Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
RE[4]: it happens to everyone
by Tony Swash on Tue 2nd Apr 2013 11:41 UTC in reply to "RE[3]: it happens to everyone"
Tony Swash
Member since:
2009-08-22

Tony Swash,

Do you have evidence at all that iOS as an operating system is technically more secure than any of the other mobile platforms, or are you claiming things merely because they fit within your world view? It's a serious question. Please provide a source with real details explaining exactly how the iOS operating system is more secure without any of the usual Apple fanboy spin-doctored BS.


First of all, a general point. Apple screens all software before allowing it to appear in the iOS App Store. Google does not screen apps before allowing them to appear in Google Play.

I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible.

Clearly, with the volume of apps being processed, mistakes can and will be made, and malware could get through any screening process. However, it appears that the number of malware apps getting through the iOS screening process is vanishingly small, and they are quickly removed on detection.

Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonably competent measurements of actual real-world security breaches and malware exploits based on large samples and large data sets. All too often, debates about relative security performance wander into the theoretical and focus on the obscure security potential of issues associated with particular pieces of code or particular security arrangements, whilst ignoring the real-world security performance of different systems and platforms. It's all very well being concerned that security breach 'X' on one platform is in theory worse than security breach 'Y' on another, but if it turns out that in the real world security breach 'Y' has actually been used 100,000 times on actual victims and breach 'X' has never been used on any actual victims, then I would consider it reasonable to say that security breach 'Y' is a worse security problem.

In the realm of mobile platforms there are independent studies conducted at regular intervals using large data sets that attempt to measure the relative amounts of malware on different mobile platforms. The conclusions of all these studies by different security companies are broadly the same, which is that mobile malware is overwhelmingly a problem of the Android OS and is vanishingly small on the iOS platform.

This PDF of the Mobile Threat Report from F-Secure Labs dated Q4 2012 is representative of the sorts of results you see from many such reports:

http://www.f-secure.com/static/doc/labs_global/Research/Mobile%...

As you can see from the report, it says that observed malware by platform at the end of 2012 was as follows:

Android 79%
Symbian 19%
iOS 0.7%

The fact that the pattern of many different reports on real-world security problems on mobile platforms broadly paints the same picture means, I think, that one can have high confidence that they are broadly accurate in two important conclusions:

Malware on mobile is an Android problem.

Malware on Android is getting worse.

Edited 2013-04-02 11:47 UTC

Reply Parent Score: 1

Thom_Holwerda Member since:
2005-06-29

The quoted study is being misinterpreted all over the web in yet another shining example of modern journalists and bloggers not having a single f--king clue about statistics and numbers.

That "79%" sounds very scary indeed. However, all it means is that 79% of the encountered malware families occurred on Android. That's it. The report has NOTHING, and I repeat, NOTHING, to say about how many Android devices were actually infected by malware. Still, idiots present it as such, which is exactly what F-Secure - an antivirus peddler - knew it would do.

In simpler terms: saying that 79% of flu strains affect humans is completely irrelevant information when you want to know how many humans are affected by flu strains.

If, after all these years, someone still presents numbers from antivirus peddlers as-is, you know said someone is either stupid, or has an agenda.

Edited 2013-04-02 11:50 UTC

Reply Parent Score: 4
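The statistical point in the comment above (a platform's share of observed malware families says nothing about what fraction of its devices are infected) can be made concrete with a small script. This is an added example and not part of the original thread or of the F-Secure report; the per-platform numbers in SAMPLE are constructed for illustration and are not real measurements.

```python
"""Family share vs. infection prevalence, computed on a constructed sample.

Shows why "79% of malware families were on platform P" and "P has the
most infected devices" are different claims that need not agree.
"""
from collections import namedtuple

Platform = namedtuple(
    "Platform", "name families devices_sampled devices_infected"
)

# Constructed sample (assumption, not data from any real report).
# 'families' is the number of distinct malware families seen on the
# platform; 'devices_*' are a hypothetical telemetry sample.
SAMPLE = [
    Platform("Android", families=79, devices_sampled=100_000, devices_infected=150),
    Platform("Symbian", families=19, devices_sampled=5_000, devices_infected=250),
    Platform("iOS", families=1, devices_sampled=60_000, devices_infected=6),
]


def family_share(sample):
    """Fraction of all observed malware families per platform.

    This is the figure a "X% of mobile malware targets P" headline reports.
    """
    total = sum(p.families for p in sample)
    return {p.name: p.families / total for p in sample}


def infection_prevalence(sample):
    """Fraction of sampled devices per platform that were actually infected.

    This is the figure a user or defender cares about, and it is not
    derivable from family counts at all.
    """
    return {p.name: p.devices_infected / p.devices_sampled for p in sample}


def rank(metric):
    """Platform names ordered from highest to lowest value of a metric."""
    return sorted(metric, key=metric.get, reverse=True)


def metrics_disagree(sample):
    """True when the two metrics rank the platforms differently."""
    return rank(family_share(sample)) != rank(infection_prevalence(sample))


if __name__ == "__main__":
    for label, metric in (
        ("share of malware families", family_share(SAMPLE)),
        ("infected fraction of sampled devices", infection_prevalence(SAMPLE)),
    ):
        print(label)
        for name in rank(metric):
            print(f"  {name:8s} {metric[name]:.4%}")
    print("rankings disagree:", metrics_disagree(SAMPLE))
```

On this constructed sample Android carries about 80% of the families yet a far smaller fraction of infected devices than Symbian, so the two metrics order the platforms differently; whichever direction the real numbers point, a family count alone cannot settle it.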

Tony Swash Member since:
2009-08-22

If, after all these years, someone still presents numbers from antivirus peddlers as-is, you know said someone is either stupid, or has an agenda.


Sounds a bit complacent to me. I wonder what your position would have been if it was reported that 79% of malware was found on iOS? Less complacent I suspect.

A report from www.mobilesandbox.org, a site that collects information about malware on Android, found that out of the 300,000 new Android apps on Android stores in 2012, 43,000 were malicious apps in 115 different malware families. Most of the fake apps were downloaded from Russian and Asian third-party app stores, but 13 malware families were also found on the official Google Play Store. It's possible to assume that very few people are downloading those apps and hence that the actual rate of malware infections is very low, but I would like to understand the reasons for assuming such a thing and the evidential basis supporting such reasoning.

According to a recent report from the security firm Kaspersky, 99 percent of all new malware attacked the Android platform last year. That was a continuation of the trend from 2011, which registered an explosive growth in Android malware.

During 2011, an average of 800 new types of malicious programs were discovered every month, and this figure rose in 2012 to a whopping 6,300 programs.

"Android is the world's most widely used smartphone operating system, so it is not surprising that it is also the hacker's favorite goal. But it has probably surprised many people, including myself, that it's as much as 99 percent", security expert Kevin Freij from MYMobileSecurity said.

Again, one could assume that all those malware programs on Android are failing to actually infect any end user, even though the writers of Android malware seem to be increasing their efforts, hence the explosive growth, but again I would like to understand the reasons for assuming such a thing and the evidential basis supporting such reasoning.

It's perfectly fine to argue that it is better for various reasons if one does not lock the door to one's house, but it is mendacious to suggest that leaving one's door unlocked is as secure as locking it.

Reply Parent Score: 1

JAlexoid Member since:
2009-05-19

Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonably competent measurements of actual real-world security breaches and malware exploits based on large samples and large data sets.


Yes. Security breaches and exploits. Of which Android has suffered no more or less than iOS. (Even if you include such blunders as full RAM access by Samsung.)

But obviously, you will count user negligence as a security breach or exploit against your opponents when it suits you. You know, discounting social engineering that results in hundreds of dollars lost via IAP on iOS. Because user negligence is not the same as social engineering, when it comes to Apple...

The fact is - malware on Android is a regional and very localized problem. Much more so than even Windows. Google can't and shouldn't solve it. At most they can do malware scanning in the Play Store.

And the fact that F-Secure didn't state the level of threat coming from Play Store tells us that Google is doing a damn good job. Otherwise the title of that report would have been "Google Play Store is infested with malware - run for your lives!!! or buy our product..."

Reply Parent Score: 3

RE[5]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 15:55 in reply to "RE[4]: it happens to everyone"
Alfman Member since:
2011-01-28

Tony Swash,

"First of all, a general point. Apple screens all software before allowing it to appear in the iOS App Store. Google does not screen apps before allowing them to appear in Google Play."

I asked about "iOS as an operating system" specifically because I wanted to know whether there is anything iOS is really doing better with regards to security. I'm going to interpret the evasive response as a "no, there are no technical security advantages within iOS itself". Please correct me with specifics if this is wrong, but spare me the fanboy spin.



"I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible"

Of course I think security screening can help catch malware, but I'm not even sure there's much of that going on in Apple's store. Consider that even if the QA process has no security checks whatsoever, merely testing whether the application does what it advertises can significantly raise the barrier for malware authors who don't want to write fully functional applications as part of their malware scheme. Do you know for a fact (with credible sources) that apps in Apple's store undergo any security checks at all?


"Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonable competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets."


That's true in principle, but all too often someone ends up comparing apples and oranges, especially when one party is transparent about disclosing information and the other party is actively covering it up. Open source systems often set a very high bar for full disclosure (every single breach is public information). When other platforms aren't as forthcoming it can easily paint a false picture. I don't know how to solve this asymmetric disclosure conundrum or even how to measure the extent of the problem.


"Malware on mobile is an Android problem."

There's no doubt many malware authors are targeting the Android store because of its lenient store policies. If Android tightened up its store, more malware authors would probably spread their efforts elsewhere.

"Malware on Android is getting worse."

How do you know that?


I've said this before, but my opinion is that the best approach to app stores (for both Google and Apple) would be to have one repository for certified / well-tested apps, and another more inclusive repository for "use at your own risk" apps. This would appease both types of crowds and give consumers the benefit of making up their own minds how to use their own devices: either within the confines of the walled garden, or allowed to explore the forest beyond.

Edited 2013-04-02 16:03 UTC

Reply Parent Score: 2