Question for you android users

[Vulcan]

It's not rubbish. Now I'm sure you can explain how exactly it is rubbish mr blind belief in antiviruses

Apple apps have been found that sideload content. There's been stuff that even sideloads advertising. Both iOS and Android are very exposed, the different is with android you can get protection. In all hacking competitions iOS falls very quickly, usually via Safari.

http://www.infosecurity-magazine.com/view/21936/proofofconcept-malware-sneaked-onto-apple-itunes-developer-given-the-axe

According to the Forbes newswire, at the SysCan conference in Taiwan next week, Miller will present a proven methodology that exploits a flaw in Apple’s restrictions on code signing on iOS devices – the security measure that allows only Apple-approved commands to run in an iPhone or iPad’s memory.

“Using his method – and Miller has already planted a sleeper app in Apple’s [iTunes] app store to demonstrate the trick – an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends”, notes the newswire.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check”, he says. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Miller has posted a YouTube video demonstrating the security vulnerability.

ripley, face it - you're a one-eyed fan boy. No matter what I or anyone else says you will never listen. I work in the security field, I've assessed both android and iphone apps for use within government (i.e. professional, paid for work) - I've seen who's behind the curtain. And tbh the underlying OS is much of a muchness between the two.

[MrRiplEy[H]]

Apple apps have been found that sideload content. There's been stuff that even sideloads advertising. Both iOS and Android are very exposed, the different is with android you can get protection. In all hacking competitions iOS falls very quickly, usually via Safari.

http://www.infosecurity-magazine.com/view/21936/proofofconcept-malware-sneaked-onto-apple-itunes-developer-given-the-axe

ripley, face it - you're a one-eyed fan boy. No matter what I or anyone else says you will never listen. I work in the security field, I've assessed both android and iphone apps for use within government (i.e. professional, paid for work) - I've seen who's behind the curtain. And tbh the underlying OS is much of a muchness between the two.

You fail to grasp that nobody has direct access to the app store so any hacking attempt has first to pass Apple content control before even having a chance of getting to the end user Android play has open barn doors for attacks, literally.

Vulcan, face it - you're working in the field of security and place way too much trust in measures that happen in the wrong end - defence. The attacker is always one step ahead so the only right way is to prevent the attack from happening in the first place. You may notice that once this proof of concept was published, the developer was axed immediately and most likely check routines for approved content were improved. With play store you can publish a hack, then publish another one 5 minutes later with a different fake account (unlimited e-mails available). And for each new hack typically thousands of users download it through play before it's detected and removed. Not a pretty picture

What you're trying to say essentially that it's no better to hide behind a concrete wall dodging random ricochets instead of standing in the open machine gunned, but wearing a flak jacket

[Vulcan]

You fail to grasp that nobody has direct access to the app store so any hacking attempt has first to pass Apple content control before even having a chance of getting to the end user

Yet it has been achieved. Also worth noting most iOS attacks focus on Safari, not the app store http://www.idownloadblog.com/2012/09/19/iphone-4s-pwn2own/    - it's the same year after year.

I also work with a bunch of mac developers, iOS experts (ie apple certified engineers) who pretty much agree. It does really matter if there is 10x as much malware on android as there is on iOS, all it takes is one to be successful. Same thing happened with the OS X malware and the massive botnet that generated.

You're kind of missing the point entirely, but that's what you'll always do. You're completely blinded with fanboism, No matter, your opinion is fairly worthless in the greater scheme, android has market share dominance in both smartphones and tablets now .

[Delirium]

I agree with Vulcan, both on his opinion of security and the opinion of Ripley.

[MrRiplEy[H]]

Yet it has been achieved. Also worth noting most iOS attacks focus on Safari, not the app store http://www.idownloadblog.com/2012/09/19/iphone-4s-pwn2own/    - it's the same year after year.

I also work with a bunch of mac developers, iOS experts (ie apple certified engineers) who pretty much agree. It does really matter if there is 10x as much malware on android as there is on iOS, all it takes is one to be successful. Same thing happened with the OS X malware and the massive botnet that generated.

