Monday, October 12, 2015

The Difference Between iOS and Android Security

 iOS is a security nightmare now. And it kinda has been that way for a while:


UPDATE: iOS has been hacked (for real hacked. Not "pretend Android hacked") THREE TIMES since this story was written. I can't even make something like that up. 
https://www.fireeye.com/blog/threat-research/2015/11/ibackdoor_high-risk.html
https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
https://www.fireeye.com/blog/threat-research/2015/08/ins0mnia_unlimited.html
Again, this is users actually getting exploited. Not like 99.9 percent of Android stories where it either can't infect any typical Android user, or has never been seen in the wild. 




That's from 2013. But it doesn't play to the valley narrative. Apple journalists and editors have Apple stock, and kiss Apple's ass to keep getting invited to WWDC (Apple Prom) every year. So they downplay Apple's horrible security.

The reality is pictured above. Apple has one huge wall. You breach that wall, you own iOS and hundreds of millions of users. We saw this happen with XCodeGhost. XCodeGhost kicked a hole in the wall around iOS, and 4,000 apps got infected in Apple's supposedly "secure" app store. 200 million WeChat users got hacked, and that was just one app out of 4,000. We still don't know the fallout. They had six months roaming around safe behind Apple's wall stealing data and iCloud accounts. It's the worst computer security incident in history.


Right now any iPhone user could be hacked, and they'd have no idea. Apple never published the list of over 4,000 apps that got hacked (which is reprehensible) or a tool to check if you did get hacked. Profit is more important to them than you. And it's going to happen again. We've had a major iOS hacking every few weeks now for a while. I'm literally just sitting here waiting for the next one. And as a person that helps manage a fleet of iPhones, I'm really not looking forward to it.





Now, lets compare that to Android


Android uses oldschool "Castle Defense", which is the expensive "right" way to do security. First, wouldbe malware has to deal with the vast ocean. Then it has to deal with the lobstrocities on the shore that will eat its appendages. Then it has to deal with the forest full of ROUS. If it somehow makes it through the forest intact, it faces a 1000 foot high wall of fire, in front of a mote full of acid. THEN it hits the big wall. And if by some miracle it makes it through the wall (almost never happens) roving gangs of cyborg cannibals with 1000 mile eagle vision spot it and take it out anyway. And even if the malware manages to dodge those, it will find a dead end and can't do anything anyway but sit there and wait for removal. 

And that's why these numbers matter so much:


(click)


iOS
127 total vulnerabilities      32 high severity   72 medium severity          23 low severity


Android

6 total vulnerabilities      4 high severity   1 medium severity          1 low severity

Now, I already know how the apologists try to spin this. They ignore the "vulnerabilities turned into exploit" numbers above, and concentrate on vulnerabilities that never get turned into exploits. 

Which one matters more?

I'll quote my lead InfoSec guy.

"Well, see that's the thing with mobile. Android gets lots of talk about how it might get hacked, but iPhones actually get hacked. You don't see me using one do you?"

Love you,

S