So in January you certainly seemed to believe those stats looked to be correct with truly malicious Android malware no longer a major concern as in years past and Google is doing the right thing by trying to be less restrictive.
What thing of significance changed your mind in the past 30 days or so, or did you change your mind?
Like I said, the new stats came out later. If Google can retain security with less restriction then of course it's better but the new stats suggest there are millions of infections. That data wasn't released before, the other reports didn't mention higher infection rates and they are different reports. Just because one report doesn't find significant infection rates, if a separate report does then it can't be discounted just because another one doesn't.
If tomorrow 50 million Android devices get infected by a new trojan, are you going to suggest that because Google said everything was ok last October that people shouldn't use the new data to counter it?
Like I said, the new stats came out later. If Google can retain security with less restriction then of course it's better but the new stats suggest there are millions of infections. That data wasn't released before, the other reports didn't mention higher infection rates and they are different reports. Just because one report doesn't find significant infection rates, if a separate report does then it can't be discounted just because another one doesn't.
If tomorrow 50 million Android devices get infected by a new trojan, are you going to suggest that because Google said everything was ok last October that people shouldn't use the new data to counter it?
What comparative stats came out in the last month that should have changed your mind Marvin? Google's statistics you were using in your argument had to do with apps that could potentially cause actual harm to an Android owner. They broke down various categories of "malware" into percentages to help readers understand what the various forms are and what they do. The Alcatel report doesn't break those out instead referring to the general and very broad category of "malware" as a whole which would be anything from relatively benign but undisclosed ad delivery or contact colection to premium SMS messaging to email phishing attacks that don't even rely on Android per-se. Alcatels collection certainly doesn't suggest Google statistics are wrong. They don't try to break it down enough to even compare the two except in the broadest sense.
IMO the stats that really matter, the ones to pay attention to, speak to the potential for actual damage from malicious Android app installs rather than the Alcatel report of assorted undisclosed activity from both harmless and harmful apps mixed with phishing-type schemes which aren't reliant on any particular platform.
Pretty surprised your opinions waver with the winds so much. Now you seem to be falling back in line with "most people here (who) naturally want Android to fail in some regard." Anyway, I don't expect to change your mind, but I am curious what prompted you to change yours so quickly. Certainly shouldn't have been that Alcatel report since it never touched on the detail that Google offered and that you had found so compelling.
What comparative stats came out in the last month that should have changed your mind Marvin? Google's statistics you were using in your argument had to do with apps that could potentially cause actual harm to an Android owner. They broke down various categories of "malware" into percentages to help readers understand what the various forms are and what they do. The Alcatel report doesn't break those out instead referring to the general and very broad category of "malware" as a whole which would be anything from relatively benign but undisclosed ad delivery or contact colection to premium SMS messaging to email phishing attacks that don't even rely on Android per-se. Alcatels collection certainly doesn't suggest Google statistics are wrong. They don't try to break it down enough to even compare the two except in the broadest sense.
Oh, you're taking issue with the lack of a breakdown of what the malware is rather than the infection count. Well, here's something a little more definitive:
Oh, you're taking issue with the lack of a breakdown of what the malware is rather than the infection count. Well, here's something a little more definitive:
No, I actually questioned your sudden change of view. You still didn't explain what lead to it but no big deal. It's not my business.
As I understand Verify Apps any attempt to scam a user via that premium SMS trick would be flagged to the user as long as they're on Gingerbread or better. That's essentially all current Android phones. A user might download an app that has a hidden premium SMS function thus technically "infected" but I don't think they'll suffer a loss since Verify Apps is designed to recognize it. With that said of course "malware" exists. It does on every platform. The job of the OS engineers is to catch 'em. I think Google is doing a fine job on that front especially considering all the low-life's trying to get in. http://blogs.computerworld.com/android/23590/google-android-security
How do you really track malware in iOS? You can't!!
Why? Because only apple can as ios is a closed system. I doubt apple is going to blast it's mouth to say how many were infected. How many were affected with the huge ssl security hole? How long was it there before apple finally admitted it.
I feel more secure with Android as it is open and being scrutinize rigorously by the community instead of ios which is a total black box.
How many were affected with the huge ssl security hole?
Lots of Microsoft and Android users were affected - they got really excited by Apple having a problem. The bug is only useful for targeted attacks where the attacker has a privileged network position.
How long was it there before apple finally admitted it.
Do you mean how long after they discovered it or how long after the bug was put into the system? It was introduced in September 2012 with iOS 6. Considering it was 1 line of code, I imagine it was addressed immediately. They probably had an investigation into who added the code. Fortsall was fired in 2012, it might have been him. He could use the login of one of the lower level staff and commit the change. He might even have used it to spy on inter-office communications to see what people were saying about him.
It doesn't sound like you feel more secure considering you're on an Apple forum. If you felt more secure, why wouldn't you be on an Android forum? It's only when you feel insecure that you have to justify your choices to people who you think might have made better choices than you.
