

Malware on Android is getting worse.

Edited 2013-04-02 11:47 UTC

Reply Parent Score: 1

Thom_Holwerda Member since:
2005-06-29

The quoted study is being misinterpreted all over the web in yet another shining example of modern journalists and bloggers not having a single f--king clue about statistics and numbers.

That "79%" sounds very scary indeed. However, all it means is that 79% of the encountered malware families occurred on Android. That's it. The report has NOTHING, and I repeat, NOTHING, to say about how many Android devices were actually infected by malware. Still, idiots present it as such, which is exactly what F-Secure - an antivirus peddler - knew it would do.

In simpler terms: saying that 79% of flu strains affect humans is completely irrelevant information when you want to know how many humans are affected by flu strains.

If, after all these years, someone still presents numbers from antivirus peddlers as-is, you know said someone is either stupid, or has an agenda.

Edited 2013-04-02 11:50 UTC

Reply Parent Score: 4

JAlexoid Member since:
2009-05-19

Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonable competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets.


Yes. Security breaches and exploits. Of which Android has suffered no more or less than iOS. (Even if you include such blunders as full RAM access by Samsung.)

But obviously, you will count user negligence as a security breach or exploit against your opponents when it suits you. You know, discounting social engineering that results in hundreds of dollars lost via IAP on iOS. Because user negligence is not the same as social engineering, when it comes to Apple...

The fact is - malware on Android is a regional and very localized problem. Much more so than even Windows. Google can't and shouldn't solve it. At most they can do malware scanning in the Play Store.

And the fact that F-Secure didn't state the level of threat coming from Play Store tells us that Google is doing a damn good job. Otherwise the title of that report would have been "Google Play Store is infested with malware - run for your lives!!! or buy our product..."

Reply Parent Score: 3

RE[5]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 15:55 in reply to "RE[4]: it happens to everyone"
Alfman Member since:
2011-01-28

Tony Swash,

"First of all a general point. Apple screens all software before allowing it to appear in the iOS app store. Google does not screen apps before allowing it to appear in Google Play."

I asked about "iOS as an operating system" specifically because I wanted to know whether there is anything iOS is really doing better with regards to security. I'm going to interpret the evasive response as a "no, there are no technical security advantages within iOS itself". Please correct me with specifics if this is wrong, but spare me the fanboy spin.



"I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible"

Of course I think security screening can help catch malware, but I'm not even sure there's much of that going on in Apple's store. Consider that even if the Q/A process has no security checks whatsoever, merely testing whether the application does what it advertises can significantly raise the barrier for malware authors who don't want to write fully functional applications as part of their malware scheme. Do you know for a fact (with credible sources) that apps in Apple's store undergo any security checks at all?


"Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonable competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets."


That's true in principle, but all too often someone ends up comparing apples and oranges, especially when one party is transparent about disclosing information and the other party is actively covering it up. Open source systems often set a very high bar for full disclosure (every single breach is public information). When other platforms aren't as forthcoming it can easily paint a false picture. I don't know how to solve this asymmetric disclosure conundrum, or even how to measure the extent of the problem.


"Malware on mobile is an Android problem."

There's no doubt many malware authors are targeting the Android store because of its lenient store policies. If Android tightened up its store, more malware authors would probably spread their efforts elsewhere.

"Malware on Android is getting worse."

How do you know that?


I've said this before, but my opinion is that the best approach to app stores (for both Google and Apple) would be to have one repository for certified / well tested apps, and another more inclusive repository for "use at your own risk" apps. This would appease both types of crowds and give consumers the benefit of making up their own minds how to use their own devices: either within the confines of the walled garden, or allowed to explore the forest beyond.

Edited 2013-04-02 16:03 UTC

Reply Parent Score: 2