Inside App Extensions: Apple, Inc's new Widgets & Keyboards similar to Android's, but secure

Comments

  • Reply 21 of 66
    derekmorr Posts: 237 member
    Quote:
    Originally Posted by tenly View Post

     

    Your opinions are clearly delusional.


    Glad to see nothing has changed on AI -- anyone who doesn't tout the party line is "delusional" or "a troll." Really mature bunch of commenters, we have here.

     

    Quote:
    Originally Posted by tenly View Post

     

    If my house has a lock on the front door and your house does not, the front door to my house is obviously more secure than yours.  The fact that your house hasn't been broken into does nothing to prove security.


    I don't think reasoning by analogy is helpful here, but to continue your comparison -- the issue isn't who has a better door. When police are reporting crime statistics, they report on break-ins, burglaries, etc, not on how many people lock their doors. The difference isn't just semantics, it matters.

     

    Quote:

    Originally Posted by tenly View Post

    Convince me and convince everyone reading this comment thread why we should ignore the findings of the professional Security and IT groups within the government and these large corporations.  Why should we believe you - some random person on the internet (with no credentials) - that Android is in fact secure, when everyone we hear from that has credentials and understands what a security vulnerability is - is telling us that it's not?


    I doubt I could convince most of you about anything. Too many of the commenters here have absolutist views of things, and their posts are filled with hate and venom. Not to mention endless cherry picking and goalpost moving. It's really sad. The amount of closed-mindedness and groupthink on the AI forums is striking.

     

    Google Play does an outstanding job of blocking malware. At this year's RSA conference, Google presented stats on Android malware infection. The whole deck is worth reviewing, but if you're pressed for time, review slides 25-27. The last one compares the alarmist Android malware headlines to actual, observed infection rates (which are far, far below 1%).

     

    Unfortunately, the tech press does a lousy job of reporting this. You often see poorly written stories, like this one, "New Android RAT threatens mobile banking users," about new Android malware in South Korea. The story drones on for a dozen paragraphs about how terrible and awful and scary the malware is until you get to the last paragraph where you find this gem: "MWR believes the malware may not pose a widespread threat. Security consultant Henry Hoggard told SC via email: 'It's not likely that this will become a major problem, due to the propagation problems - not on Google Play, which requires third-party app install and social engineering or a separate vulnerability in a highly privileged application.'"

     

    On the same note, we often see reports about local exploits, like this one. What these reports often leave out is that SE Android often blocks these problems (the one I linked to is blocked on (at least) the Galaxy S4, S5, and Note 3; LG G3 and GFlex; Nexus 4 and 5; HTC One m8, and Sony Z2).

     

    Amazingly, some security consultants, when pressed, admit that the alarmist Android malware headlines are BS. "Derek Halliday, a security product manager at Lookout, says that it's important to look at more than specific instances of malware, and that "it is alarmist to claim that malware has increased by hundreds of thousands of percentages.""

  • Reply 22 of 66
    philboogie Posts: 7,675 member
    Quote:
    Originally Posted by derekmorr View Post

    ^ post

    Insightful, thanks.
  • Reply 24 of 66
    ingsoc Posts: 212 member

    This was a great piece. Yes, it had some obvious spin - but that's OK. I think most readers can cut through that language to focus on the factual and philosophical basis behind it.

     

    More than anything else, this article reminds me of how futile the "who copied who" arguments are. Everyone "copies" everyone. It seems useless to look back at the origins of one particular feature. I think what matters more is the implementation of said feature.

     

    It's true that Apple is not as open as Google in terms of the OS, but on the other hand, I am personally quite happy with the "curated" experience. Security is (or should be) an increasing concern; but it's not just security per se, it's also the way in which applications can change the general user experience in negative ways. For example, I appreciate that apps on iOS must ask to use my location data, or to access my photos or contacts. That's as it should be.

     

    There have been so many dodgy attempts by app developers to get things under the radar (on iOS and elsewhere besides), and there are still numerous examples where things go wrong (i.e. you visit a web page and an ad on the page opens App Store without your approval and directs you to some crappy game). So, I appreciate that when Apple looks at implementing some new feature (like extensions), they do so in a very carefully considered way.

  • Reply 25 of 66
    droidftw Posts: 1,009 member
    Quote:

    Originally Posted by Ingsoc View Post


    For example, I appreciate that apps on iOS must ask to use my location data, or to access my photos or contacts. That's as it should be.

     

    From your post it's not clear if you're aware that Android apps must ask to use your location data, photos, contacts, etc. as well.

  • Reply 26 of 66
    frood Posts: 771 member
    Quote:
    Originally Posted by tenly View Post

     

     

    Your opinions are clearly delusional.

     

    You don't need "evidence that someone has been harmed" to prove a security hole exists.

     

    If my house has a lock on the front door and your house does not, the front door to my house is obviously more secure than yours.  The fact that your house hasn't been broken into does nothing to prove security.

     

    Android is full of known security holes.  Whether a hacker takes advantage of those holes or not, does not change the fact that they exist and that there is a security problem.

     

    The news is full of reports that large corporations and governments are passing on Android because it is not as secure as iOS and other products.

     

    Convince me and convince everyone reading this comment thread why we should ignore the findings of the professional Security and IT groups within the government and these large corporations.  Why should we believe you - some random person on the internet (with no credentials) - that Android is in fact secure, when everyone we hear from that has credentials and understands what a security vulnerability is - is telling us that it's not?


     

    Quote:
    Originally Posted by EricTheHalfBee View Post

     

     

    Bingo. Sounds an awful lot like the argument made by a few other well-known trolls here at AI. Always demanding "proof" that something happened when they know damn well it's virtually impossible.

     

    A similar analogy would be to look at Windows. I myself have NEVER had an issue with any type of virus/malware on my PCs simply because I take steps to prevent it. However, I'd be a raving lunatic to claim that Windows PCs never get malware based on my experiences.

     


     

    This is the exact opposite of the argument I usually see on this site when Apple has a vulnerability.   Major security flaws like the 'wireless' hole are poo-poo'd here because everyone knows 'Apple is secure.'  Since nearly 100% of Apple users were on affected version and almost all used a wireless connection at some point, you could argue that Apple users are less secure because any issues affect their entire base.  Never mind that very few users were *actually* hacked (that we know of), the main thing (by your argument) is that they *could have been* hacked.   Either one has valid arguments- but seeing the same argument either supported or brushed off depending on which platform is affected hints at these sites being overly biased (not that that is surprising).

     

    If you're feeling defensive about lifting widgets & keyboards from Android and that doing security a little differently absolves Apple from thieving- I say run with it.  In my view there is no need to feel defensive about it and no thieving occurred in the first place.  Keyboards are a no-brainer.  Widgets are very nice to have and I hope iOS users enjoy them.  I'd think a bigger driver is that with the smaller screens of prior iPhones, there really wasn't an elegant use for widgets- your screen could really only show one thing at a time.  Now that Apple is going with larger screens, widgets make more sense (and are a must imo) so add them and make them great. 

  • Reply 27 of 66
    tenly Posts: 710 member
    Quote:

    Originally Posted by Frood View Post

     

     

     

    This is the exact opposite of the argument I usually see on this site when Apple has a vulnerability.   Major security flaws like the 'wireless' hole are poo-poo'd here because everyone knows 'Apple is secure.'  Since nearly 100% of Apple users were on affected version and almost all used a wireless connection at some point, you could argue that Apple users are less secure because any issues affect their entire base.  Never mind that very few users were *actually* hacked (that we know of), the main thing (by your argument) is that they *could have been* hacked.   Either one has valid arguments- but seeing the same argument either supported or brushed off depending on which platform is affected hints at these sites being overly biased (not that that is surprising).

     

    If you're feeling defensive about lifting widgets & keyboards from Android and that doing security a little differently absolves Apple from thieving- I say run with it.  In my view there is no need to feel defensive about it and no thieving occurred in the first place.  Keyboards are a no-brainer.  Widgets are very nice to have and I hope iOS users enjoy them.  I'd think a bigger driver is that with the smaller screens of prior iPhones, there really wasn't an elegant use for widgets- your screen could really only show one thing at a time.  Now that Apple is going with larger screens, widgets make more sense (and are a must imo) so add them and make them great. 


     

    More delusions that a casual reader might actually think are true.  There's no reason to feel defensive about Apple implementing widgets and keyboards in the next release of iOS.  You insinuate that they were stolen/copied/lifted from Android which is actually pretty laughable and this article does a good job of explaining why that's not true.

     

    Myself, and I hope other members of this community reply publicly to posts that are filled with lies, misinformation or misleading remarks, not because we are defensive and feeling threatened, but more as a service to the casual reader who might otherwise think the information is accurate and factual.

     

    I think it's indisputable that Apple does a MUCH better job of providing security updates to their users and getting those updates installed throughout their entire user base quickly and easily.   How would you respond to this claim?  Would you point out that there are 2 or 3 Android models in which this is possible - or would you word it in a way that misleads readers into thinking that this is something that is quick and easy to do on all Android phones?

     

    Getting back to the security debate, I still don't understand how a handful of people can show up here and post comments that directly contradict the industry experts without telling us what their personal credentials are or explaining why they know more than the 'experts' know.  To me, it just sounds like a lot of wishful thinking.  A quick Google search for 'Android vs iOS security' overwhelmingly returns results that support the "common knowledge" that security is a secondary concern for Android.  Here are a handful of headlines and quotes from this year:

     

    Symantec - April 2014 - http://community.norton.com/t5/Norton-Protection-Blog/Android-vs-iOS-Which-is-More-Secure/ba-p/1122152

    "If we’re talking purely about the level of threat that exists on the two platforms, it would seem iPhone and iPad users have the better side of the deal"

     

    Apple Insider - Feb 2014 - http://appleinsider.com/articles/14/02/27/apple-touts-secure-design-of-ios-as-google-chief-admits-android-is-best-target-for-malicious-hackers

    "Speaking at Mobile World Conference, Google's new Android chief Sundar Pichai admitted that security plays second fiddle to "freedom" in the design and implementation of Google's mobile operation system, exposing Android users to an overwhelming, disproportionate share of malware vulnerabilities."

     

    DroidReport.com - Feb 2014 - http://www.droidreport.com/android-vs-ios-security-6137

    "With Google Android, manufacturers can modify the carrier releasing the device. This then causes Android devices to become more at risk due to poor or unwanted UI modifications."

     

    Cybernet - Cyber Security Division - Oct 2013 - http://cybersecurity.cybernet.com/blog/2-reasons-iphone-secure-android/

    "Love it or hate it, not only is iOS more secure than Android today, but its position as the front runner in security will continue to grow for the foreseeable future."

  • Reply 28 of 66
    Dan_Dilger Posts: 1,584 member
    Quote:

    Originally Posted by DroidFTW View Post

     

     

    From your post it's not clear if you're aware that Android apps must ask to use your location data, photos, contacts, etc. as well.




    The difference is that iOS forces apps to ask permission when they need it, creating a relationship between what they are asking for and why they need it (as in "I'm accessing your contacts to look for friends, ok?"). And users can say no, and the app will continue working (although might not be able to do all it wants to/can do).

     

    Under Android (and correct me if I'm wrong), apps ask for a laundry list of access permissions up front when they are installed, so that users have to accept all or nothing, the entire batch. Many users just click ok to complete the install without stopping to read a bunch of arcanely worded, generically abstract ideas that only make sense to engineers or tech enthusiasts. And if they don't accept them all, it won't install.

     

    So no, it's not the same. And that's one reason why Android has a problematic ecosystem full of malware and spyware. 

     

    Additionally, even "reputable" Android developers like Facebook and Samsung are taking advantage of the "take it or leave it 100%" structure of Android permissions requests to push unnecessary permissions. And then they take advantage of that to do things users wouldn't tolerate if they knew what was happening (like having all their contacts routinely uploaded for data mining, and spying on all the other apps installed on the device and recording what they are doing). This isn't just obscure Chinese malware doing this. It's top to bottom in the Android ecosystem. 

  • Reply 29 of 66
    Dan_Dilger Posts: 1,584 member
    Quote:
    Originally Posted by Frood View Post

     

     

     

    This is the exact opposite of the argument I usually see on this site when Apple has a vulnerability.   Major security flaws like the 'wireless' hole are poo-poo'd here because everyone knows 'Apple is secure.'  Since nearly 100% of Apple users were on affected version and almost all used a wireless connection at some point, you could argue that Apple users are less secure because any issues affect their entire base.  

     

    There's a big difference between a security flaw in iOS and a similar one in Android: Apple can patch the issue before many (or any, in the WiFi case) users are actually affected. It then rolls out its updates rapidly to virtually the entire installed base. iOS 7 is now over 90%, and it came out alongside KitKat. Google can fix the same type of problem, but it can't force its licensees to actually run it through QA and package it up for each model they sell, through every carrier they work with (each of whom has their own diddling to do before they make it available to users). So that's why KitKat is still reaching less than 15% of users. Only the newest Android users will ever get KitKat. That leaves a ton of users who are wide open to vulnerabilities after they're found and even after Google actually fixes them. 

     

    But that's not the issue at hand. The problem here is that Google has created an ecosystem that is insecure by design. It has set in motion a series of events it can not fix now, even if it could, wanted to, and spent the effort dickering with carriers and manufacturers to actually roll an update out to users. It has facilitated software that is "self vetting," handing every developer virtually full control to do anything, protected by broad permissions demands that users are forced to accept to get the app to work.

     

    The only way Google can fix Android is to start over with a correct design, making it incompatible with the hardware and apps / malware already out there. And if that were possible at this point, Microsoft would have done it for Windows Phone.

     

    Google can't compete with the ecosystem it already created. It took many years to get rid of the mistakes of Android 2.x, and that old software still makes up 15% of the "active" Google Play users that Google actually decides to recognize in its officially published dashboard stats. 

     

    Never mind that very few users were *actually* hacked (that we know of), the main thing (by your argument) is that they *could have been* hacked.   Either one has valid arguments- but seeing the same argument either supported or brushed off depending on which platform is affected hints at these sites being overly biased (not that that is surprising).

     

    We know tons of data are being extracted from Android because that's the core monetization for the platform! Google designed a platform to facilitate full control for advertisers because that's what Google is. It makes its money from selling analytics optimized, audience targeting advertisements. That requires spying on as much user data/behaviors as possible.

     

    Or are you naive enough to think that Android exists because Google wants to help people actualize themselves? 

     

    Apple, in contrast, makes money selling high end hardware. Apple is motivated to create reliable, quality differentiated hardware and software. Google can make good enough stuff that can pass for free and that hardware makers don't have to pay for to use. If Apple did that, nobody would buy its stuff anymore.

     

    Apple is actually profit-motivated to protect users' privacy and security. Google is the very opposite!

     

    If you're feeling defensive about lifting widgets & keyboards from Android and that doing security a little differently absolves Apple from thieving- I say run with it.  

     

    Google didn't create either feature, so it has nothing it "owns" for anyone to steal, certainly not the company that pioneered dynamically bitmapped multitouch screens with virtual keyboards as a smartphone's primary user interface. While Google clung to physical keyboards and an LED trackball.

     

    What Apple most certainly didn't "thieve" is Google's implementation of Intents in Android. Because it is seriously flawed, and assumes apps won't be bad. That's very naive. It's something only a company with zero existing experience in developing and managing a consumer platform would do. And that's exactly what Google was when it delivered extents for Android, when Android was a hobbyist platform before anyone was actually using it.  

     

    In my view there is no need to feel defensive about it and no thieving occurred in the first place.  Keyboards are a no-brainer.  Widgets are very nice to have and I hope iOS users enjoy them.  I'd think a bigger driver is that with the smaller screens of prior iPhones, there really wasn't an elegant use for widgets- your screen could really only show one thing at a time.  Now that Apple is going with larger screens, widgets make more sense (and are a must imo) so add them and make them great. 

     

    Keyboards are literally a "no brainer" for anyone naive enough to think that allowing anybody to freely distribute a key logger for their platform disguised as a keyboard is a good idea. I don't think you conceptually understand the issue here. Opening access to things like keyboards before you even give it any thought is purely braindead.

     

    And when Google opened up Android keyboards to third parties, it hadn't even delivered a functional virtual keyboard for Android itself! Google is like an arrogant teenager who thinks he knows everything, when really he's just a moron who should stay in school for a bit longer.

     

    Also, Android introduced widgets back when 3.5" iPhone screens were bigger than any Android phone (because Android phones needed to reserve space for all those keys and that LED trackball!). So your historical revisionism needs some work too.

     

    Widgets in iOS are intended to serve a different purpose than on Android. 

     

    "In contrast to Android, Apple's vision for Today Extensions is clearly aimed at presenting quick access to scores, stocks and similar information in the context of other notifications, rather than simply padding the Home screen with a busy box of fluff to make up for a lack of significant, native apps."


  • Reply 30 of 66

    This was a wonderful article, engaging and informative. I look forward to the next in the series.

     

    I feel that you get to the heart of why and how Apple does things.

  • Reply 31 of 66
    d4njvrzf Posts: 797 member
    Quote:
    Originally Posted by Corrections View Post

    What Apple most certainly didn't "thieve" is Google's implementation of Intents in Android. Because it is seriously flawed, and assumes apps won't be bad. That's very naive. It's something only a company with zero existing experience in developing and managing a consumer platform would do. And that's exactly what Google was when it delivered extents for Android, when Android was a hobbyist platform before anyone was actually using it.  

    What do you mean by "assumes apps won't be bad?" The Intents system is just a general mechanism for structured inter-app communication, analogous to pipes on OS X or any other unix system. You can't eavesdrop on a properly coded application via intents any more than you can with pipes on your Mac. 

  • Reply 32 of 66
    droidftw Posts: 1,009 member
    Quote:
    Originally Posted by Corrections View Post

     

    correct me if I'm wrong


    Well, you've taken an inch of truth and stretched it into a mile of opinionated FUD.  I'll give you a quick rundown (at your request).

     

    - Android apps do ask for permissions before install and it is an all or nothing request.  You can't accept some permissions and not others.  There are third party solutions that give you access at that level but they aren't that great and certainly wouldn't work for your average user.  iOS most definitely has an advantage in that area.

     

    - Is it fair to call the permissions request 'a laundry list of arcanely worded, generically abstract ideas that only make sense to engineers or tech enthusiasts'?  Not by any stretch of the imagination.  I remember you once likened the permissions popup to software EULA's which was even more laughable.  At that time I showed you some examples of a few randomly picked permissions popups, you must have forgotten about them.  There's nothing overly complicated about them.  I'm not sure if it's just too complicated for you in particular or if you're just trying to spread misinformation.  I suspect the latter.

     

    - The vast, vast majority of apps don't request permissions that they don't intend on using for legitimate purposes.  Facebook is obviously an exception to this rule and not the norm, but I suspect you knew this so I won't bother going into why those points are obviously FUD.  Facebook has a long history of shady tactics, the fact that they try to get away with everything they can on Android is status quo for how Facebook operates.  Google's even had to change their app store policies due to past FB actions (when FB tried to start getting people to update their app without going thru the Play Store).

  • Reply 33 of 66
    Dan_Dilger Posts: 1,584 member
    droidftw wrote:
    Well, you've taken an inch of truth and stretched it into a mile of opinionated FUD.  I'll give you a quick rundown (at your request).

    - Android apps do ask for permissions before install and it is an all or nothing request.  You can't accept some permissions and not others.  There are third party solutions that give you access at that level but they aren't that great and certainly wouldn't work for your average user.  iOS most definitely has an advantage in that area.

    So rather than "correct me if I'm wrong," you agree that what I described was completely accurate, but you don't like what that means so you serve up personal attacks that claim I'm trying to mislead people. That's not very cool.

    - Is it fair to call the permissions request 'a laundry list of arcanely worded, generically abstract ideas that only make sense to engineers or tech enthusiasts'?  Not by any stretch of the imagination. 

    Oh really? Does the typical user understand what this means?

    I remember you once likened the permissions popup to software EULA's which was even more laughable. 

    It's exactly like an EULA: a bunch of opaque stuff the user "agrees" to because they have to in order to get software to install.

    At that time I showed you some examples of a few randomly picked permissions popups, you must have forgotten about them.  There's nothing overly complicated about them.  I'm not sure if it's just too complicated for you in particular or if you're just trying to spread misinformation.  I suspect the latter.

    And yet you just admitted that my overview of android permissions was correct.

    - The vast, vast majority of apps don't request permissions that they don't intend on using for legitimate purposes. 

    This is a good example of a broad generalization thrown out with zero factual support. It's also irrelevant. Android only needs a few terrible apps to be a security quagmire and privacy death trap. How many Windows apps were known to bundle spyware, yet do you argue that Windows didn't have a serious spyware/adware/popups/virus problem?

    Facebook is obviously an exception to this rule and not the norm, but I suspect you knew this so I won't bother going into why those points are obviously FUD.  Facebook has a long history of shady tactics, the fact that they try to get away with everything they can on Android is status quo for how Facebook operates.  Google's even had to change their app store policies due to past FB actions (when FB tried to start getting people to update their app without going thru the Play Store).

    Facebook is the most popular store app on every platform. Making excuses for android allowing Facebook to be bad just makes you look disingenuous and hypocritical for accusing me--groundlessly--for "just trying to spread misinformation."
  • Reply 34 of 66
    Dan_Dilger Posts: 1,584 member
    d4njvrzf wrote:
    What do you mean by "assumes apps won't be bad?" The Intents system is just a general mechanism for structured inter-app communication, analogous to pipes on OS X or any other unix system. You can't eavesdrop on a properly coded application via intents any more than you can with pipes on your Mac. 

    Google provides copious literature on the subject when you search for "Intent Vulnerabilities"

    The TL;DR short version:

    "There are two main ways that the security of intents can be compromised:

    "Intent interception involves a malicious app receiving an intent that was not intended for it. This can cause a leak of sensitive information, but more importantly it can result in the malicious component being activated instead of the legitimate component. For example, if a malicious activity intercepted an intent then it would appear on the screen instead of the legitimate activity.

    "Intent spoofing is an attack where a malicious application induces undesired behavior by forging an intent."

    http://blog.palominolabs.com/2013/05/13/android-security/
  • Reply 35 of 66
    droidftw Posts: 1,009 member
    Quote:

    Originally Posted by Corrections View Post



     

     

    - I agreed with your "with Android it's all or nothing" part.  That was the inch of truth I spoke of.  The rest was the mile of FUD and misinformation.  So to say that I thought your overview was correct would really depend on which part you're referring to.

     

    - That permission screen looks old.  Here's a current one so that we're both on the same page (the most relevant one).  Does the typical user understand what this means?  Do you see how ridiculous it is to compare this to an EULA which reads like a lengthy legal document (because it is one)?

     

     

    - I never once made excuses for Facebook.  I did the exact opposite.  I believe I stated how FB is known for their shady tactics.  They're shady on all platforms so saying that they're shady on the Android platform isn't saying much.  They're also shady on Windows, iOS, and every other platform that can access Facebook.  I also never said that Android (I assume you mean Google there) allows Facebook to be bad.  That's another instance where I said the exact opposite.  I mentioned how Google has had to put Facebook in their place in the past for shady tactics.

  • Reply 36 of 66
    d4njvrzf Posts: 797 member
    Quote:
    Originally Posted by Corrections View Post





    Google provides copious literature on the subject when you search for "Intent Vulnerabilities"



    The TL;DR short version:



    "There are two main ways that the security of intents can be compromised:



    "Intent interception involves a malicious app receiving an intent that was not intended for it. This can cause a leak of sensitive information, but more importantly it can result in the malicious component being activated instead of the legitimate component. For example, if a malicious activity intercepted an intent then it would appear on the screen instead of the legitimate activity.



    "Intent spoofing is an attack where a malicious application induces undesired behavior by forging an intent."



    http://blog.palominolabs.com/2013/05/13/android-security/

    Intent spoofing is certainly a potential danger, but that's why the system lets developers control what other apps can use their components. It's their responsibility to exercise that control if their app can perform sensitive actions. Quoting from that same link, for example, 

     

    "If you write a component that you would like to be accessible only to another application you’ve written, you can export the component but protect it with a signature permission that allows access only to other applications signed by your developer key."

     

    See also the slide on Custom Permissions and "Enforcing Permissions Programmatically" (https://www.owasp.org/images/c/ca/ASDC12-An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications.pdf).

  • Reply 37 of 66
    Dan_Dilger Posts: 1,584 member
    Quote:
    Originally Posted by DroidFTW View Post

     

     

    - I agreed with your "with Android it's all or nothing" part.  That was the inch of truth I spoke of.  The rest was the mile of FUD and misinformation.  So to say that I thought your overview was correct would really depend on which part you're referring to.

     

    - That permission screen looks old.  Here's a current one so that we're both on the same page (the most relevant one).  Does the typical user understand what this means?  Do you see how ridiculous it is to compare this to an EULA which reads like a lengthy legal document (because it is one)?

     

     

    Well, that's not the same subject, is it? Do you see "Network" there at all?

     

    But now that you bring it up, Google's new gross oversimplification of the rights users are signing away to third parties is only making things worse, not better. See: http://www.citeworld.com/article/2450481/mobile-byod/simplified-android-apps-permissions-will-reduce-user-control.html

     

    Not that Android malware developers need to ask for permissions. Flaws that affect "nearly 87 per cent of Android users," including versions even through Android 4.4.2 KitKat, leave users vulnerable to tools that can override the permissions system, "surreptitiously dialing out to expensive toll services, potentially racking up big charges on unsuspecting customers' phone bills." See: http://www.theregister.co.uk/2014/07/07/android_dialer_vulnerabilities/ (that's from today).

     

    - I never once made excuses for Facebook.  I did the exact opposite.  I believe I stated how FB is known for their shady tactics.  They're shady on all platforms so saying that they're shady on the Android platform isn't saying much.  They're also shady on Windows, iOS, and every other platform that can access Facebook.  I also never said that Android (I assume you mean Google there) allows Facebook to be bad.  That's another instance where I said the exact opposite.  I mentioned how Google has had to put Facebook in their place in the past for shady tactics.

     

    Read that again. You tried to shift the blame to Facebook; I pointed out that Google's Android platform allows Facebook to do bad things. If it's really that hard to understand what I'm saying (and which one of us said what I just wrote), it's no surprise why you are completely unaware of any security issues affecting Android.

     

    I did ask you a question about Windows that you also sidestepped. Too painful to contemplate?

     

    One has to be willfully ignorant or purely delusional to insist that Android does not have serious security issues. Google got on stage for a painfully slow discussion at IO of how it plans to address the major problems that are keeping Android products out of the enterprise. Did you even pay any attention? Or were you bamboozled by the BS statistical smoke and mirrors the company danced around before it claimed credit for Apple's exact implementation of CarPlay as if Google invented the entire thing itself?

     

    Really, pick a new god, as Google is simply a joke at this point. 


  • Reply 38 of 66
    Dan_Dilger Posts: 1,584 member
    Quote:
    Originally Posted by d4NjvRzf View Post

     

    Intent spoofing is certainly a potential danger, but that's why the system lets developers control what other apps can use their components. It's their responsibility to exercise that control if their app can perform sensitive actions. Quoting from that same link, for example, 

     

    "If you write a component that you would like to be accessible only to another application you’ve written, you can export the component but protect it with a signature permission that allows access only to other applications signed by your developer key."

     

    See also the slide on Custom Permissions and "Enforcing Permissions Programmatically" (https://www.owasp.org/images/c/ca/ASDC12-An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications.pdf).


     

    Describing some possible solution to an existing problem does not change the fact that there is a clear, recognized problem with actual existing software that is widely known about and already being exploited in the real world.

     

    You asked, "What do you mean by 'assumes apps won't be bad?'" and then I gave you an answer. Why run to change the discussion to be about how one can indeed assume apps can be bad, while ignoring the clear and obvious corollary that Google allowed those cases to exist by designing a flawed system in its rush to deliver functionality without considering what could happen?

     

    Or are you just trolling to demand researched answers to questions you already know the answers to?

  • Reply 39 of 66
    benjamin frost Posts: 7,203 member
    droidftw wrote: »
     

    - I agreed with your "with Android it's all or nothing" part.  That was the inch of truth I spoke of.  The rest was the mile of FUD and misinformation.  So to say that I thought your overview was correct would really depend on which part you're referring to.

    - That permission screen looks old.  Here's a current one so that we're both on the same page (the most relevant one).  Does the typical user understand what this means?  Do you see how ridiculous it is to compare this to an EULA which reads like a lengthy legal document (because it is one)?

    [Image: screenshot of the permission screen]


    - I never once made excuses for Facebook.  I did the exact opposite.  I believe I stated how FB is known for their shady tactics.  They're shady on all platforms so saying that they're shady on the Android platform isn't saying much.  They're also shady on Windows, iOS, and every other platform that can access Facebook.  I also never said that Android (I assume you mean Google there) allows Facebook to be bad.  That's another instance where I said the exact opposite.  I mentioned how Google has had to put Facebook in their place in the past for shady tactics.

    I think that that permissions window is equally bad. What does 'uses account' mean? Are you handing over your account password, your name, your address, your phone number or what?
  • Reply 40 of 66
    d4njvrzf Posts: 797 member
    Quote:
    Originally Posted by Corrections View Post

     

     

    Describing some possible solution to an existing problem does not change the fact that there is a clear, recognized problem with actual existing software that is widely known about and already being exploited in the real world.

     

    You asked, "What do you mean by 'assumes apps won't be bad?'" and then I gave you an answer. Why run to change the discussion to be about how one can indeed assume apps can be bad, while ignoring the clear and obvious corollary that Google allowed those cases to exist by designing a flawed system in its rush to deliver functionality without considering what could happen?

     

    Or are you just trolling to demand researched answers to questions you already know the answers to?


    It's not just "some possible solution." It's using the system as designed. That intents (which, I'll concede, are unlike pipes in this regard) are integrated with a fine-grained permissions system suggests that rather than assuming that apps won't be bad, the system is designed to help the developer secure their applications against bad apps. You could, however, argue that Google should do more to educate developers in best practices instead of leaving that up to security conferences.

     

    Damage caused by incorrect use of a tool is not necessarily an indictment of the tool itself. If you use a sharp knife in the kitchen and cut yourself by using an improper grip, is the knife maker to blame for making the knife so sharp? If you accidentally wipe out a directory by running "rm *"  at the command line, is Apple to blame for shipping a powerful command line with OS X? Is the "rm" utility flawed for accepting wildcards, when the user can easily alias "rm" to "rm -i" to prevent such an accident? You can cause great damage on your Mac with an improperly coded program. Is Apple to blame for providing all those APIs in the first place?
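
The signature-permission protection quoted in Reply 36 and raised again in Reply 40, as an added example that is not part of the thread or any poster's code: a Python audit of a constructed AndroidManifest.xml that flags exported components which any installed app could send intents to. The package, component and permission names are hypothetical, and the check assumes the legacy default in which an intent-filter without `android:exported` makes a component exported.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver")

# Constructed sample manifest; every name in it is hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <permission android:name="com.example.bank.INTERNAL" android:protectionLevel="signature"/>
  <permission android:name="com.example.bank.WEAK" android:protectionLevel="normal"/>
  <application>
    <service android:name=".TransferService" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".ReportService" android:exported="true"
             android:permission="com.example.bank.WEAK"/>
    <service android:name=".PayService" android:exported="true"
             android:permission="com.example.bank.INTERNAL"/>
    <activity android:name=".Settings" android:exported="false"/>
  </application>
</manifest>"""

def audit(manifest_xml):
    """Map each component open to intent spoofing to the reason it is exposed."""
    root = ET.fromstring(manifest_xml.strip())
    # Custom permissions declared by this app; protectionLevel defaults to "normal".
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission")  # inherited by components without their own
    findings = {}
    for comp in (c for c in app if c.tag in COMPONENTS):
        exported = comp.get(ANDROID + "exported")
        if exported is None:  # legacy default: an intent-filter implies exported
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        name = comp.get(ANDROID + "name")
        perm = comp.get(ANDROID + "permission", app_perm)
        if perm is None:
            findings[name] = "exported with no permission"
        elif "signature" not in levels.get(perm, "undeclared").split("|"):
            findings[name] = "permission %s is not signature-level" % perm
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

Permissions declared outside the manifest (platform permissions, for instance) are reported as not signature-level, so those findings need a manual look.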