But you have no stats to back that up, that's just what you assume to be the case. It's a lot like the assumptions people make about jailbreakers not doing it for the piracy. There's no stats to back it up so they just make a decision about it and then repeat it as fact.
Well for example, if you read the f-secure report, all the malware they list is found in 'third party app stores'. There's Google's official statements and then there's simple anecdotes. I have many friends who use Androids on a regular basis and I have seen the attempts to get them to install malware. They are all almost identical to OSX.
Quote:
There's no irony there, OS X is less secure than iOS too. The point is that iOS is more secure than Android from a user's point of view and my criticism is that Android promoters use statements like 'there's been malware in the App Store too' to try and put everything on equal ground. The agenda being to highlight Apple's 'closed' approach as having no tangible benefit.
Because it has no tangible benefit as long as you read warnings. The idea that OSX is less secure than iOS because I might permit a virus to be installed is silly. Yes in theory it has the potential of being less secure, but that's it. We know for a fact malware has made it into all app stores. We know that iOS has suffered its fair share of major security bugs. Contacts / SMSs being uploaded through the web browser seems a pretty apt one.
Security is not as simple as locking down installation. As you've seen, a single errant line of code and iOS has been less secure than any other platform for months if not longer. Trying to act as if security is simply a matter of how restricted your platform is is clearly not accurate.
The major benefactor of Apple's closed approach is Apple.
Lots of Microsoft and Android users were affected - they got really excited by Apple having a problem. The bug is only useful for targeted attacks where the attacker has a privileged network position.
Not at all. I can attach my laptop to an open wifi network and automatically poison every HTTPS request, intercept it with mitmproxy and log all private data.
I don't understand why you're so insistent on saying all other manufacturer's users are paranoid or 'insecure'. If this bug was a bug in Android I feel confident in saying the mocking on this forum would be widespread, yet when it is one of the most serious possible bugs on iOS you brush it off as if it were nothing.
Every platform has security bugs, Android had the master key vulnerability, Windows is Windows etc. Apple picked a strategy that works best for them but it doesn't mean they are somehow exempt from criticism. If you're willing to ignore warnings and simply install whatever you're told to install then iOS is in theory more resistant to damage, but I don't think you are this type of person and neither am I, so claiming this as an advantage is relatively pointless I feel.
Because it has no tangible benefit as long as you read warnings. The idea that OSX is less secure than iOS because I might permit a virus to be installed is silly. Yes in theory it has the potential of being less secure, but that's it. We know for a fact malware has made it into all app stores. We know that iOS has suffered its fair share of major security bugs. Contacts / SMSs being uploaded through the web browser seems a pretty apt one.
It would seem backwards for OS X to have less real-world security than iOS given that OS X sees more mission-critical applications. Many companies, such as Google, use OS X as their primary computing platform. People are more likely to file their taxes and store sensitive financial documents on their Mac than on their IPhone. A security breach on OS X would likely have far greater impact than one for iOS.
Well for example, if you read the f-secure report, all the malware they list is found in 'third party app stores'.
According to Gatorguy, security companies aren't credible so anything they say has to be dismissed as suspect. You can't just pick out the statements you like and ignore the ones you don't. Clearly whatever f-secure report you're referring to hasn't included the recent malware from the Google Play Store:
The idea that OSX is less secure than iOS because I might permit a virus to be installed is silly. Yes in theory it has the potential of being less secure, but that's it. We know for a fact malware has made it into all app stores. We know that iOS has suffered its fair share of major security bugs. Contacts / SMSs being uploaded through the web browser seems a pretty apt one.
There you go again trying to equate everything. We know that sample malware from security researchers has made it into the App Store. It pales in comparison to the amount of malware deployed for Android and the infections encountered.
Security is not as simple as locking down installation. As you've seen, a single errant line of code and iOS has been less secure than any other platform for months if not longer. Trying to act as if security is simply a matter of how restricted your platform is is clearly not accurate.
If the SSL bug made it less secure than any platform for months then you'd have seen more exploits. None have been reported.
Not at all. I can attach my laptop to an open wifi network and automatically poison every HTTPS request, intercept it with mitmproxy and log all private data.
You need a lot of conditions to happen for that to be worthwhile. Firstly you need the right setup like so:
You need for someone to be willing to connect to the wifi hotspot and for them to be doing something meaningful enough for it to be worth intercepting the data.
I don't understand why you're so insistent on saying all other manufacturer's users are paranoid or 'insecure'. If this bug was a bug in Android I feel confident in saying the mocking on this forum would be widespread, yet when it is one of the most serious possible bugs on iOS you brush it off as if it were nothing.
This is an Apple forum, I'm not sure how many times that has to be explained, it's right there in the title. Apple users here likely would mock problems with an Android product. They'd be insecure if they were going to Android and Windows forums to promote their own preferred products among people who don't give two sh*ts about them and denigrate products they don't own.
