Apple touts secure design of iOS as Google chief admits Android is best target for malicious hackers

Posted:
in iPhone edited April 2014
Speaking at Mobile World Conference, Google's new Android chief Sundar Pichai admitted that security plays second fiddle to "freedom" in the design and implementation of Google's mobile operation system, exposing Android users to an overwhelming, disproportionate share of malware vulnerabilities.

Android's malware monopoly

Last month, a report by Cisco detailed that 99 percent of mobile malware targets Android, echoing the "staggering rate" of malware growth observed last summer by Juniper Networks in a report that noted that "77 percent of Android's threats could be largely eliminated today if all Android devices had the latest OS. Currently only 4 percent do."

When asked about Android's malware problems, Pichai (the Chrome OS executive who replaced Andy Rubin as the head of Google's Android development early last year) answered by saying that Android is not really "designed to be safe" but rather to provide "freedom."

His comments, reported by French site Frandroid.com translated: "We do not guarantee that Android is designed to be safe; its format was designed to give more freedom. When they talk about 90% of malicious programs for Android, they must of course take into account the fact that it is the most used operating system in the world. If I had a company dedicated to malware, I would also send my attacks to Android."

Android's problems due to a lack of security updates, not due to popularity

While creating an apparent comparison with the role of Microsoft's Windows on PCs over the previous decade, Pichai did not actually address the root cause of malware issues as highlighted by Juniper: the failure of Google and its partners to make security updates broadly available to the platform's users.

Last July, a U.S. Government report titled "Threats to Mobile Devices Using the Android OS" warned that Android "continues to be a primary target for malware attacks due to its market share and open source architecture," and stated that this "makes it more important than ever to keep mobile OS patched and up-to-date."

Yet months later, Google still reports that more than 20 percent of active Android users accessing Google Play are still using a "Gingerbread" or older edition of Android dating back to 2011 that, as the government's report noted, still "have a number of security vulnerabilities that were fixed in later versions."



While the Gingerbread figure has ostensibly improved over the past several months (Google also changed how it counts "active" users), the number of new exploits discovered in subsequent editions of Android has put the platform's security at even greater at risk. One recently reported flaw is serious enough to have prompted security researchers to publicly issue an exploit tool with the intention of forcing Google to fix the bug for its users.

So far, only 27 percent of Google's active Android users are running an Android version that addresses that particular flaw, leaving 73 percent of Android users vulnerable to the critical security flaw in Google's WebView that gives malicious users the freedom to remotely control users' devices.

Apple focuses on security as more important than "freedom"

For Apple's users, encountering an actual security flaw is rare enough to be deemed newsworthy. While only 1.8 percent of Google's users are on the latest KitKat version of Android, an overwhelming 82 percent of iOS users now have iOS 7 installed, even though both OS versions were released around the same time last fall.

Additionally, Apple continues to release easy to install, free updates addressing problems found not only in its latest iOS 7, but also for customers still using iOS 6. That, includes those who bought the original iPad back in 2010, a product released nearly a year before Google's still vulnerable, unpatched Android 2.3 Gingerbread was even announced.

Yesterday, Apple outlined its focus on security in iOS in a white paper providing more detail on Touch ID and the Secure Enclave processor core built into its A7 Application Processor. In addition to talking about hardware, Apple noted that it "designed the iOS platform with security at its core."

The document stated, "when we set out to create the best possible mobile OS, we drew from decades of experience to build an entirely new architecture. We thought about the security hazards of the desktop environment, and established a new approach to security in the design of iOS. We developed and incorporated innovative features that tighten mobile security and protect the entire system by default. As a result, iOS is a major leap forward in OS security."

Apple further noted that its design for iOS "protects not only the device and its data at rest, but the entire ecosystem, including everything users do locally, on networks, and with key Internet services." Nowhere in the document does Apple even use the word "freedom."

Among the topics that the document does detail is Secure Boot, which limits "freedom" by preventing the installation of older versions of iOS that contain known security vulnerabilities. But the feature also helps prevent thieves from being able to downgrade the software on a stolen device in order to expose and exploit any known, patched flaws and therefore bypass Apple's latest protections that secure users' data, messages and passwords.

That's a real problem on Android, where a design focused on permissive freedom has also made securing the devices effectively impossible. Samsung has attempted to address this problem for corporate users with Knox, a layer designed to limit Android's freedom and therefore give it a layer of security closer to iOS. However, most of Samsung's smartphones don't even support Knox, rendering the majority of Android device shipments impossible to secure.

Samsung Knox

Apple benefitting from a differentiated focus on security

Apple's design of iOS "with security at its core" has resulted in an overwhelming advantage in the market. While IDC, Gartner and Strategy Analytics focus on global unit shipments, Apple's iOS share among enterprise, government and education users is dwarfing the adoption of Android.

