Google can issue a patch to AOSP and even deliver patches to its own Nexus devices less than 18 months old, but that does not actually solve any problems for most of the Android user base, which is not running a device from Google nor tethered to a Linux console of a IT admin who compiles his own kernel several times a week.
The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.
So you're saying that Wirelurker and Masque are security vulnerabilities that have been added to iOS recently? When were these security vulnerabilities introduced?
You don't get it. Android didn't "introduce" Fake ID accidentally. It just never actually finished writing the code to verify certificates.
WireLurker is a con in China developed to spy on users who trade pirated software by tricking them into installing a trojan horse.
The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.
Google can issue a patch to AOSP and even deliver patches to its own Nexus devices less than 18 months old, but that does not actually solve any problems for most of the Android user base, which is not running a device from Google nor tethered to a Linux console of a IT admin who compiles his own kernel several times a week.
The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.
It's been patched for Gingerbread on up. Or are you saying that 80% of the Android world is running Froyo or earlier?
That "fix" is laughable since installing it requires you to first hack your phone to get root privileges; unless you have a Nexus device or otherwise have an unlocked bootloader, the process of getting root requires itself a security exploit. The real solution for the average user is to do nothing and let Verify Apps deal with the problem as that was updated to detect FakeID similarly to how XProtect was recently updated to catch Wirelurker and Masque.
Man, reading this thread with @Lord Amhran, @DroidFTW and @d4NjvRzf versus Corrections reminds me of those Kung-fu movies I watched as a child with one guy taking on 3-4 people. Or like Neo versus Agent Smith in Matrix Reloaded!
iOS now lets the user install apps outside of the Apple App Store without jailbreaking? That's a shame. I always considered protecting users from themselves as a good selling point. It's why I've recommended iPhone's to some people.
It's been like that for about 5 years, for enterprise support.
The feature is to let businesses keep their apps of Apple App Store, and still deploy to hundreds, potentially thousands of devices. App's can be downloaded from a website, but then Apple warns it's from a nontrusted developer.
You don't get it. Android didn't "introduce" Fake ID accidentally. It just never actually finished writing the code to verify certificates.
WireLurker is a con in China developed to spy on users who trade pirated software by tricking them into installing a trojan horse.
Fake ID is like Android didn't finish its OS.
Not similar.
Interesting answer to that question as it doesn't answer it in any way. Allow me to repeat:
So you're saying that Wirelurker and Masque are security vulnerabilities that have been added to iOS recently? When were these security vulnerabilities introduced?
Typical DED. When it's Apple he defends it by saying you need to disable some of the security features in order to get it, and this is true, but the same counts for 99.99% of Android malware but then he forgets to mention that of course. Just like with these malware programs in order to get infected by the vast majority of Android malware you need to download from a third party source, enable installations from unknown sources (disabled by default), install the malware program manually and then ignore the 'verify apps' warning you get. The chances of getting malware when only downloading from Play Store and with all security features enabled on your device are ridiculously small. But when talking about Android malware that's not important right? Then you only talk about malware without making a distinction.
Google can issue a patch to AOSP and even deliver patches to its own Nexus devices less than 18 months old, but that does not actually solve any problems for most of the Android user base, which is not running a device from Google nor tethered to a Linux console of a IT admin who compiles his own kernel several times a week.
The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.
I'm convinced you know better so why continue with FUD Daniel? iOS doesn't need your half-truths to support it. It's a great mobile system all on it's own.
From back in July:
"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."
When Android malware comes along and works only when someone installs apps manually, something most users never do, I don't see you guys treated it as not a huge issue. It's amazing how much fanboyism goes on here. I personally use both OS (iOS on the iPad), and while I agree it's an Apple site, it's amazing to see what lengths you go to to show Apple is superior.
P.S: Not saying Android is that safe, but still, most never get affected, especially by malware that need the option to install apps manually enabled.
Well when Daniel/Prince/Corrections comes out and blatently lies about things not being patched that are in fact patched all in an effort to write yet another Android slur piece he deserves to be called on it.
iOS now lets the user install apps outside of the Apple App Store without jailbreaking? That's a shame. I always considered protecting users from themselves as a good selling point. It's why I've recommended iPhone's to some people.