According to Gatorguy, security companies aren't credible so anything they say has to be dismissed as suspect. You can't just pick out the statements you like and ignore the ones you don't. Clearly whatever f-secure report you're referring to hasn't included the recent malware from the Google Play Store:
I don't believe you are genuinely making this point. You know there's a lot of difference between 'security company hyping the danger to sell products' and 'security company lying about malware sources for some reason to benefit Google'. You're implying the latter, wheras the reasonable position is the former.
Nowhere did I deny that Google Play has had malware attacks. In fact I explicitly said that they had. Why is it that I am constantly having to defend myself from things I never said?
Quote:
There you go again trying to equate everything. We know that sample malware from security researchers has made it into the App Store. It pales in comparison to the amount of malware deployed for Android and the infections encountered.
Do you think for some reason that malware on iOS and malware on Android is incomparable? Of course I equate 'everything' because that's the right way to see the reality of the situation. How many times do we have to go through this, you seem to take personal offence if I don't individually thank and praise Apple for whatever they're doing, even if it's not even noteworthy. I'll say it again. The iOS security model is such that even if you ignore what the screen tells you you should never be able to do anything Apple does not approve of. This is not the case on OSX or Android.
Quote:
If the SSL bug made it less secure than any platform for months then you'd have seen more exploits. None have been reported.
Not true at all. The SSL bug did make it less secure, there's no possible argument you can make against that, and no reporting would be possible as the exploit it enabled was data theft. There would be literally no way to tie it together unless logs of this information were kept, and I have seen no indication of that either.
Quote:
You need a lot of conditions to happen for that to be worthwhile. Firstly you need the right setup like so:
You need for someone to be willing to connect to the wifi hotspot and for them to be doing something meaningful enough for it to be worth intercepting the data.
Those 'lot of conditions' is to have a computer with a supported wifi chipset. I literally have one sitting on top of my keyboard right now. Getting people to connect to a "Free Internet" WiFi hotspot is trivial, and if your security depends on "doing something meaningful" then that's no security at all. What more evidence do you need than the widespread criticism from the security community? Perhaps this will change your mind? http://corte.si/posts/security/cve-2014-1266.html
Quote:
This is an Apple forum, I'm not sure how many times that has to be explained, it's right there in the title. Apple users here likely would mock problems with an Android product. They'd be insecure if they were going to Android and Windows forums to promote their own preferred products among people who don't give two sh*ts about them and denigrate products they don't own.
Except the nature of an Apple forum doesn't inherently mean you must dismiss or minimise problems at Apple. I may own an Android as my primary phone but I don't dismiss or minimise the reality of problems on that platform at all. Both platforms have their own issues, and Apple's review process fundamentally cannot catch all potential malware, nor is the platform fully secure (see: jailbreaks). This is just the nature of computing in general.
Nowhere did I deny that Google Play has had malware attacks. In fact I explicitly said that they had.
Now take it one step further and admit that the malware has made it to user's devices in large numbers where in the case of iOS it has not and that answers the following point.
Do you think for some reason that malware on iOS and malware on Android is incomparable? Of course I equate 'everything' because that's the right way to see the reality of the situation.
Not true at all. The SSL bug did make it less secure, there's no possible argument you can make against that
The argument I was making was against your statement that it made iOS less secure than any other platform. For outgoing data sure but not anything else and even at that, the outgoing data was hard to exploit harmfully. For someone using devices in their own home or at work with people they can trust, they weren't at risk.
Those 'lot of conditions' is to have a computer with a supported wifi chipset. I literally have one sitting on top of my keyboard right now.
Why does that not surprise me. There's more conditions than that as you need to be on the same network as someone with the vulnerability and you need to exploit the flaw:
- Trick you into visting an imposter HTTPS site, e.g. by using a poisoned public Wi-Fi access point.
- Force your browser (or other software) into using forward secrecy, possible because the server decides what encryption algorithms it will support.
- Force your browser (or other software) into using TLS 1.1, possible because the server decides what TLS versions it will allow.
- Supply a legitimate-looking TLS certificate with a mismatched private key.
That doesn't sound as trivial and automatic as you want people to believe, especially if you have to do it in the timeframe of a real-time scenario not knowing what data a user is accessing. If you have a working demo that takes less effort, describe how you set it up.
Getting people to connect to a "Free Internet" WiFi hotspot is trivial, and if your security depends on "doing something meaningful" then that's no security at all.
There you go with the hyperbole again. The security doesn't depend solely on someone doing something meaningful, it depends on someone doing something meaningful while connected to your dodgy free wifi and the above steps so it is a level of security that is not "no security at all".
"With a tool like mitmproxy in the right position". Why doesn't he mention what that position is? Likely because it means installing mitmproxy on an intermediate server or configuring devices accessing a router in a certain way. He is trying to promote mitmproxy as he's one of the developers. Security researchers get excited when things like this happen, that guy was tweeting every 3 minutes that Apple hadn't issued an update.