Enterprise vendor Good Technology has consistently reported landslide iOS adoption rates, giving Apple 73 percent share among mobile devices and reporting that its iPad now makes up 91.4 percent of enterprise tablets. The scale of those numbers are resulting in iOS getting the vast majority of serious custom development among corporate users.

It's not just big firms, vast government agencies and entire school districts that are adopting iOS for security reasons. The results of a Clio study of mostly smaller law offices shows a definite trend toward iOS adoption over the last four years. Since 2010, Apple's share in mobile devices among these users has expanded 24 percentage points from 50 percent to 74 percent last year, while Android has only seen adoption climb 8 percentage points from 10 percent to 18 percent.

Among the same population of users, adoption of Macs as a "primary operating system" has also grown from 55 percent in 2010 to 66 percent last year, while the use of Windows has shrunk from 45 percent to just 34 percent over the same period.

Apple Get A Mac


While Google's Pichai drew a parallel between the ubiquitous availability of Android and Windows and the security issues each platform has faced as a result, he failed to address that it was Windows' permissive security problems, from invasive spyware to annoying ad popups, that helped fuel popular interest in Apple's original "Get A Mac" campaign, which helped to ignite the rapid growth in Mac sales over the past decade as users actively rejected a broadly open platform in favor of a secure one that "just worked."

In contrast, no amount of ideological evangelism about "freedom" has generated any real interest among corporations or individuals in Linux as a desktop or mobile platform. Linux primarily made inroads on servers because it was free. In failing to focus on security and leaving its users on their own, Google's Android's faces the prospect of suffering the same platform erosion that Windows suffered for the same reasons, while at the same time earning the same revenues as Linux.
«1345

Comments

  • Reply 1 of 84
    I just can't waste time reading these puff pieces anymore. Next.
  • Reply 2 of 84
    What no comments yet? Where are all those Android fanboys screaming about hack/cracks/shims & boot loaders?
    Oh yeah...the 99% malware option kicked in and now they need to restore their phones if they are even able to.

    It appears the Android/Google have given their customers the royal middle finger (again). Instead of patching every phone properly, they rely on a multi-level patch process that takes months to deploy effectively, so many handsets never get the updates they require, never mind complete Android system upgrades.

    Google is screaming "we're #1, we're #1" in malware infections.
    They should be screaming "we hate our customers". That would be more truthful.
  • Reply 3 of 84
    hill60hill60 Posts: 6,989member
    Quote:
    Originally Posted by SpamSandwich View Post



    I just can't waste time reading these puff pieces anymore. Next.

     

    Why?

     

    It's good to have some balance after all the crap about Apple patching the "glaring" goto flaw, which was never actively exploited by anyone conducting man in the middle attacks.

  • Reply 4 of 84
    hill60hill60 Posts: 6,989member
    Quote:
    Originally Posted by cfugle View Post



    What no comments yet? Where are all those Android fanboys screaming about hack/cracks/shims & boot loaders?

    Oh yeah...the 99% malware option kicked in and now they need to restore their phones if they are even able to.



    It appears the Android/Google have given their customers the royal middle finger (again). Instead of patching every phone properly, they rely on a multi-level patch process that takes months to deploy effectively, so many handsets never get the updates they require, never mind complete Android system upgrades.



    Google is screaming "we're #1, we're #1" in malware infections.

    They should be screaming "we hate our customers". That would be more truthful.

     

    Google love their customers, they make lots of money selling them information on their product users...

     

    ...oh, you confused Android users with Google's "customers", a common enough mistake.

  • Reply 5 of 84
    solipsismxsolipsismx Posts: 19,566member
    Planning for security is great and having data that shows your system has more known malware is nice but the keyword is known. Let's not forget this is coming awfully fast on the heels of an 18 month-long bug that would all all dumped data from iOS and Mac backups, syncing and Safari usage otherwise thought secure to be read by even a novice hacker. You wouldn't even need to target any Apple device because the data was being sent across the globe from device to server for a year-and-half. We will likely never know if any government was aware and expelling this data, or if anyone after the fact will start trawling though network packet dumps looking for personal information. I haven't even yet heard if Mac and iOS App Store apps also use Apple's SSL implementation.

    I just can't waste time reading these puff pieces anymore. Next.

    I barely read most of the articles here. I come for the commenters.

    rickfaced wrote: »
    Samsung is not going to be happy about this article.

    They can at least be comforted by having the only Android-based devices on the safe list.
  • Reply 6 of 84

    No confusion here at all. The Google "experience" of Android is based on a strict software code that hardware manufacturers must implement or risk losing access to Android. Google is selling the experience whether the device is Samsung or Sony. The software is what touch the "customers" hands, the shell is the hardware fluff.  Hardware does not get infected with malware, software does. What don't you understand in this symbiotic relationship that isolates Google  from being a better service provider? Their locked in code should protect the clients better. Simple solution. It should have been designed from day one to cater to the customer and not the telecom provider or hardware manufacturer. Is Apple IOS perfect...by gosh no..but it does ever me down with functionality issues or viral/malware attacks. Developers may have hated the sandboxing but us consumers love it. My day keeps moving forward without the hassles of a buggered up handset.