Only if they're paying 99$/yr for a developer account. Which would require either being part of an enterprise, or you compile every single app from source you wish to sideload.
Many developers want to develop software only for iOS, because as soon as their app goes on the Google Play store, it's pirated.
It's been like that for about 5 years, for enterprise support.
The feature is to let businesses keep their apps of Apple App Store, and still deploy to hundreds, potentially thousands of devices. App's can be downloaded from a website, but then Apple warns it's from a nontrusted developer. [/QUOTE]
[QUOTE name="Misa" url="/t/183345/wirelurker-masque-attack-malware-only-a-threat-for-users-who-disable-apples-ios-os-x-security#post_2638087"] Only if they're paying 99$/yr for a developer account. Which would require either being part of an enterprise, or you compile every single app from source you wish to sideload.
Many developers want to develop software only for iOS, because as soon as their app goes on the Google Play store, it's pirated.[/QUOTE]
So your normal, everyday user can't go into their iPhone settings and allow the installation of 3rd party apps. Thanks for the clarification as the article appeared to suggest otherwise.
It's been like that for about 5 years, for enterprise support.
The feature is to let businesses keep their apps of Apple App Store, and still deploy to hundreds, potentially thousands of devices. App's can be downloaded from a website, but then Apple warns it's from a nontrusted developer.
Only if they're paying 99$/yr for a developer account. Which would require either being part of an enterprise, or you compile every single app from source you wish to sideload.
Many developers want to develop software only for iOS, because as soon as their app goes on the Google Play store, it's pirated.
So your normal, everyday user can't go into their iPhone settings and allow the installation of 3rd party apps. Thanks for the clarification as the article appeared to suggest otherwise.
I'm not sure about that - I have one app that I loaded from a website without any changes to the default iOS security posture. It was not approved for the App Store because it broke a couple of video API rules.
Apple could do a better job (with dialogue boxes popping up) to explain the significance of "identified developers" of downloadable software and the risks of selecting "anywhere" in the security/privacy settings. I don't have any quarrel with the basic thrust of the article, which is that IOS/OX users don't have to worry Masque Attack or Wirelurker unless they've disabled the effective, built-in security safeguards Mac offers. And I particularly appreciate Apple making the "walled garden" even safer. Those who want to jailbreak their IOS devices should accept that they're on their own when it comes to security or privacy. Have fun.
Comments
Speaking of not checking facts....
http://www.zdnet.com/google-fixes-androids-fake-id-security-hole-7000032108/
Speaking of not checking facts....
http://www.zdnet.com/google-fixes-androids-fake-id-security-hole-7000032108/
Incorrect
Google can issue a patch to AOSP and even deliver patches to its own Nexus devices less than 18 months old, but that does not actually solve any problems for most of the Android user base, which is not running a device from Google nor tethered to a Linux console of a IT admin who compiles his own kernel several times a week.
The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.
Quote:
So you're saying that Wirelurker and Masque are security vulnerabilities that have been added to iOS recently? When were these security vulnerabilities introduced?
You don't get it. Android didn't "introduce" Fake ID accidentally. It just never actually finished writing the code to verify certificates.
WireLurker is a con in China developed to spy on users who trade pirated software by tricking them into installing a trojan horse.
Fake ID is like Android didn't finish its OS.
Not similar.
Moving the goalposts once again Daniel?
https://play.google.com/store/apps/details?id=tungstwenty.xposed.fakeidfix&hl=en
It's been patched for Gingerbread on up. Or are you saying that 80% of the Android world is running Froyo or earlier?
Incorrect
Google can issue a patch to AOSP and even deliver patches to its own Nexus devices less than 18 months old, but that does not actually solve any problems for most of the Android user base, which is not running a device from Google nor tethered to a Linux console of a IT admin who compiles his own kernel several times a week.
The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.
Devices running Gingerbread or newer also maintain a malware blacklist similar to Xprotect called "Verify Apps" (https://blog.malwarebytes.org/mobile-2/2013/07/android-as-a-service-verify-apps-for-gingerbread-and-up/).