Except the nature of an Apple forum doesn't inherently mean you must dismiss or minimise problems at Apple. I may own an Android as my primary phone but I don't dismiss or minimise the reality of problems on that platform at all.
What it means is that if you have no interest in being positive about the subject of the forum then you're specifically here to be a nuisance poster and yes you do dismiss and minimise the reality of problems with Android.
Now take it one step further and admit that the malware has made it to user's devices in large numbers where in the case of iOS it has not and that answers the following point.
Have I not 'admitted' this before this point? I'm absolutely positive that plenty of Android devices have been attacked. I don't know how many different ways I really need to say this. I have no idea if there's been any significant malware on iOS devices. I certainly haven't heard of any and I'm sure Apple would remove them promptly if they did get through.
If you read back to the start of this discussion, you'll see that I was only making the point that this security is limited to there being no exploits and Apple's detection process being perfect. That obviously is never the case in any of these systems, and so that's why I compared Android to OSX.
Quote:
What it means is that if you have no interest in being positive about the subject of the forum then you're specifically here to be a nuisance poster and yes you do dismiss and minimise the reality of problems with Android.
How? I have been as relentlessly even in my criticisms and praise as I can be. I've taken care to make sure what I post is not just noise and I have very few negative things to say about Apple, mostly in relation to a couple of lawsuits. You seem to be reading all sorts of intentions and subtexts into posts that don't exist.
Quote:
The argument I was making was against your statement that it made iOS less secure than any other platform. For outgoing data sure but not anything else and even at that, the outgoing data was hard to exploit harmfully. For someone using devices in their own home or at work with people they can trust, they weren't at risk.
Why does that not surprise me. There's more conditions than that as you need to be on the same network as someone with the vulnerability and you need to exploit the flaw:
Yes, there are steps that must be taken, but this is about as serious a security bug as you can get short of remote code execution. This is just a simple fact and I can provide you endless third party sources to say so.
Quote:
That doesn't sound as trivial and automatic as you want people to believe, especially if you have to do it in the timeframe of a real-time scenario not knowing what data a user is accessing. If you have a working demo that takes less effort, describe how you set it up.
It requires a few patches to mitmproxy because it's designed for a straight substitution. I can't really say any more than that but it does require some reasonable cryptography / programming expertise. I'm not sure if I could manage it on my own but any coordinated hacking group would easily have the talent. I know for a fact that as soon as the news was made public at least two groups were working on this.
Quote:
There you go with the hyperbole again. The security doesn't depend solely on someone doing something meaningful, it depends on someone doing something meaningful while connected to your dodgy free wifi and the above steps so it is a level of security that is not "no security at all".
Ok sure, but it's pretty tenuous security. Of course it's fixed now, and of course similar bugs have existed on everything from Android to Debian.
Quote:
"With a tool like mitmproxy in the right position". Why doesn't he mention what that position is? Likely because it means installing mitmproxy on an intermediate server or configuring devices accessing a router in a certain way. He is trying to promote mitmproxy as he's one of the developers. Security researchers get excited when things like this happen, that guy was tweeting every 3 minutes that Apple hadn't issued an update.
He doesn't mention it because it's a normal part of security research to explore what sort of capabilities you have on a local network. For example, perhaps you can arp poison and have local devices send their packets to you. Perhaps you plug a wifi card into a Linux box and advertise an SSID.
There's an endless list of potentials I could provide, but potential impacts are great. Banking information, usernames/passwords, apparently keychain events could all be passively sniffed. This isn't me hating on Apple, it's just the reality of an unfortunate bug.
This needs far more coverage in the media. For all the "lack of innovation" that Apple gets accused of I, for one, am extremely happy they get the structural stuff right, their internal review processes work and they are open about the problems they are working to fix.
What does Google offer? They "scan" their store for known versions of malware. Really? Because antivirus software has been such an overwhelming success in the PC world. /s
It's pretty clear to me that Android has been developed with a profit first, user last mentality (like every soulless implementation of windows PC).
In my opinion Apple mostly achieves the right balance of user control. It would be nice to set alternate apps for particular functions (like email) but not to the extent that android phones give 3rd party access to critical information (like a replacement keyboard being able to log keystrokes when you use a banking app!!!).
This needs far more coverage in the media. For all the "lack of innovation" that Apple gets accused of I, for one, am extremely happy they get the structural stuff right, their internal review processes work
You might want to wait until a few weeks after their most major security bug to date before you say this. Otherwise I mostly agree that it's down to the user which choice they prefer.
I'm absolutely positive that plenty of Android devices have been attacked. I have no idea if there's been any significant malware on iOS devices.
So there's no possible way to reach the conclusion that there's no tangible benefit to Apple's setup. Until you know that real-world exploits have affected users in large numbers in iOS, as far as the data currently shows, iOS is more secure from a user's perspective.