  • Reply 7 of 84
    bobschlobbobschlob Posts: 1,074member
    Outee

  • Reply 8 of 84
    Quote:
    Originally Posted by AppleInsider View Post

     


    One recently reported flaw is serious enough to have prompted security researchers to publicly issue an exploit tool with the intention of forcing Google to fix the bug for its users.



    So far, only 27 percent of Google's active Android users are running an Android version that addresses that particular flaw, leaving 73 percent of Android users vulnerable to the critical security flaw in Google's WebView that gives malicious users the freedom to remotely control users' devices.

     

    Here's an Ars article on this particular flaw (http://arstechnica.com/security/2014/02/e-z-2-use-attack-code-exploits-critical-bug-in-majority-of-android-phones/). One bit of information relevant to this article is that although there are lots of android devices stuck with the webview bug, the openness of the platform also enables more third-party mitigation strategies than would be possible if a similar bug were discovered in the iOS UIWebview. Android browsers such as Chrome and Firefox typically pack their own rendering engines and are not affected by this bug. In contrast, if the iOS webview were found to contain a security flaw, the only recourse for third-party browsers would be to wait for an OS update since they are required to use the system UIWebview. Although Apple issues OS updates more promptly compared to Android OEMs, the iOS security model also relies more heavily on OS updates since Apple is often the only party that can fix things.

  • Reply 9 of 84
    Quote:
    Originally Posted by hill60 View Post

     

     

    Why?

     

    It's good to have some balance after all the crap about Apple patching the "glaring" goto flaw


    This very article explains why Apple took a beating for that. Apple are held to a higher standard because they hold themselves to a higher standard. Nobody writes articles about Samsung producing low build-quality devices / security flaws in Android because it's not newsworthy: Samsung / Google don't tout the build quality / security of their devices as a best-in-class selling point. 

     

    Apple does, and that's why everyone expects more from them.

     

    Quote:

     which was never actively exploited by anyone conducting man in the middle attacks


    Is there anything resembling a source for that, or did you just make it up?

     

    edit: Why do lots of the links in this article go to tangentially related opinion pieces that we have to hunt through to find a link to the actual source?

  • Reply 10 of 84
    solipsismx wrote: »
    Planning for security is great and having data that shows your system has more known malware is nice but the keyword is known. Let's not forget this is coming awfully fast on the heels of an 18 month-long bug that would all all dumped data from iOS and Mac backups, syncing and Safari usage otherwise thought secure to be read by even a novice hacker. You wouldn't even need to target any Apple device because the data was being sent across the globe from device to server for a year-and-half. We will likely never know if any government was aware and expelling this data, or if anyone after the fact will start trawling though network packet dumps looking for personal information. I haven't even yet heard if Mac and iOS App Store apps also use Apple's SSL implementation.
    Sol, I would say the biggest beneficiary of this will be the NSA and GCHQ class threats. The point DED was trying to make it is that any script kiddy with spare time on their hands can exploit Android holes, the older the better.

    As you mentioned in other threads, we should change our passwords, but it won't help the data stored in Bluffdale or the UK equivalent.

    I'm pretty mad about it but there is literally nothing we can do about it except move on.
  • Reply 11 of 84
    chris_cachris_ca Posts: 2,543member

    Security through obscurity.

    With Android having 275% and Apple losing more of what little market share it does have every day, of course hackers want to target Android.

    Why waste time doing anything on an OS that only one company with -23% market share uses?

  • Reply 12 of 84
    sflocalsflocal Posts: 4,383member
  • Reply 13 of 84
    hill60hill60 Posts: 6,989member
    Quote:
    Originally Posted by DarkLite View Post

     

    Is there anything resembling a source for that, or did you just make it up?

     


     

    If you want to provide a source for the flaw being used by anyone.

     

    ACTIVELY

  • Reply 14 of 84
    iqatedoiqatedo Posts: 1,593member
    Quote:
    Originally Posted by AppleInsider View Post



    Speaking at Mobile World Conference, Google's new Android chief Sundar Pichai admitted that security plays second fiddle to "freedom" in the design and implementation of Google's mobile operation system...

     

    His comments, reported by French site Frandroid.com translated: "We do not guarantee that Android is designed to be safe; its format was designed to give more freedom. When they talk about 90% of malicious programs for Android, they must of course take into account the fact that it is the most used operating system in the world. If I had a company dedicated to malware, I would also send my attacks to Android."

