
Apple touts secure design of iOS as Google chief admits Android is best target for malicious hackers - Page 2

post #41 of 85
Quote:
Originally Posted by Zaim2 View Post

The quote the article is based on has been debunked: http://techcrunch.com/2014/02/27/no-googles-sundar-pichai-didnt-say-androids-openness-makes-it-less-insecure/

This is another example of where news needs to have a cooling off period. We need to try and give it a day or two before reacting to it. This happens all the time:

Breaking news! Something that you're going to react to totally happened!
Reaction ensues immediately.
Original source less than 2 days later: Oh, my bad, it didn't happen after all, never mind.

It's good that it's happening against Google this time at least but the focus should be on the real world infection rates. The WSJ published a study recently that showed ~7 million Android devices got infected last quarter:

http://online.wsj.com/article/PR-CO-20140129-904928.html

This represented 60% of mobile infections. The other ~40% were Windows PCs, which they included in the test. iOS and Blackberry were under 1%.

It's not really the prevalence of malware that's the problem. If Android is stopping it then that's fine. Google's choice is they'd rather have the wide distribution and the 7 million people affected are acceptable collateral damage to them. They'd rather have an OS that allows you to install a bitcoin app and accept the possibility that malware can steal the coins:

http://www.eset.com/int/about/press/articles/article/advanced-banking-trojan-hesperbot-which-can-steal-bitcoins-has-new-targets-germany-and-australia/

With iOS, you don't get the apps but your coins can't be stolen on the platform either. Both choices are good, one has a higher unit volume potential, the other higher quality and security potential.

Apple could have the best of both using the equivalent of a virtual machine. Think of a VMWare-like sandbox that you would be allowed to install apps from anywhere and run on your phone but that had no access at all to the hardware-level OS and filesystem. This can be used by developers to run self-signed apps. It could take up more space if it copied the entire OS files but it's no more than 4GB and the people needing this functionality would be happy to compromise this much space. This space would have no access to contacts or root level apps and data - possibly limited/throttled access to mobile data. This would allow 3rd party stores and it wouldn't matter if there was a security issue as it would be contained in the VM. Apple would simply say, if something messes up, reset the VM and that's where their support ends.

Most people won't install the VM and it takes away the desire to jailbreak the OS via security flaws, Apple doesn't need to open source the OS and doesn't need to support 3rd party security vulnerabilities.
post #42 of 85
Quote:
Originally Posted by Marvin View Post

This is another example of where news needs to have a cooling off period. We need to try and give it a day or two before reacting to it. This happens all the time:

Breaking news! Something that you're going to react to totally happened!
Reaction ensues immediately.
Original source less than 2 days later: Oh, my bad, it didn't happen after all, never mind.

It's good that it's happening against Google this time

2nd time in a week too. Remember the story about Google bidding multiple billions for WhatsApp? Not true either as we found out just a couple of days later. In fact they didn't make any buy-out offer to WhatsApp according to them, much less a multi-$B one.
melior diabolus quem scies
post #43 of 85
Quote:
Originally Posted by Marvin View Post

Apple could have the best of both using the equivalent of a virtual machine. Think of a VMWare-like sandbox that you would be allowed to install apps from anywhere and run on your phone but that had no access at all to the hardware-level OS and filesystem. This can be used by developers to run self-signed apps. It could take up more space if it copied the entire OS files but it's no more than 4GB and the people needing this functionality would be happy to compromise this much space. This space would have no access to contacts or root level apps and data - possibly limited/throttled access to mobile data. This would allow 3rd party stores and it wouldn't matter if there was a security issue as it would be contained in the VM. Apple would simply say, if something messes up, reset the VM and that's where their support ends.

Most people won't install the VM and it takes away the desire to jailbreak the OS via security flaws, Apple doesn't need to open source the OS and doesn't need to support 3rd party security vulnerabilities.

You're essentially describing an Android app with no manifest permissions. It's sandboxed, run under its own UID, given no access to anything but its own storage.

The problem is that kernel exploits are harder to prevent, and the update issue bites again. Apple surely could fix this but what motivation do they have to do it? No matter what hypervisor you use, there's lots of potential exploits that would permit elevation. I'm not au fait with iOS' sandboxing but I believe it is pretty similar in extent to Android's and both are still broken on a fairly regular basis (rooting, jailbreaking etc)

Second class apps are never a good idea, Apple has (AFAIK) abandoned using private APIs everywhere too because it is generally a poor design choice so I feel that really it's all or nothing. Apple could certainly limit 'third party' apps from having access to say iCloud APIs, but not even having access to location or accelerometer would limit apps excessively.

post #44 of 85
Quote:
Originally Posted by ItsTheInternet View Post

You're essentially describing an Android app with no manifest permissions. It's sandboxed, run under its own UID, given no access to anything but its own storage.

Not really as it still directly accesses the root OS APIs, an app in a virtual machine accesses a virtual copy of those so it's one layer removed from the root OS so anything like a keylogger would only work inside the VM.
Quote:
Originally Posted by ItsTheInternet View Post

No matter what hypervisor you use, there's lots of potential exploits that would permit elevation.

Is there Windows malware that allows VMWare to exploit OS X? Maybe that's down to the volume of users but it seems like it would be pretty safe.
post #45 of 85
Quote:
Originally Posted by Marvin View Post


Not really as it still directly accesses the root OS APIs, an app in a virtual machine accesses a virtual copy of those so it's one layer removed from the root OS so anything like a keylogger would only work inside the VM.

In the Android case I believe the APIs it has access to are pretty much wrapped versions of the underlying Linux ones. I'm not much of an Android developer though.

Quote:
Is there Windows malware that allows VMWare to exploit OS X? Maybe that's down to the volume of users but it seems like it would be pretty safe.

I doubt there is, but you're 'pretty safe' regardless on Android unless you install apps that want ridiculous permissions. That's the vast majority of 'malware' anyway, people ignoring that the wallpaper app can send SMSs and read their contacts. That and dodgy ad networks trying to harvest information. I'm just pointing out there are no real safeguards that can be ultimately relied upon, Apple's review process has let malicious software through before as well.

post #46 of 85
Quote:
Originally Posted by ItsTheInternet View Post

Uh, Android has a signed boot chain, signed packages, external packages off by default and a manifest based permission framework.

Perhaps before saying what lessons have been learned, you should actually go take those lessons yourself and learn the differences. Windows XP etc were nightmares for security because users would trivially elevate programs to Administrator as it had to be run so often even for things like deleting desktop icons.

Android by default does not permit Administrator level access. Honestly you're completely wrong.

...and if you want to use one of the 500 other program repositories for Android?

This is when "users trivially elevate programs", mainly because they want free (pirated) stuff, like their friends.

I've lost track of the number of people who equate "openness" with the ability to run torrent software on their phone.

Google don't give a shit as long as they can serve their ads.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #47 of 85
Quote:
Originally Posted by hill60 View Post

...and if you want to use one of the 500 other program repositories for Android?

They for the most part, still have to present permissions lists to the user, which the user has to ignore.

Once you have a user ignoring what the screen says, you're left with no other choice but to go with Apple's plan or accept that people can get themselves into trouble. I don't have a problem with the latter as the former is never perfect.

post #48 of 85
Quote:
Originally Posted by ItsTheInternet View Post

They for the most part, still have to present permissions lists to the user, which the user has to ignore.

Once you have a user ignoring what the screen says, you're left with no other choice but to go with Apple's plan or accept that people can get themselves into trouble. I don't have a problem with the latter as the former is never perfect.

So you choose the fingers in the ears, this is not really happening approach.

Meanwhile Apple released this, a PDF which gets pretty heavily into the cryptography behind things like iMessage, iCloud and Keychain.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #49 of 85
Quote:
Originally Posted by hill60 View Post

So you choose the fingers in the ears, this is not really happening approach.

Where did I say that? People do get infected with malware, but the majority of these are trying to install pirated apps or games. This isn't the experience of the 'average' user. It's pointless dumbing things down until there's 0 possibility of attack because that also means there's 0 functionality. As we've recently seen, a single errant line of code can completely destroy a whole series of important security mechanisms for tens if not hundreds of millions of users.

Quote:
Meanwhile Apple released this, a PDF which gets pretty heavily into the cryptography behind things like iMessage, iCloud and Keychain.

Apple's crypto work is generally above par, and it's a real shame that this bug was introduced. Clearly there's some better coding standards that need to be maintained and perhaps a stronger testing process, but these sorts of bugs unfortunately happen everywhere. That's my point in general, that no system is ultimately secure, malware has gotten into all app stores including the pre app-store package repositories used by Linux distributions. It's just a fact of life and permitting free installation is a perfectly viable strategy as long as it's restricted like Google do.

post #50 of 85
Quote:
Originally Posted by hill60 View Post

...and if you want to use one of the 500 other program repositories for Android?

This is when "users trivially elevate programs", mainly because they want free (pirated) stuff, like their friends.

I've lost track of the number of people who equate "openness" with the ability to run torrent software on their phone.

Google don't give a shit as long as they can serve their ads.

Between Verify Apps which checks even side-loaded applications and the official Google Play scans (still called Bouncer AFAIK) there's really a minuscule chance that the average Android user will ever encounter an app that causes them harm even straying once in a while from Google Play. I doubt you personally know of even a single Android user who suffered actual harm from malware despite your apparent wish that it was widespread.

EDIT: Google responds to new malware even quicker than I realized according to this article.
http://blogs.computerworld.com/android/23590/google-android-security
and Verify Apps just got another update, now continuously monitoring.
Edited by Gatorguy - 2/28/14 at 4:25pm
melior diabolus quem scies
post #51 of 85
Quote:
Originally Posted by ItsTheInternet View Post

People do get infected with malware, but the majority of these are trying to install pirated apps or games. This isn't the experience of the 'average' user.

Do you have any stats to back that up or are you assuming this? Some of the malware came from the Google Play Store. What percentage of the 7 million infections last quarter are from Google Play and what percentage are people who experienced malware via email or SMS and what percentage got it from piracy?
Quote:
Originally Posted by ItsTheInternet View Post

no system is ultimately secure, malware has gotten into all app stores

You are conveniently putting aside the differences in the level of security. It's much the same as 'everybody copies product features'. They aren't all to the same degree. Apple's setup is more secure and the results of that are clear from the infection rates. This idea that everybody who got infected on Android deserved what they got doesn't hold up, not least because you can't claim that allowing 3rd party installs is a benefit of Android's openness and then when someone becomes a victim of malware, suggest it's because they were too dumb that they actually used the feature and should have restricted their buying to Google's own walled garden.
post #52 of 85
Are you guys relying on an Alcatel-Lucent product promo piece for the claims of millions of mobile device malicious app installs? That's the only one I found that sounds remotely similar. Would you expect them to do anything but over-dramatize the threat of mobile malware when trying to sell a network security product they've created? In fact they've been saying essentially the same thing for several years. The 2011 report is here:
http://www.kindsight.net/en/blog/2011/12/21/was-mobile-malware-problem-in-2011

"Not only is Android the largest smartphone market, unlike iPhone and Blackberry, it allows apps to be loaded from third party sites. This provides cybercriminals with an un-policed mechanism to distribute their malware which can easily evade detection by device-based anti-virus. Thus, in 2013 we saw an increased trend towards operators offering network based anti-virus security to subscribers as a service."

And gosh gee-whiz they just happen to be demoing a cloud-based network security product as a service. Whoda thunk?
"Alcatel-Lucent will be exhibiting its cloud-based Kindsight Security Solution at Mobile World Congress in Barcelona, Spain, February 24-27, 2014, Hall #3, Booth #3K10 at the Fira Gran Via."

No doubt harmful apps exist and almost certainly more so on Android than iOS. No doubt either IMHO that their prevalence is severely overstated. Evidence for millions upon millions of actual harmful app installs is suspiciously lacking and not everything they call malware is malicious in the first place.
Edited by Gatorguy - 2/28/14 at 5:14pm
melior diabolus quem scies
post #53 of 85
Quote:
Originally Posted by Gatorguy View Post

Are you guys relying on an Alcatel-Lucent product promo piece for the claims of millions of mobile device malicious app installs? That's the only one I found that sounds remotely similar. Would you expect them to do anything but dramatize the threat of mobile malware when trying to sell a new network security product they've created?

I could ask 'Are you guys relying on Google's promo piece for the claims that Android is secure? That's the only one I found that sounds remotely similar. Would you expect them to do anything but downplay the threat of mobile malware when trying to sell a product they've created?'

What's the real infection rate?
post #54 of 85
Quote:
Originally Posted by Marvin View Post


Do you have any stats to back that up or are you assuming this? Some of the malware came from the Google Play Store. What percentage of the 7 million infections last quarter are from Google Play and what percentage are people who experienced malware via email or SMS and what percentage got it from piracy?

I believe Gatorguy posted the details either on this thread or another about how something like 0.001% of apps are potentially harmful and that users will still click through the warnings. As he also said, I'm not sure I trust those statistics, I can find no solid stats at all on infection vectors. However I have confirmed some of this personally by inspecting the contents of APKs that generally come with a webpage urging you to disable your device's security.

Quote:
You are conveniently putting aside the differences in the level of security. It's much the same as 'everybody copies product features'. They aren't all to the same degree. Apple's setup is more secure and the results of that are clear from the infection rates. This idea that everybody who got infected on Android deserved what they got doesn't hold up, not least because you can't claim that allowing 3rd party installs is a benefit of Android's openness and then when someone becomes a victim of malware, suggest it's because they were too dumb that they actually used the feature and should have restricted their buying to Google's own walled garden.

I have no idea what copying has to do with anything. I also didn't say that people deserved what they got, just that the average user is not installing random extra app stores for pirated media and ignoring the warnings on their screen.

The irony of your statement is that Apple chooses almost exactly the same model for OSX as Google does for Android. Third party installs blocked by default but possible manually. This is a perfectly valid system and so I cannot see where your criticism is coming from. Of course more people will be infected if they have the option to ignore safeguards.

Consider

vs

post #55 of 85
Quote:
Originally Posted by Marvin View Post

I could ask 'Are you guys relying on Google's promo piece for the claims that Android is secure? That's the only one I found that sounds remotely similar. Would you expect them to do anything but downplay the threat of mobile malware when trying to sell a product they've created?'

What's the real infection rate?

Well there ya go, tho if I recall you cited that same report as support for an argument you were making not all that long ago.

Edit: I did recall correctly
http://forums.appleinsider.com/t/161673/apples-phil-schiller-plugs-security-report-showing-99-of-mobile-malware-targets-android/40#post_2460927
You didn't say it shouldn't be trusted then. In fact you said you couldn't find stats that indicated Google's stats shouldn't be considered valid. I saw it as one of your more straightforward and unbiased appraisals. Commendable but potentially inviting attack as it went against the popular notions pushed by some forum members.

Mel did much the same thing yesterday, publicly stating an opinion that was sure to be unpopular with some of the most vocal AI members. It's not an easy thing to do and he deserves respect for having the courage to post it just as you do. But courage is wasted if conviction is lacking when that unpopular opinion is challenged.

I can't imagine you've now changed your outlook so quickly since your opinions generally appear to be well-considered and supportable.
Edited by Gatorguy - 2/28/14 at 5:55pm
melior diabolus quem scies
post #56 of 85
Quote:
Originally Posted by ItsTheInternet View Post

Where This isn't the experience of the 'average' user.

Define what you mean by Android's "average user"?

Chances are they are using an older version of Android on a cheap, low powered device where things like hardware encryption are left out to cut costs.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #57 of 85
Quote:
Originally Posted by Gatorguy View Post

Are you guys relying on an Alcatel-Lucent product promo piece for the claims of millions of mobile device malicious app installs? That's the only one I found that sounds remotely similar. Would you expect them to do anything but over-dramatize the threat of mobile malware when trying to sell a network security product they've created? In fact they've been saying essentially the same thing for several years. The 2011 report is here:
http://www.kindsight.net/en/blog/2011/12/21/was-mobile-malware-problem-in-2011

"Not only is Android the largest smartphone market, unlike iPhone and Blackberry, it allows apps to be loaded from third party sites. This provides cybercriminals with an un-policed mechanism to distribute their malware which can easily evade detection by device-based anti-virus. Thus, in 2013 we saw an increased trend towards operators offering network based anti-virus security to subscribers as a service."

And gosh gee-whiz they just happen to be demoing a cloud-based network security product as a service. Whoda thunk?
"Alcatel-Lucent will be exhibiting its cloud-based Kindsight Security Solution at Mobile World Congress in Barcelona, Spain, February 24-27, 2014, Hall #3, Booth #3K10 at the Fira Gran Via."

No doubt harmful apps exist and almost certainly more so on Android than iOS. No doubt either IMHO that their prevalence is severely overstated. Evidence for millions upon millions of actual harmful app installs is suspiciously lacking and not everything they call malware is malicious in the first place.

Well gosh, gee it sounds like the crap Google touts in denial come up with when denying there is an issue.

I've said it once, I'll say it again, Google don't give a shit as long as they can sell ads, theirs is a bums on seats game.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #58 of 85
Quote:
Originally Posted by Marvin View Post

I could ask 'Are you guys relying on Google's promo piece for the claims that Android is secure? That's the only one I found that sounds remotely similar. Would you expect them to do anything but downplay the threat of mobile malware when trying to sell a product they've created?'

What's the real infection rate?

The ONLY apps Google are interested in removing from their repository are ad blockers which interfere with their only source of revenue.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #59 of 85
Quote:
Originally Posted by TheOtherGeoff View Post

...

I thought the /S, which I did not post, would have been evident.

Sorry.

post #60 of 85
Android will be dead by 2017. People are catching on to this crap

“What would I do? I’d shut Apple down and give the money back to the shareholders”

Michael Dell - 1997

post #61 of 85
Quote:
Originally Posted by ItsTheInternet View Post

I also didn't say that people deserved what they got, just that the average user is not installing random extra app stores for pirated media and ignoring the warnings on their screen.

But you have no stats to back that up, that's just what you assume to be the case. It's a lot like the assumptions people make about jailbreakers not doing it for the piracy. There's no stats to back it up so they just make a decision about it and then repeat it as fact.
Quote:
Originally Posted by ItsTheInternet View Post

The irony of your statement is that Apple chooses almost exactly the same model for OSX as Google does for Android. Third party installs blocked by default but possible manually. This is a perfectly valid system and so I cannot see where your criticism is coming from. Of course more people will be infected if they have the option to ignore safeguards.

There's no irony there, OS X is less secure than iOS too. The point is that iOS is more secure than Android from a user's point of view and my criticism is that Android promoters use statements like 'there's been malware in the App Store too' to try and put everything on equal ground. The agenda being to highlight Apple's 'closed' approach as having no tangible benefit.
Quote:
Originally Posted by Gatorguy 
Well there ya go, tho if I recall you cited that same report as support for an argument you were making not all that long ago.

Edit: I did recall correctly
http://forums.appleinsider.com/t/161673/apples-phil-schiller-plugs-security-report-showing-99-of-mobile-malware-targets-android/40#post_2460927
You didn't say it shouldn't be trusted then. In fact you said you couldn't find stats that indicated Google's stats shouldn't be considered valid. I saw it as one of your more straightforward and unbiased appraisals. Commendable but potentially inviting attack as it went against the popular notions pushed by some forum members.

Mel did much the same thing yesterday, publicly stating an opinion that was sure to be unpopular with some of the most vocal AI members. It's not an easy thing to do and he deserves respect for having the courage to post it just as you do. But courage is wasted if conviction is lacking when that unpopular opinion is challenged.

I can't imagine you've now changed your outlook so quickly since your opinions generally appear to be well-considered and supportable.

The report mentioned above is a different report for late 2013. I couldn't have used it in the post you linked to as the data wasn't published until later:

http://online.wsj.com/article/PR-CO-20140129-904928.html

Data changes, opinions change, unless you're the kind to stick to opinions and assume the facts fit. All I said before was that there was no data at the time with evidence of infection rates. There is at least some now. You haven't shown anything to counter it besides suggesting their data isn't credible.
post #62 of 85
Quote:
Originally Posted by Marvin View Post


The report mentioned above is a different report for late 2013. I couldn't have used it in the post you linked to as the data wasn't published until later:

http://online.wsj.com/article/PR-CO-20140129-904928.html

Data changes, opinions change, unless you're the kind to stick to opinions and assume the facts fit. All I said before was that there was no data at the time with evidence of infection rates. There is at least some now. You haven't shown anything to counter it besides suggesting their data isn't credible.

Nope. The .001% harmful infection rate I quoted and that you suggested could be turned around like Alcatel's stats came from the exact same security report you were using to bolster your argument. Just look at the SecurityLedger link you offered.

Your quote:
"It's expected that Google will choose the most flattering stats but there doesn't appear to be stats that say otherwise:

https://securityledger.com/2013/10/googles-data-say-android-is-safe-but-is-that-the-whole-story/

"data collected by the Verify Apps service, which logs events involving a hazardous applications, found that only 1,200 of 1.5 billion application install attempts were incidents in which “potentially harmful applications” ended up being installed on an Android device.

...Although most people here naturally want Android to fail in some regard, I'd say it's better if Google proves they can run a less restricted distribution service safely. That's what we have on OS X already."

So in January you certainly seemed to believe those stats looked to be correct with truly malicious Android malware no longer a major concern as in years past and Google is doing the right thing by trying to be less restrictive.

What thing of significance changed your mind in the past 30 days or so, or did you change your mind?
Edited by Gatorguy - 3/1/14 at 7:52am
melior diabolus quem scies
post #63 of 85
Quote:
Originally Posted by Gatorguy View Post

So in January you certainly seemed to believe those stats looked to be correct with truly malicious Android malware no longer a major concern as in years past and Google is doing the right thing by trying to be less restrictive.

What thing of significance changed your mind in the past 30 days or so, or did you change your mind?

Like I said, the new stats came out later. If Google can retain security with less restriction then of course it's better but the new stats suggest there are millions of infections. That data wasn't released before, the other reports didn't mention higher infection rates and they are different reports. Just because one report doesn't find significant infection rates, if a separate report does then it can't be discounted just because another one doesn't.

If tomorrow 50 million Android devices get infected by a new trojan, are you going to suggest that because Google said everything was ok last October that people shouldn't use the new data to counter it?
post #64 of 85
Quote:
Originally Posted by Marvin View Post

Like I said, the new stats came out later. If Google can retain security with less restriction then of course it's better but the new stats suggest there are millions of infections. That data wasn't released before, the other reports didn't mention higher infection rates and they are different reports. Just because one report doesn't find significant infection rates, if a separate report does then it can't be discounted just because another one doesn't.

If tomorrow 50 million Android devices get infected by a new trojan, are you going to suggest that because Google said everything was ok last October that people shouldn't use the new data to counter it?

What comparative stats came out in the last month that should have changed your mind Marvin? Google's statistics you were using in your argument had to do with apps that could potentially cause actual harm to an Android owner. They broke down various categories of "malware" into percentages to help readers understand what the various forms are and what they do. The Alcatel report doesn't break those out instead referring to the general and very broad category of "malware" as a whole which would be anything from relatively benign but undisclosed ad delivery or contact collection to premium SMS messaging to email phishing attacks that don't even rely on Android per se. Alcatel's collection certainly doesn't suggest Google statistics are wrong. They don't try to break it down enough to even compare the two except in the broadest sense.

IMO the stats that really matter, the ones to pay attention to, speak to the potential for actual damage from malicious Android app installs rather than the Alcatel report of assorted undisclosed activity from both harmless and harmful apps mixed with phishing-type schemes which aren't reliant on any particular platform.

Pretty surprised your opinions waver with the winds so much. Now you seem to be falling back in line with "most people here (who) naturally want Android to fail in some regard." Anyway, I don't expect to change your mind, but I am curious what prompted you to change yours so quickly. Certainly shouldn't have been that Alcatel report since it never touched on the detail that Google offered and that you had found so compelling.
Edited by Gatorguy - 3/1/14 at 10:29am
melior diabolus quem scies
post #65 of 85
Quote:
Originally Posted by Gatorguy View Post

What comparative stats came out in the last month that should have changed your mind Marvin? Google's statistics you were using in your argument had to do with apps that could potentially cause actual harm to an Android owner. They broke down various categories of "malware" into percentages to help readers understand what the various forms are and what they do. The Alcatel report doesn't break those out instead referring to the general and very broad category of "malware" as a whole which would be anything from relatively benign but undisclosed ad delivery or contact collection to premium SMS messaging to email phishing attacks that don't even rely on Android per se. Alcatel's collection certainly doesn't suggest Google statistics are wrong. They don't try to break it down enough to even compare the two except in the broadest sense.

Oh, you're taking issue with the lack of a breakdown of what the malware is rather than the infection count. Well, here's something a little more definitive:

http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/
post #66 of 85
Quote:
Originally Posted by Marvin View Post

Oh, you're taking issue with the lack of a breakdown of what the malware is rather than the infection count. Well, here's something a little more definitive:

http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/

No, I actually questioned your sudden change of view. You still didn't explain what led to it but no big deal. It's not my business.

As I understand Verify Apps any attempt to scam a user via that premium SMS trick would be flagged to the user as long as they're on Gingerbread or better. That's essentially all current Android phones. A user might download an app that has a hidden premium SMS function thus technically "infected" but I don't think they'll suffer a loss since Verify Apps is designed to recognize it. With that said of course "malware" exists. It does on every platform. The job of the OS engineers is to catch 'em. I think Google is doing a fine job on that front especially considering all the lowlifes trying to get in.
http://blogs.computerworld.com/android/23590/google-android-security
melior diabolus quem scies
post #67 of 85
How do you really track malware in iOS? You can't!!

Why? Because only Apple can as iOS is a closed system. I doubt Apple is going to blast its mouth to say how many were infected. How many were affected with the huge SSL security hole? How long was it there before Apple finally admitted it?

I feel more secure with Android as it is open and being scrutinized rigorously by the community instead of iOS which is a total black box.
post #68 of 85
Quote:
Originally Posted by zerobim08 View Post

How do you really track malware in iOS? You can't!!

Why? Because only Apple can as iOS is a closed system.

3rd parties can download whatever apps they want from the store and scan them just like with Google Play.
Quote:
Originally Posted by zerobim08 View Post

How many were affected with the huge SSL security hole?

Lots of Microsoft and Android users were affected - they got really excited by Apple having a problem. The bug is only useful for targeted attacks where the attacker has a privileged network position.
Quote:
Originally Posted by zerobim08 View Post

How long was it there before Apple finally admitted it?

Do you mean how long after they discovered it or how long after the bug was put into the system? It was introduced in September 2012 with iOS 6. Considering it was 1 line of code, I imagine it was addressed immediately. They probably had an investigation into who added the code. Forstall was fired in 2012, it might have been him. He could use the login of one of the lower level staff and commit the change. He might even have used it to spy on inter-office communications to see what people were saying about him.
Quote:
Originally Posted by zerobim08 View Post

I feel more secure with Android as it is open

It doesn't sound like you feel more secure considering you're on an Apple forum. If you felt more secure, why wouldn't you be on an Android forum? It's only when you feel insecure that you have to justify your choices to people who you think might have made better choices than you.
post #69 of 85
Quote:
Originally Posted by Marvin View Post


But you have no stats to back that up, that's just what you assume to be the case. It's a lot like the assumptions people make about jailbreakers not doing it for the piracy. There's no stats to back it up so they just make a decision about it and then repeat it as fact.

Well for example, if you read the f-secure report, all the malware they list is found in 'third party app stores'. There's Google's official statements and then there's simple anecdotes. I have many friends who use Androids on a regular basis and I have seen the attempts to get them to install malware. They are all almost identical to OSX.

Quote:
There's no irony there, OS X is less secure than iOS too. The point is that iOS is more secure than Android from a user's point of view and my criticism is that Android promoters use statements like 'there's been malware in the App Store too' to try and put everything on equal ground. The agenda being to highlight Apple's 'closed' approach as having no tangible benefit.

Because it has no tangible benefit as long as you read warnings. The idea that OSX is less secure than iOS because I might permit a virus to be installed is silly. Yes in theory it has the potential of being less secure, but that's it. We know for a fact malware has made it into all app stores. We know that iOS has suffered its fair share of major security bugs. Contacts / SMSs being uploaded through the web browser seems a pretty apt one.

Security is not as simple as locking down installation. As you've seen, a single errant line of code and iOS has been less secure than any other platform for months if not longer. Trying to act as if security is simply a matter of how restricted your platform is is clearly not accurate.

The major benefactor of Apple's closed approach is Apple.

post #70 of 85
Quote:
Originally Posted by Marvin View Post

Lots of Microsoft and Android users were affected - they got really excited by Apple having a problem. The bug is only useful for targeted attacks where the attacker has a privileged network position.

Not at all. I can attach my laptop to an open wifi network and automatically poison every HTTPS request, intercept it with mitmproxy and log all private data.

I don't understand why you're so insistent on saying all other manufacturer's users are paranoid or 'insecure'. If this bug was a bug in Android I feel confident in saying the mocking on this forum would be widespread, yet when it is one of the most serious possible bugs on iOS you brush it off as if it were nothing.

Every platform has security bugs, Android had the master key vulnerability, Windows is Windows etc. Apple picked a strategy that works best for them but it doesn't mean they are somehow exempt from criticism. If you're willing to ignore warnings and simply install whatever you're told to install then iOS is in theory more resistant to damage, but I don't think you are this type of person and neither am I, so claiming this as an advantage is relatively pointless I feel.

post #71 of 85
Quote:
Originally Posted by ItsTheInternet View Post

Because it has no tangible benefit as long as you read warnings. The idea that OSX is less secure than iOS because I might permit a virus to be installed is silly. Yes in theory it has the potential of being less secure, but that's it. We know for a fact malware has made it into all app stores. We know that iOS has suffered its fair share of major security bugs. Contacts / SMSs being uploaded through the web browser seems a pretty apt one.

It would seem backwards for OS X to have less real-world security than iOS given that OS X sees more mission-critical applications. Many companies, such as Google, use OS X as their primary computing platform. People are more likely to file their taxes and store sensitive financial documents on their Mac than on their iPhone. A security breach on OS X would likely have far greater impact than one for iOS.


Edited by d4NjvRzf - 3/2/14 at 12:40pm
post #72 of 85
Quote:
Originally Posted by ItsTheInternet View Post

Well for example, if you read the f-secure report, all the malware they list is found in 'third party app stores'.

According to Gatorguy, security companies aren't credible so anything they say has to be dismissed as suspect. You can't just pick out the statements you like and ignore the ones you don't. Clearly whatever f-secure report you're referring to hasn't included the recent malware from the Google Play Store:

http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/
Quote:
Originally Posted by ItsTheInternet View Post

The idea that OSX is less secure than iOS because I might permit a virus to be installed is silly. Yes in theory it has the potential of being less secure, but that's it. We know for a fact malware has made it into all app stores. We know that iOS has suffered its fair share of major security bugs. Contacts / SMSs being uploaded through the web browser seems a pretty apt one.

There you go again trying to equate everything. We know that sample malware from security researchers has made it into the App Store. It pales in comparison to the amount of malware deployed for Android and the infections encountered.
Quote:
Originally Posted by ItsTheInternet View Post

Security is not as simple as locking down installation. As you've seen, a single errant line of code and iOS has been less secure than any other platform for months if not longer. Trying to act as if security is simply a matter of how restricted your platform is is clearly not accurate.

If the SSL bug made it less secure than any platform for months then you'd have seen more exploits. None have been reported.
Quote:
Originally Posted by ItsTheInternet View Post

The major benefactor of Apple's closed approach is Apple.

Seems like the major benefactor is Google's and Samsung's PR machine.
Quote:
Originally Posted by ItsTheInternet 
Not at all. I can attach my laptop to an open wifi network and automatically poison every HTTPS request, intercept it with mitmproxy and log all private data.

You need a lot of conditions to happen for that to be worthwhile. Firstly you need the right setup like so:

http://blog.philippheckel.com/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/

You need for someone to be willing to connect to the wifi hotspot and for them to be doing something meaningful enough for it to be worth intercepting the data.
Quote:
Originally Posted by ItsTheInternet View Post

I don't understand why you're so insistent on saying all other manufacturer's users are paranoid or 'insecure'. If this bug was a bug in Android I feel confident in saying the mocking on this forum would be widespread, yet when it is one of the most serious possible bugs on iOS you brush it off as if it were nothing.

This is an Apple forum, I'm not sure how many times that has to be explained, it's right there in the title. Apple users here likely would mock problems with an Android product. They'd be insecure if they were going to Android and Windows forums to promote their own preferred products among people who don't give two sh*ts about them and denigrate products they don't own.
post #73 of 85
Quote:
Originally Posted by Marvin View Post


According to Gatorguy, security companies aren't credible so anything they say has to be dismissed as suspect. You can't just pick out the statements you like and ignore the ones you don't. Clearly whatever f-secure report you're referring to hasn't included the recent malware from the Google Play Store:

http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/

I don't believe you are genuinely making this point. You know there's a lot of difference between 'security company hyping the danger to sell products' and 'security company lying about malware sources for some reason to benefit Google'. You're implying the latter, whereas the reasonable position is the former.

Nowhere did I deny that Google Play has had malware attacks. In fact I explicitly said that they had. Why is it that I am constantly having to defend myself from things I never said?

Quote:
There you go again trying to equate everything. We know that sample malware from security researchers has made it into the App Store. It pales in comparison to the amount of malware deployed for Android and the infections encountered.

Do you think for some reason that malware on iOS and malware on Android is incomparable? Of course I equate 'everything' because that's the right way to see the reality of the situation. How many times do we have to go through this, you seem to take personal offence if I don't individually thank and praise Apple for whatever they're doing, even if it's not even noteworthy. I'll say it again. The iOS security model is such that even if you ignore what the screen tells you you should never be able to do anything Apple does not approve of. This is not the case on OSX or Android.

Quote:
If the SSL bug made it less secure than any platform for months then you'd have seen more exploits. None have been reported.

Not true at all. The SSL bug did make it less secure, there's no possible argument you can make against that, and no reporting would be possible as the exploit it enabled was data theft. There would be literally no way to tie it together unless logs of this information were kept, and I have seen no indication of that either.

Quote:
You need a lot of conditions to happen for that to be worthwhile. Firstly you need the right setup like so:
http://blog.philippheckel.com/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
You need for someone to be willing to connect to the wifi hotspot and for them to be doing something meaningful enough for it to be worth intercepting the data.

Those 'lot of conditions' is to have a computer with a supported wifi chipset. I literally have one sitting on top of my keyboard right now. Getting people to connect to a "Free Internet" WiFi hotspot is trivial, and if your security depends on "doing something meaningful" then that's no security at all. What more evidence do you need than the widespread criticism from the security community? Perhaps this will change your mind? http://corte.si/posts/security/cve-2014-1266.html

Quote:
This is an Apple forum, I'm not sure how many times that has to be explained, it's right there in the title. Apple users here likely would mock problems with an Android product. They'd be insecure if they were going to Android and Windows forums to promote their own preferred products among people who don't give two sh*ts about them and denigrate products they don't own.

Except the nature of an Apple forum doesn't inherently mean you must dismiss or minimise problems at Apple. I may own an Android as my primary phone but I don't dismiss or minimise the reality of problems on that platform at all. Both platforms have their own issues, and Apple's review process fundamentally cannot catch all potential malware, nor is the platform fully secure (see: jailbreaks). This is just the nature of computing in general.

post #74 of 85
Quote:
Originally Posted by ItsTheInternet View Post

Nowhere did I deny that Google Play has had malware attacks. In fact I explicitly said that they had.

Now take it one step further and admit that the malware has made it to user's devices in large numbers where in the case of iOS it has not and that answers the following point.
Quote:
Originally Posted by ItsTheInternet View Post

Do you think for some reason that malware on iOS and malware on Android is incomparable? Of course I equate 'everything' because that's the right way to see the reality of the situation.
Quote:
Originally Posted by ItsTheInternet View Post

Not true at all. The SSL bug did make it less secure, there's no possible argument you can make against that

The argument I was making was against your statement that it made iOS less secure than any other platform. For outgoing data sure but not anything else and even at that, the outgoing data was hard to exploit harmfully. For someone using devices in their own home or at work with people they can trust, they weren't at risk.
Quote:
Originally Posted by ItsTheInternet View Post

Those 'lot of conditions' is to have a computer with a supported wifi chipset. I literally have one sitting on top of my keyboard right now.

Why does that not surprise me. There's more conditions than that as you need to be on the same network as someone with the vulnerability and you need to exploit the flaw:

http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/

- Trick you into visiting an imposter HTTPS site, e.g. by using a poisoned public Wi-Fi access point.
- Force your browser (or other software) into using forward secrecy, possible because the server decides what encryption algorithms it will support.
- Force your browser (or other software) into using TLS 1.1, possible because the server decides what TLS versions it will allow.
- Supply a legitimate-looking TLS certificate with a mismatched private key.

That doesn't sound as trivial and automatic as you want people to believe, especially if you have to do it in the timeframe of a real-time scenario not knowing what data a user is accessing. If you have a working demo that takes less effort, describe how you set it up.
Quote:
Originally Posted by ItsTheInternet View Post

Getting people to connect to a "Free Internet" WiFi hotspot is trivial, and if your security depends on "doing something meaningful" then that's no security at all.

There you go with the hyperbole again. The security doesn't depend solely on someone doing something meaningful, it depends on someone doing something meaningful while connected to your dodgy free wifi and the above steps so it is a level of security that is not "no security at all".
Quote:
Originally Posted by ItsTheInternet View Post

What more evidence do you need than the widespread criticism from the security community? Perhaps this will change your mind? http://corte.si/posts/security/cve-2014-1266.html

"With a tool like mitmproxy in the right position". Why doesn't he mention what that position is? Likely because it means installing mitmproxy on an intermediate server or configuring devices accessing a router in a certain way. He is trying to promote mitmproxy as he's one of the developers. Security researchers get excited when things like this happen, that guy was tweeting every 3 minutes that Apple hadn't issued an update.
Quote:
Originally Posted by ItsTheInternet View Post

Except the nature of an Apple forum doesn't inherently mean you must dismiss or minimise problems at Apple. I may own an Android as my primary phone but I don't dismiss or minimise the reality of problems on that platform at all.

What it means is that if you have no interest in being positive about the subject of the forum then you're specifically here to be a nuisance poster and yes you do dismiss and minimise the reality of problems with Android.
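Added example (not part of any post in this thread, and not Apple's code): a simplified C model of the "single errant line" control-flow error behind CVE-2014-1266 that the posts above argue about, next to a fail-closed version. All function names, the sample input and the toy "signature" are constructed for illustration.

```c
/* Simplified model of the duplicated-goto error; every name is hypothetical. */
#include <stddef.h>
#include <stdio.h>

/* Constructed sample input standing in for signed key-exchange parameters. */
static const unsigned char SAMPLE_PARAMS[] = "constructed-key-exchange-params";
#define SAMPLE_LEN (sizeof SAMPLE_PARAMS - 1)
#define SAMPLE_KEY 0xC0FFEEu

/* Toy hash step: returns 0 on success, nonzero on error. */
static int hash_update(unsigned *state, const unsigned char *data, size_t len)
{
    size_t i;
    if (state == NULL || data == NULL)
        return -1;
    for (i = 0; i < len; i++)
        *state = *state * 31u + data[i];
    return 0;
}

/* Toy signature: NOT cryptography, only a check that can pass or fail. */
unsigned toy_sign(const unsigned char *data, size_t len, unsigned key)
{
    unsigned state = 17u;
    hash_update(&state, data, len);
    return state ^ key;
}

static int toy_verify(unsigned digest, unsigned key, unsigned sig)
{
    return (sig == (digest ^ key)) ? 0 : -1;
}

/* Flawed shape: the second goto is not guarded by the if above it. */
int verify_flawed(const unsigned char *data, size_t len,
                  unsigned key, unsigned sig)
{
    int err;
    unsigned state = 17u;

    if ((err = hash_update(&state, data, len)) != 0)
        goto fail;
        goto fail;  /* duplicated line: always taken, and err is still 0 */
    if ((err = toy_verify(state, key, sig)) != 0)  /* never reached */
        goto fail;
fail:
    return err;     /* 0 is reported to the caller as "verified" */
}

/* Hardened shape: braces on every branch and a fail-closed default. */
int verify_fixed(const unsigned char *data, size_t len,
                 unsigned key, unsigned sig)
{
    int err = -1;   /* failure unless every check below passes */
    unsigned state = 17u;

    if (hash_update(&state, data, len) != 0) {
        goto done;
    }
    if (toy_verify(state, key, sig) != 0) {
        goto done;
    }
    err = 0;        /* set only after the signature check has run */
done:
    return err;
}

int main(void)
{
    unsigned good = toy_sign(SAMPLE_PARAMS, SAMPLE_LEN, SAMPLE_KEY);
    unsigned bad = good ^ 1u;  /* constructed mismatching signature */

    printf("flawed, bad signature: %d\n",
           verify_flawed(SAMPLE_PARAMS, SAMPLE_LEN, SAMPLE_KEY, bad));
    printf("fixed,  bad signature: %d\n",
           verify_fixed(SAMPLE_PARAMS, SAMPLE_LEN, SAMPLE_KEY, bad));
    return 0;
}
```

Compiler warnings such as GCC's -Wmisleading-indentation and Clang's -Wunreachable-code flag the flawed shape, and a negative test that feeds a mismatching signature catches it regardless of how it was introduced.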
post #75 of 85
Quote:
Originally Posted by Marvin View Post


Now take it one step further and admit that the malware has made it to user's devices in large numbers where in the case of iOS it has not and that answers the following point.

Have I not 'admitted' this before this point? I'm absolutely positive that plenty of Android devices have been attacked. I don't know how many different ways I really need to say this. I have no idea if there's been any significant malware on iOS devices. I certainly haven't heard of any and I'm sure Apple would remove them promptly if they did get through.

If you read back to the start of this discussion, you'll see that I was only making the point that this security is limited to there being no exploits and Apple's detection process being perfect. That obviously is never the case in any of these systems, and so that's why I compared Android to OSX.

Quote:
What it means is that if you have no interest in being positive about the subject of the forum then you're specifically here to be a nuisance poster and yes you do dismiss and minimise the reality of problems with Android.

How? I have been as relentlessly even in my criticisms and praise as I can be. I've taken care to make sure what I post is not just noise and I have very few negative things to say about Apple, mostly in relation to a couple of lawsuits. You seem to be reading all sorts of intentions and subtexts into posts that don't exist.

Quote:

The argument I was making was against your statement that it made iOS less secure than any other platform. For outgoing data sure but not anything else and even at that, the outgoing data was hard to exploit harmfully. For someone using devices in their own home or at work with people they can trust, they weren't at risk.
Why does that not surprise me. There's more conditions than that as you need to be on the same network as someone with the vulnerability and you need to exploit the flaw:

Yes, there are steps that must be taken, but this is about as serious a security bug as you can get short of remote code execution. This is just a simple fact and I can provide you endless third party sources to say so.

Quote:
That doesn't sound as trivial and automatic as you want people to believe, especially if you have to do it in the timeframe of a real-time scenario not knowing what data a user is accessing. If you have a working demo that takes less effort, describe how you set it up.

It requires a few patches to mitmproxy because it's designed for a straight substitution. I can't really say any more than that but it does require some reasonable cryptography / programming expertise. I'm not sure if I could manage it on my own but any coordinated hacking group would easily have the talent. I know for a fact that as soon as the news was made public at least two groups were working on this.

Quote:
There you go with the hyperbole again. The security doesn't depend solely on someone doing something meaningful, it depends on someone doing something meaningful while connected to your dodgy free wifi and the above steps so it is a level of security that is not "no security at all".

Ok sure, but it's pretty tenuous security. Of course it's fixed now, and of course similar bugs have existed on everything from Android to Debian.

Quote:
"With a tool like mitmproxy in the right position". Why doesn't he mention what that position is? Likely because it means installing mitmproxy on an intermediate server or configuring devices accessing a router in a certain way. He is trying to promote mitmproxy as he's one of the developers. Security researchers get excited when things like this happen, that guy was tweeting every 3 minutes that Apple hadn't issued an update.

He doesn't mention it because it's a normal part of security research to explore what sort of capabilities you have on a local network. For example, perhaps you can arp poison and have local devices send their packets to you. Perhaps you plug a wifi card into a Linux box and advertise an SSID.

There's an endless list of potentials I could provide, but potential impacts are great. Banking information, usernames/passwords, apparently keychain events could all be passively sniffed. This isn't me hating on Apple, it's just the reality of an unfortunate bug.

post #76 of 85
This needs far more coverage in the media. For all the "lack of innovation" that Apple gets accused of I, for one, am extremely happy they get the structural stuff right, their internal review processes work and they are open about the problems they are working to fix.

What does Google offer? They "scan" their store for known versions of malware. Really? Because antivirus software has been such an overwhelming success in the PC world. /s

It's pretty clear to me that Android has been developed with a profit first, user last mentality (like every soulless implementation of windows PC).

In my opinion Apple mostly achieves the right balance of user control. It would be nice to set alternate apps for particular functions (like email) but not to the extent that android phones give 3rd party access to critical information (like a replacement keyboard being able to log keystrokes when you use a banking app!!!).
post #77 of 85
Quote:
Originally Posted by Dunks View Post

This needs far more coverage in the media. For all the "lack of innovation" that Apple gets accused of I, for one, am extremely happy they get the structural stuff right, their internal review processes work

You might want to wait until a few weeks after their most major security bug to date before you say this. Otherwise I mostly agree that it's down to the user which choice they prefer.

post #78 of 85
Quote:
Originally Posted by ItsTheInternet View Post

I'm absolutely positive that plenty of Android devices have been attacked. I have no idea if there's been any significant malware on iOS devices.

So there's no possible way to reach the conclusion that there's no tangible benefit to Apple's setup. Until you know that real-world exploits have affected users in large numbers in iOS, as far as the data currently shows, iOS is more secure from a user's perspective.
Quote:
Originally Posted by ItsTheInternet View Post

How? I have been as relentlessly even in my criticisms and praise as I can be. I've taken care to make sure what I post is not just noise and I have very few negative things to say about Apple, mostly in relation to a couple of lawsuits. You seem to be reading all sorts of intentions and subtexts into posts that don't exist.

Just take a look at the last post you made. "You might want to wait until a few weeks after their most major security bug to date before you say this". It's not their most major security bug because you just said that it's less serious than bugs that allow arbitrary code execution, which have been in previous iOS versions.

You say a lot of the same things many posters who are no longer members have said over the years. The claim is always that you're just being impartial but the comments you make are laced with the usual propaganda promoting alternatives to the forum subject. When you keep making the subtle jabs at every opportunity, it's known as trolling and it irritates a lot of people.

It wouldn't be appropriate for an Apple user to sign up to an Android forum and start talking about malware, Google's privacy policies and fragmentation and then keep mentioning alternatives that have a different setup but offer benefits.
post #79 of 85
Quote:
Originally Posted by ItsTheInternet View Post

Uh, Android has a signed boot chain, signed packages, external packages off by default and a manifest based permission framework.

Perhaps before saying what lessons have been learned, you should actually go take those lessons yourself and learn the differences. Windows XP etc were nightmares for security because users would trivially elevate programs to Administrator as it had to be run so often even for things like deleting desktop icons.

Android by default does not permit Administrator level access. Honestly you're completely wrong.

I never said it does, but it has holes to be exploited by hackers, and you took one sentence out of my entire comment, which is Google has so many threads of Android floating around even as they find the holes and fix them they can not ever get to everyone who has Android on their devices. This was the same issue M$ had early on, people and companies could or would not update to the new fixes for a long list of reasons which allowed all the hacks to continue on.

As M$ did and Google is doing, they open the system so people can see inside anyone could see inside and therefore allow the hackers to find all the holes. Even Apple with all its concerns about security first, still has a very small group of people who know how to hack the iPhone and jailbreak it, it does take the user being involved, but it can be done. Android just makes it a lot easier for a less dedicated hacker.

post #80 of 85
Quote:
Originally Posted by Maestro64 View Post

As M$ did and Google is doing, they open the system so people can see inside anyone could see inside and therefore allow the hackers to find all the holes. Even Apple with all its concerns about security first, still has a very small group of people who know how to hack the iPhone and jailbreak it, it does take the user being involved, but it can be done. Android just makes it a lot easier for a less dedicated hacker.

1) When did MS ever open source its software? MS is far more closed than Apple, which at least uses open source foundations for its OS.

2) Open source is inherently no less secure than closed-source software. Linux for example has a much stronger security record than Windows despite its source code being completely open for everyone to see. Ever heard of the principle, "given enough eyeballs, all bugs are shallow"?