How? I have been as relentlessly even in my criticisms and praise as I can be. I've taken care to make sure what I post is not just noise and I have very few negative things to say about Apple, mostly in relation to a couple of lawsuits. You seem to be reading all sorts of intentions and subtexts into posts that don't exist.
Just take a look at the last post you made. "You might want to wait until a few weeks after their most major security bug to date before you say this". It's not their most major security bug because you just said that it's less serious than bugs that allow arbitrary code execution, which have been in previous iOS versions.
You say a lot of the same things many posters who are no longer members have said over the years. The claim is always that you're just being impartial but the comments you make are laced with the usual propaganda promoting alternatives to the forum subject. When you keep making the subtle jabs at every opportunity, it's known as trolling and it irritates a lot of people.
It wouldn't be appropriate for an Apple user to sign up to an Android forum and starting talking about malware, Google's privacy policies and fragmentation and then keep mentioning alternatives that have a different setup but offer benefits.
Uh, Android has a signed boot chain, signed packages, external packages off by default and a manifest based permission framework.
Perhaps before saying what lessons have been learned, you should actually go take those lessons yourself and learn the differences. Windows XP etc were nightmares for security because users would trivially elevate programs to Administrator as it had to be run so often even for things like deleting desktop icons.
Android by default does not permit Administrator level access. Honestly you're completely wrong.
I never said it does, but it has hole to be exploited by hackers, and you took one sentence out my entire comment, which is google has so may threads of android floating around even as they find the holes and fix them they can not ever get to everyone who has Android on their devices. This was the same issue M$ had early on, people and company could or would not update to the new fixes for a long list of reasons which allow all the hacks to continue on.
As M$ did and google is doing, they open the system so people can see inside anyone could see inside and therefore allow the hackers to find all the holes. Even apple with all is concerns about security first, still have a very small group of people who know how hack the iphone and jailbreak it, it does take the user being involved, but it can be done. Andriod just makes it a lot easier for less dedicated hacker.
As M$ did and google is doing, they open the system so people can see inside anyone could see inside and therefore allow the hackers to find all the holes. Even apple with all is concerns about security first, still have a very small group of people who know how hack the iphone and jailbreak it, it does take the user being involved, but it can be done. Andriod just makes it a lot easier for less dedicated hacker.
1) When did MS ever open source its software? MS is far more closed than Apple, which at least uses open source foundations for its OS.
2) Open source is inherently no less secure than closed-source software. Linux for example has a much stronger security record than Windows despite its source code being completely open for everyone to see. Ever heard of the principle, "given enough eyeballs, all bugs are shallow"?
Comments
Like I said, the new stats came out later. If Google can retain security with less restriction then of course it's better but the new stats suggest there are millions of infections. That data wasn't released before, the other reports didn't mention higher infection rates and they are different reports. Just because one report doesn't find significant infection rates, if a separate report does then it can't be discounted just because another one doesn't.
If tomorrow 50 million Android devices get infected by a new trojan, are you going to suggest that because Google said everything was ok last October that people shouldn't use the new data to counter it?
What comparative stats came out in the last month that should have changed your mind Marvin? Google's statistics you were using in your argument had to do with apps that could potentially cause actual harm to an Android owner. They broke down various categories of "malware" into percentages to help readers understand what the various forms are and what they do. The Alcatel report doesn't break those out instead referring to the general and very broad category of "malware" as a whole which would be anything from relatively benign but undisclosed ad delivery or contact colection to premium SMS messaging to email phishing attacks that don't even rely on Android per-se. Alcatels collection certainly doesn't suggest Google statistics are wrong. They don't try to break it down enough to even compare the two except in the broadest sense.
IMO the stats that really matter, the ones to pay attention to, speak to the potential for actual damage from malicious Android app installs rather than the Alcatel report of assorted undisclosed activity from both harmless and harmful apps mixed with phishing-type schemes which aren't reliant on any particular platform.
Pretty surprised your opinions waver with the winds so much. Now you seem to be falling back in line with "most people here (who) naturally want Android to fail in some regard." Anyway, I don't expect to change your mind, but I am curious what prompted you to change yours so quickly. Certainly shouldn't have been that Alcatel report since it never touched on the detail that Google offered and that you had found so compelling.
Oh, you're taking issue with the lack of a breakdown of what the malware is rather than the infection count. Well, here's something a little more definitive:
http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/
No, I actually questioned your sudden change of view. You still didn't explain what lead to it but no big deal. It's not my business.
As I understand Verify Apps any attempt to scam a user via that premium SMS trick would be flagged to the user as long as they're on Gingerbread or better. That's essentially all current Android phones. A user might download an app that has a hidden premium SMS function thus technically "infected" but I don't think they'll suffer a loss since Verify Apps is designed to recognize it. With that said of course "malware" exists. It does on every platform. The job of the OS engineers is to catch 'em. I think Google is doing a fine job on that front especially considering all the low-life's trying to get in.
http://blogs.computerworld.com/android/23590/google-android-security
Why? Because only apple can as ios is a closed system. I doubt apple is going to blast it's mouth to say how many were infected. How many were affected with the huge ssl security hole? How long was it there before apple finally admitted it.
