Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
Thread beginning with comment 557338
RE[5]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 15:55 UTC in reply to "RE[4]: it happens to everyone"

Tony Swash,

"First of all a general point. Apple screens all software before allowing it to appear in the iOS app store. Google does not screen apps before allowing it to appear in Google Play."

I asked about "iOS as an operating system" specifically because I wanted to know whether there is anything iOS is really doing better with regards to security. I'm going to interpret the evasive response as a "no, there are no technical security advantages within iOS itself". Please correct me with specifics if this is wrong, but spare me the fanboy spin.

"I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible"

Of course I think security screening can help catch malware, but I'm not even sure there's much of that going on in Apple's store. Consider that even if the Q/A process has no security checks whatsoever, merely testing whether the application does what it advertises can significantly raise the barrier for malware authors who don't want to write fully functional applications as part of their malware scheme. Do you know for a fact (with credible sources) that apps in Apple's store undergo any security checks at all?

"Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonably competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets."

That's true in principle, but all too often someone ends up comparing apples and oranges, especially when one party is transparent about disclosing information and the other party is actively covering it up. Open source systems often set a very high bar for full disclosure (every single breach is public information). When other platforms aren't as forthcoming it can easily paint a false picture. I don't know how to solve this asymmetric disclosure conundrum or even how to measure the extent of the problem.

"Malware on mobile is an Android problem."

There's no doubt many malware authors are targeting the Android store because of its lenient store policies. If Android tightened up its store, more malware authors would probably spread their efforts elsewhere.

"Malware on Android is getting worse."

How do you know that?

I've said this before, but my opinion is that the best approach to app stores (for both Google and Apple) would be to have one repository for certified / well tested apps, and another more inclusive repository for "use at your own risk" apps. This would appease both types of crowds and give consumers the benefit of making up their own minds how to use their own devices: either within the confines of the walled garden, or allowed to explore the forest beyond.

Edited 2013-04-02 16:03 UTC