     

    The old 'security by obscurity' argument creeping in... 'freedom' under a state of anarchy is not quite what it is cracked up to be, hilarious.

  • Reply 15 of 84
    alfiejralfiejr Posts: 1,524member
    Quote:

    Originally Posted by sflocal View Post

     

    But...but...  Does this mean Schmidt was LYING??


     

    Schmidt embodies the true soul of Google: lie, cheat, and steal - aka "open."

     

    the poor top Google engineer that spilled the beans in France - his career is over.

  • Reply 16 of 84
    Quote:

    Originally Posted by Chris_CA View Post

     

    Security through obscurity.

    With Android having 275% and Apple losing more of what little market share it does have every day, of course hackers want to target Android.

    Why waste time doing anything on an OS that only one company with -23% market share uses?


     

    two comments come to mind, and I'll try not to feed the trolls too much

     

    "If you are one of two people being chased by a bear... you don't have to outrun the bear, you just have to outrun the other guy"

     

    "Willie, why do you rob banks?"  Willie Sutton: "Because that's where the money is"

     

    The mashup of those basically shows your misunderstanding...  and gets to the crux of the Pichia's comment: It's good to have good security... relative to your competitors in the general malware space.  If the space is large and easy to attack, the malware bear will just catch it and sit and munch on the carcass.  Why work harder than you need?

     

    BUT... to your second point: while I grant you  that Apple has a smaller (closer to 40% of smartphones) share of the phone market, it's where the money is, in terms of who is spending it mobilely.    That's where your theory breaks down. and you fail to see another reason why Apple doesn't care about selling to everyone.  

     

    If you value security, you're spending iPhone class money on your phone.    Those that don't.... well, now your running as fast as all the slow people... and your only hope is the bear doesn't single you out.

  • Reply 17 of 84
    chipsychipsy Posts: 287member
    Let's put things into perspective shall we. What DED forgets to do here is to detail how many of this malware actually is from the Play Store. By far the largest part of this malware is from non-official app stores and/or come from side loading apps downloaded from torrent sites and such.
    By my estimations (based on the total Android malware and that present on the Play Store) less than 5% comes from Play Store (and if installed still can be stopped by the app verifier). If you then take into account that the threats are reduced by 77% if you are on the most recent version I think this issue is less of an issue as purported if you only install Play Store apps (like most people do).

    Don't get me wrong the fact that so many Android phones are running older versions is a problem but it is not as big a problem when it comes down to malware (when using Play Store) as is argued here.
  • Reply 18 of 84
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by Chris_CA View Post

     

    Security through obscurity.

    With Android having 275% and Apple losing more of what little market share it does have every day, of course hackers want to target Android.

    Why waste time doing anything on an OS that only one company with -23% market share uses?


    For the same reason that robbers hold up banks instead of mugging homeless people on the street. It might be easy to mug a homeless person but they don't have any money. iOS users are much more affluent so they have more to protect than average Android users.

  • Reply 19 of 84
    Throwing the word "freedom" around tech circles is like ringing the dinner bell for salivating ideologues.
  • Reply 20 of 84
    rob53rob53 Posts: 1,974member
    Quote:

    Originally Posted by Chipsy View Post



    Let's put things into perspective shall we. What DED forgets to do here is to detail how many of this malware actually is from the Play Store. By far the largest part of this malware is from non-official app stores and/or come from side loading apps downloaded from torrent sites and such.

    By my estimations (based on the total Android malware and that present on the Play Store) less than 5% comes from Play Store (and if installed still can be stopped by the app verifier). If you then take into account that the threats are reduced by 77% if you are on the most recent version I think this issue is less of an issue as purported if you only install Play Store apps (like most people do).



    Don't get me wrong the fact that so many Android phones are running older versions is a problem but it is not as big a problem when it comes down to malware (when using Play Store) as is argued here.

    http://www.pcworld.com/article/2099421/report-malwareinfected-android-apps-spike-in-the-google-play-store.html (not an Apple-friendly website)

    "In 2011, there were approximately 11,000 apps in Google’s mobile marketplace that contained malicious software capable of stealing people’s data and committing fraud, according to the results of a study published Wednesday by RiskIQ, an online security services company. By 2013, more than 42,000 apps in Google’s store contained spyware and information-stealing Trojan programs, researchers said."

     

    If 42K is 5% that would mean 840K apps. http://www.appbrain.com/stats/number-of-android-apps says there are 1.1M so your figure looks reasonable. The problem is 42K malicious apps in the designated Android app store is still way too many, no matter how your spin statistics. This doesn't include all the malicious apps found in the "open" Android stores. When you compare Android's number to the number found in the (real) App Store, there's no comparison because if there are any in the Apple App Store the number is probably below 10. Google is simply following Microsoft's process of not really caring about malware, spawning a huge third-party malware prevention industry.

Sign In or Register to comment.