You're kind of missing the point entirely, but that's what you'll always do. You're completely blinded with fanboism, No matter, your opinion is fairly worthless in the greater scheme, android has market share dominance in both smartphones and tablets now .

LOL! You're so badly lost in this discussion that you have to resort in personal attacks. Ad hominem.

1st of all Apple has the track records to prove it - despite being the most popular at times, the iPhone is THE most secure phone at the moment. Android, Symbian and blackberry have all had a multitude of problems. Even your own article stated "Users of Apple’s iPhone and other iOS devices enjoy a fairly high level of security. In the past five years, the platform has only seen a handful of malware scares, and MIT says it recently crossed a “significant” threshold in security."

2nd the OSX botnet was far from massive lol! It contained a few thousands of machines where there are currently active windows botnets that contain multiple millions of computers. Yeah, running an antivirus. The only reason the OSX botnet made headlines was it was a first on OSX - not because it was anything special as far as computers go.

3rd nobody is forced to use Safari on an iPhone. And even then the security by obscurity point stands - what are your chances of ever browsing to a dangerous website (no, an iPhone threatening website) with your phone of all things? Most likely if someone is going to attack you, it's going to be through an app. There is one exception to the rule though and it's the abomination called 'the social media' where malware links spread like wildfire.

What exactly is your logic behind 'it doesnt matter how much malware there is'? If one app in a million contains a harmful element (that slipped past content checks) chances are you can use apps for the rest of your life without ever encountering one. IT DOES NOT MATTER HOW SUCCESFUL THAT ONE APP IS. Someone just won 300 millions in lottery. Are you going to place an order for a new jet already? If 15-30% of any new app (such as is in Android play store) contains malware, chances are pretty high that you'll end up infected sooner than later. It does not matter how crappily made that app is - if it reaches enough people even ones that do not know how to use operator backdoors will find enough users who give apps wide permissions without even thinking about it. This is also exactly where the danger behind places like Facebook lie - they're a concentrated distribution method that target users that are proven prone to influences and social engineering i.e. they use Facebook.

Apple app store way which requires code signing to run apps on devices make any attacks really, really that much harder to achieve in a large scale. Devs have to wait from days to weeks to get their app approved for distribution opposed to Play store cash in - chi ching you're done.

Your whole industry is based on stupidity, really. Antivirus companies are making false promises about 'securing' the computers and people keep believing in these lies despite the indisputable fact that infections happen all the time and the infected computers run av:s 99% of the time. Because people believe in the false sense of security provided by antiviruses, no change in computer using habits is done and any old attack vector remains open for malware and virusmakers. And this is of course what the AV companies exactly want. If people would all of the sudden start using their computers responsibly their whole business would collapse the same night.

Prevention = good, Defence = bad

Analogies: Safe sex = good, Abortion, AIDS medication, Antibiotics = bad. Staying out of trouble = good, flak jacket, armoured car, bulletproof glass = bad. Using a secure OS and content distribution methods = good, Antivirus, P2P, Warez, malwarescanners = bad

[CptTrips]

nvrmnd

[guncrasher]

Apple app store way which requires code signing to run apps on devices make any attacks really, really that much harder to achieve in a large scale. Devs have to wait from days to weeks to get their app approved for distribution opposed to Play store cash in - chi ching you're done.

but ripley if I understand correctly the story says that the guy was able to post an app in the app store.  so I guess all the checking apple did wasnt that great after all.  so if he was able to add it and was approved just to prove that it can be done, is it possible that there may other apps out there on the app store that havent been found?


semp

[MrRiplEy[H]]

but ripley if I understand correctly the story says that the guy was able to post an app in the app store.  so I guess all the checking apple did wasnt that great after all.  so if he was able to add it and was approved just to prove that it can be done, is it possible that there may other apps out there on the app store that havent been found?


semp

The story says that developer was axed permanently from future access to the app store. And I'm sure in the future review methods are improved to check for this kind of vulnerability also. You have to realize that Apple holds 1 strike you're out policy where on Android play you can create unlimited amounts of developer accounts and spam attacks at your hearts will. That is why iOS has seen so few attacks in the practise - not that people haven't tried. Trust me, they have.