Moving the goalposts once again Daniel?
https://play.google.com/store/apps/details?id=tungstwenty.xposed.fakeidfix&hl=en
It's been patched for Gingerbread on up. Or are you saying that 80% of the Android world is running Froyo or earlier?
That "fix" is laughable since installing it requires you to first hack your phone to get root privileges; unless you have a Nexus device or otherwise have an unlocked bootloader, the process of getting root requires itself a security exploit. The real solution for the average user is to do nothing and let Verify Apps deal with the problem as that was updated to detect FakeID similarly to how XProtect was recently updated to catch Wirelurker and Masque.
Man, reading this thread with @Lord Amhran, @DroidFTW and @d4NjvRzf versus Corrections reminds me of those Kung-fu movies I watched as a child with one guy taking on 3-4 people. Or like Neo versus Agent Smith in Matrix Reloaded!
iOS now lets the user install apps outside of the Apple App Store without jailbreaking? That's a shame. I always considered protecting users from themselves as a good selling point. It's why I've recommended iPhone's to some people.
It's been like that for about 5 years, for enterprise support.
The feature is to let businesses keep their apps of Apple App Store, and still deploy to hundreds, potentially thousands of devices. App's can be downloaded from a website, but then Apple warns it's from a nontrusted developer.
You don't get it. Android didn't "introduce" Fake ID accidentally. It just never actually finished writing the code to verify certificates.
WireLurker is a con in China developed to spy on users who trade pirated software by tricking them into installing a trojan horse.
Fake ID is like Android didn't finish its OS.
Not similar.
Interesting answer to that question as it doesn't answer it in any way. Allow me to repeat:
So you're saying that Wirelurker and Masque are security vulnerabilities that have been added to iOS recently? When were these security vulnerabilities introduced?
The chances of getting malware when only downloading from Play Store and with all security features enabled on your device are ridiculously small. But when talking about Android malware that's not important right? Then you only talk about malware without making a distinction.
I'm convinced you know better so why continue with FUD Daniel? iOS doesn't need your half-truths to support it. It's a great mobile system all on it's own.
From back in July:
"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."
OMG the droid super army of idiots has come!
P.S: Not saying Android is that safe, but still, most never get affected, especially by malware that need the option to install apps manually enabled.
Only if they're paying 99$/yr for a developer account. Which would require either being part of an enterprise, or you compile every single app from source you wish to sideload.
Many developers want to develop software only for iOS, because as soon as their app goes on the Google Play store, it's pirated.
It's been like that for about 5 years, for enterprise support.
The feature is to let businesses keep their apps of Apple App Store, and still deploy to hundreds, potentially thousands of devices. App's can be downloaded from a website, but then Apple warns it's from a nontrusted developer.
[/QUOTE]
[QUOTE name="Misa" url="/t/183345/wirelurker-masque-attack-malware-only-a-threat-for-users-who-disable-apples-ios-os-x-security#post_2638087"]
Only if they're paying 99$/yr for a developer account. Which would require either being part of an enterprise, or you compile every single app from source you wish to sideload.
Many developers want to develop software only for iOS, because as soon as their app goes on the Google Play store, it's pirated.[/QUOTE]
So your normal, everyday user can't go into their iPhone settings and allow the installation of 3rd party apps. Thanks for the clarification as the article appeared to suggest otherwise.
Well written and super informative. Priceless.
Thank You!
I'm not sure about that - I have one app that I loaded from a website without any changes to the default iOS security posture. It was not approved for the App Store because it broke a couple of video API rules.
"identified developers" of downloadable software and the risks of selecting "anywhere" in the security/privacy settings. I don't have any quarrel with the basic thrust of the article, which is that IOS/OX users don't have to worry Masque Attack or Wirelurker unless they've disabled the effective, built-in security safeguards Mac offers. And I particularly appreciate Apple making the "walled garden" even safer. Those who want to jailbreak their IOS devices should accept that they're on their own when it comes to security or privacy. Have fun.