I feel more secure with Android as it is open and being scrutinize rigorously by the community instead of ios which is a total black box.
3rd parties can download whatever apps they want from the store and scan them just like with Google Play.
Lots of Microsoft and Android users were affected - they got really excited by Apple having a problem. The bug is only useful for targeted attacks where the attacker has a privileged network position.
Do you mean how long after they discovered it or how long after the bug was put into the system? It was introduced in September 2012 with iOS 6. Considering it was 1 line of code, I imagine it was addressed immediately. They probably had an investigation into who added the code. Fortsall was fired in 2012, it might have been him. He could use the login of one of the lower level staff and commit the change. He might even have used it to spy on inter-office communications to see what people were saying about him.
It doesn't sound like you feel more secure considering you're on an Apple forum. If you felt more secure, why wouldn't you be on an Android forum? It's only when you feel insecure that you have to justify your choices to people who you think might have made better choices than you.
But you have no stats to back that up, that's just what you assume to be the case. It's a lot like the assumptions people make about jailbreakers not doing it for the piracy. There's no stats to back it up so they just make a decision about it and then repeat it as fact.
Well for example, if you read the f-secure report, all the malware they list is found in 'third party app stores'. There's Google's official statements and then there's simple anecdotes. I have many friends who use Androids on a regular basis and I have seen the attempts to get them to install malware. They are all almost identical to OSX.
Because it has no tangible benefit as long as you read warnings. The idea that OSX is less secure than iOS because I might permit a virus to be installed is silly. Yes in theory it has the potential of being less secure, but that's it. We know for a fact malware has made it into all app stores. We know that iOS has suffered its fair share of major security bugs. Contacts / SMSs being uploaded through the web browser seems a pretty apt one.
Security is not as simple as locking down installation. As you've seen, a single errant line of code and iOS has been less secure than any other platform for months if not longer. Trying to act as if security is simply a matter of how restricted your platform is is clearly not accurate.
The major benefactor of Apple's closed approach is Apple.
Lots of Microsoft and Android users were affected - they got really excited by Apple having a problem. The bug is only useful for targeted attacks where the attacker has a privileged network position.
Not at all. I can attach my laptop to an open wifi network and automatically poison every HTTPS request, intercept it with mitmproxy and log all private data.
I don't understand why you're so insistent on saying all other manufacturer's users are paranoid or 'insecure'. If this bug was a bug in Android I feel confident in saying the mocking on this forum would be widespread, yet when it is one of the most serious possible bugs on iOS you brush it off as if it were nothing.
Every platform has security bugs, Android had the master key vulnerability, Windows is Windows etc. Apple picked a strategy that works best for them but it doesn't mean they are somehow exempt from criticism. If you're willing to ignore warnings and simply install whatever you're told to install then iOS is in theory more resistant to damage, but I don't think you are this type of person and neither am I, so claiming this as an advantage is relatively pointless I feel.
Because it has no tangible benefit as long as you read warnings. The idea that OSX is less secure than iOS because I might permit a virus to be installed is silly. Yes in theory it has the potential of being less secure, but that's it. We know for a fact malware has made it into all app stores. We know that iOS has suffered its fair share of major security bugs. Contacts / SMSs being uploaded through the web browser seems a pretty apt one.
It would seem backwards for OS X to have less real-world security than iOS given that OS X sees more mission-critical applications. Many companies, such as Google, use OS X as their primary computing platform. People are more likely to file their taxes and store sensitive financial documents on their Mac than on their IPhone. A security breach on OS X would likely have far greater impact than one for iOS.
According to Gatorguy, security companies aren't credible so anything they say has to be dismissed as suspect. You can't just pick out the statements you like and ignore the ones you don't. Clearly whatever f-secure report you're referring to hasn't included the recent malware from the Google Play Store:
http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/
There you go again trying to equate everything. We know that sample malware from security researchers has made it into the App Store. It pales in comparison to the amount of malware deployed for Android and the infections encountered.
If the SSL bug made it less secure than any platform for months then you'd have seen more exploits. None have been reported.
Seems like the major benefactor is Google's and Samsung's PR machine.
You need a lot of conditions to happen for that to be worthwhile. Firstly you need the right setup like so:
http://blog.philippheckel.com/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
You need for someone to be willing to connect to the wifi hotspot and for them to be doing something meaningful enough for it to be worth intercepting the data.
This is an Apple forum, I'm not sure how many times that has to be explained, it's right there in the title. Apple users here likely would mock problems with an Android product. They'd be insecure if they were going to Android and Windows forums to promote their own preferred products among people who don't give two sh*ts about them and denigrate products they don't own.