[Shuffler]

You don't seem to grasp that Apple holds much tighter standards with what it accepts for distribution on the app store. Apple restricts the way apps can update themselves, too. Android play works completely differently. Anyone with 5 bucks and an e-mail account can publish any crap on Play and people will be able to download it untill Googles malware detection catches it (if it does). A typical malware gets downloaded in the order of thousads before it's removed from the play store. Apps also have a full freedom to download updates from unverified sources e.g. a legitimate looking app can just update a malicious payload at any given time and the play store won't even see it. If you do banking on an android phone you're a true darwin awards candidate as far as information technology goes! 

There's a fundamental difference in the method of operation there. Android is built on the principle of freedom - unfortunately it means freedom to exploit your mobile phone connection. It's exactly like issuing a carte blanche to criminals. Here, have my billing information - feel free to send me any charges (of any size) from automatically generated calls to malicious payphone numbers. 1000 dollars a minute? No problem. Let em rip!

I'll go along with you that most apple viruses are self induced. There are some outsider that find holes in it too though.

[MrRiplEy[H]]

I'll go along with you that most apple viruses are self induced. There are some outsider that find holes in it too though.

Name one example of self induced Apple virus... 

[Vulcan]

2nd the OSX botnet was far from massive lol! It contained a few thousands of machines where there are currently active windows botnets that contain multiple millions of computers. Yeah, running an antivirus. The only reason the OSX botnet made headlines was it was a first on OSX - not because it was anything special as far as computers go.

3rd nobody is forced to use Safari on an iPhone. And even then the security by obscurity point stands - what are your chances of ever browsing to a dangerous website (no, an iPhone threatening website) with your phone of all things? Most likely if someone is going to attack you, it's going to be through an app. There is one exception to the rule though and it's the abomination called 'the social media' where malware links spread like wildfire.

Funny I remember the botnet counting being around the 600000 machine mark.

How do you change the default browser in iOS? Yes I know you can install other browsers, but how do you change the DEFAULT browser

[CptTrips]

Can't we all just get along?

http://www.cnn.com/2012/10/19/tech/mobile/apple-samsung-peace-treaty/index.html?hpt=hp_bn5

Wab

[guncrasher]

The story says that developer was axed permanently from future access to the app store. And I'm sure in the future review methods are improved to check for this kind of vulnerability also. You have to realize that Apple holds 1 strike you're out policy where on Android play you can create unlimited amounts of developer accounts and spam attacks at your hearts will. That is why iOS has seen so few attacks in the practise - not that people haven't tried. Trust me, they have.

he wasnt kicked out of the app store because apple found out about it.  it was because he told them.  which proves that apple's store is not as secure as you think.  which bring back the "if he did it" then what makes you think that others haven done it yet and havent been found.  and what makes you think those who get axed from the apple store dont come back with a friend's or relative's id, hell they can come back with a stolen identity.  after all if you were doing something illegal, would you give your own information to apple?


semp

[quig]

It isn't necessarily 3-party devs that you have to worry about: http://gcn.com/articles/2012/03/15/ecg-app-makers-stealing-personal-info.aspx

Apple and Google both probably have more info on you than you'd tell your own mother. But boy, do they get annoyed when anyone cuts in on the profit margin 

All the big names have a dog in the fight. This iPhone vs Android fuss is useless until you get the corps on a leash.

[MrRiplEy[H]]

he wasnt kicked out of the app store because apple found out about it.  it was because he told them.  which proves that apple's store is not as secure as you think.  which bring back the "if he did it" then what makes you think that others haven done it yet and havent been found.  and what makes you think those who get axed from the apple store dont come back with a friend's or relative's id, hell they can come back with a stolen identity.  after all if you were doing something illegal, would you give your own information to apple?


semp

No he was kicked out because he sneaked a malicious app in the store, obviously. You can not dispute the fact that Apples content control has kept the iOS platform the most secure platform of all smartphones. Period.