According to Gatorguy, security companies aren't credible so anything they say has to be dismissed as suspect. You can't just pick out the statements you like and ignore the ones you don't. Clearly whatever f-secure report you're referring to hasn't included the recent malware from the Google Play Store:
http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/
I don't believe you are genuinely making this point. You know there's a lot of difference between 'security company hyping the danger to sell products' and 'security company lying about malware sources for some reason to benefit Google'. You're implying the latter, wheras the reasonable position is the former.
Nowhere did I deny that Google Play has had malware attacks. In fact I explicitly said that they had. Why is it that I am constantly having to defend myself from things I never said?
Do you think for some reason that malware on iOS and malware on Android is incomparable? Of course I equate 'everything' because that's the right way to see the reality of the situation. How many times do we have to go through this, you seem to take personal offence if I don't individually thank and praise Apple for whatever they're doing, even if it's not even noteworthy. I'll say it again. The iOS security model is such that even if you ignore what the screen tells you you should never be able to do anything Apple does not approve of. This is not the case on OSX or Android.
Not true at all. The SSL bug did make it less secure, there's no possible argument you can make against that, and no reporting would be possible as the exploit it enabled was data theft. There would be literally no way to tie it together unless logs of this information were kept, and I have seen no indication of that either.
http://blog.philippheckel.com/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
You need for someone to be willing to connect to the wifi hotspot and for them to be doing something meaningful enough for it to be worth intercepting the data.
Those 'lot of conditions' is to have a computer with a supported wifi chipset. I literally have one sitting on top of my keyboard right now. Getting people to connect to a "Free Internet" WiFi hotspot is trivial, and if your security depends on "doing something meaningful" then that's no security at all. What more evidence do you need than the widespread criticism from the security community? Perhaps this will change your mind? http://corte.si/posts/security/cve-2014-1266.html
Except the nature of an Apple forum doesn't inherently mean you must dismiss or minimise problems at Apple. I may own an Android as my primary phone but I don't dismiss or minimise the reality of problems on that platform at all. Both platforms have their own issues, and Apple's review process fundamentally cannot catch all potential malware, nor is the platform fully secure (see: jailbreaks). This is just the nature of computing in general.
Now take it one step further and admit that the malware has made it to user's devices in large numbers where in the case of iOS it has not and that answers the following point.
The argument I was making was against your statement that it made iOS less secure than any other platform. For outgoing data sure but not anything else and even at that, the outgoing data was hard to exploit harmfully. For someone using devices in their own home or at work with people they can trust, they weren't at risk.
Why does that not surprise me. There's more conditions than that as you need to be on the same network as someone with the vulnerability and you need to exploit the flaw:
http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/
- Trick you into visting an imposter HTTPS site, e.g. by using a poisoned public Wi-Fi access point.
- Force your browser (or other software) into using forward secrecy, possible because the server decides what encryption algorithms it will support.
- Force your browser (or other software) into using TLS 1.1, possible because the server decides what TLS versions it will allow.
- Supply a legitimate-looking TLS certificate with a mismatched private key.
That doesn't sound as trivial and automatic as you want people to believe, especially if you have to do it in the timeframe of a real-time scenario not knowing what data a user is accessing. If you have a working demo that takes less effort, describe how you set it up.
There you go with the hyperbole again. The security doesn't depend solely on someone doing something meaningful, it depends on someone doing something meaningful while connected to your dodgy free wifi and the above steps so it is a level of security that is not "no security at all".
"With a tool like mitmproxy in the right position". Why doesn't he mention what that position is? Likely because it means installing mitmproxy on an intermediate server or configuring devices accessing a router in a certain way. He is trying to promote mitmproxy as he's one of the developers. Security researchers get excited when things like this happen, that guy was tweeting every 3 minutes that Apple hadn't issued an update.
What it means is that if you have no interest in being positive about the subject of the forum then you're specifically here to be a nuisance poster and yes you do dismiss and minimise the reality of problems with Android.
Now take it one step further and admit that the malware has made it to user's devices in large numbers where in the case of iOS it has not and that answers the following point.
Have I not 'admitted' this before this point? I'm absolutely positive that plenty of Android devices have been attacked. I don't know how many different ways I really need to say this. I have no idea if there's been any significant malware on iOS devices. I certainly haven't heard of any and I'm sure Apple would remove them promptly if they did get through.
If you read back to the start of this discussion, you'll see that I was only making the point that this security is limited to there being no exploits and Apple's detection process being perfect. That obviously is never the case in any of these systems, and so that's why I compared Android to OSX.
How? I have been as relentlessly even in my criticisms and praise as I can be. I've taken care to make sure what I post is not just noise and I have very few negative things to say about Apple, mostly in relation to a couple of lawsuits. You seem to be reading all sorts of intentions and subtexts into posts that don't exist.
The argument I was making was against your statement that it made iOS less secure than any other platform. For outgoing data sure but not anything else and even at that, the outgoing data was hard to exploit harmfully. For someone using devices in their own home or at work with people they can trust, they weren't at risk.
Why does that not surprise me. There's more conditions than that as you need to be on the same network as someone with the vulnerability and you need to exploit the flaw:
Yes, there are steps that must be taken, but this is about as serious a security bug as you can get short of remote code execution. This is just a simple fact and I can provide you endless third party sources to say so.
It requires a few patches to mitmproxy because it's designed for a straight substitution. I can't really say any more than that but it does require some reasonable cryptography / programming expertise. I'm not sure if I could manage it on my own but any coordinated hacking group would easily have the talent. I know for a fact that as soon as the news was made public at least two groups were working on this.
Ok sure, but it's pretty tenuous security. Of course it's fixed now, and of course similar bugs have existed on everything from Android to Debian.
He doesn't mention it because it's a normal part of security research to explore what sort of capabilities you have on a local network. For example, perhaps you can arp poison and have local devices send their packets to you. Perhaps you plug a wifi card into a Linux box and advertise an SSID.
There's an endless list of potentials I could provide, but potential impacts are great. Banking information, usernames/passwords, apparently keychain events could all be passively sniffed. This isn't me hating on Apple, it's just the reality of an unfortunate bug.
What does Google offer? They "scan" their store for known versions of malware. Really? Because antivirus software has been such an overwhelming success in the PC world. /s
It's pretty clear to me that Android has been developed with a profit first, user last mentality (like every soulless implementation of windows PC).
In my opinion Apple mostly achieves the right balance of user control. It would be nice to set alternate apps for particular functions (like email) but not to the extent that android phones give 3rd party access to critical information (like a replacement keyboard being able to log keystrokes when you use a banking app!!!).
This needs far more coverage in the media. For all the "lack of innovation" that Apple gets accused of I, for one, am extremely happy they get the structural stuff right, their internal review processes work
You might want to wait until a few weeks after their most major security bug to date before you say this. Otherwise I mostly agree that it's down to the user which choice they prefer.
So there's no possible way to reach the conclusion that there's no tangible benefit to Apple's setup. Until you know that real-world exploits have affected users in large numbers in iOS, as far as the data currently shows, iOS is more secure from a user's perspective.
Just take a look at the last post you made. "You might want to wait until a few weeks after their most major security bug to date before you say this". It's not their most major security bug because you just said that it's less serious than bugs that allow arbitrary code execution, which have been in previous iOS versions.
You say a lot of the same things many posters who are no longer members have said over the years. The claim is always that you're just being impartial but the comments you make are laced with the usual propaganda promoting alternatives to the forum subject. When you keep making the subtle jabs at every opportunity, it's known as trolling and it irritates a lot of people.
It wouldn't be appropriate for an Apple user to sign up to an Android forum and starting talking about malware, Google's privacy policies and fragmentation and then keep mentioning alternatives that have a different setup but offer benefits.
Uh, Android has a signed boot chain, signed packages, external packages off by default and a manifest based permission framework.
Perhaps before saying what lessons have been learned, you should actually go take those lessons yourself and learn the differences. Windows XP etc were nightmares for security because users would trivially elevate programs to Administrator as it had to be run so often even for things like deleting desktop icons.
Android by default does not permit Administrator level access. Honestly you're completely wrong.
I never said it does, but it has hole to be exploited by hackers, and you took one sentence out my entire comment, which is google has so may threads of android floating around even as they find the holes and fix them they can not ever get to everyone who has Android on their devices. This was the same issue M$ had early on, people and company could or would not update to the new fixes for a long list of reasons which allow all the hacks to continue on.
As M$ did and google is doing, they open the system so people can see inside anyone could see inside and therefore allow the hackers to find all the holes. Even apple with all is concerns about security first, still have a very small group of people who know how hack the iphone and jailbreak it, it does take the user being involved, but it can be done. Andriod just makes it a lot easier for less dedicated hacker.
As M$ did and google is doing, they open the system so people can see inside anyone could see inside and therefore allow the hackers to find all the holes. Even apple with all is concerns about security first, still have a very small group of people who know how hack the iphone and jailbreak it, it does take the user being involved, but it can be done. Andriod just makes it a lot easier for less dedicated hacker.
1) When did MS ever open source its software? MS is far more closed than Apple, which at least uses open source foundations for its OS.
2) Open source is inherently no less secure than closed-source software. Linux for example has a much stronger security record than Windows despite its source code being completely open for everyone to see. Ever heard of the principle, "given enough eyeballs, all bugs are shallow"?
A heads-up if your iPhone is jail-broken and NOT Apple's latest 64-bit model. There's a nasty little exploit making the rounds, designed for stealing Apple passwords and log-in credentials. You should at least be aware it's out there. So far it doesn't appear to infect the 5s.
http://arstechnica.com/security/2014/04/active-malware-campaign-steals-apple-passwords-from-jailbroken-iphones/