Smart phone security

[jyl]

If you haven't already done so, it is time to start thinking seriously about the security of your smart phone.

New type of auto-rooting Android adware is nearly impossible to remove | Ars Technica

The TLDR version: apps that look and function like the real thing, contain malicious code, and nearly cannot be removed from the phone.

The Stagefright bug should have been a wake-up call, but if not then this needs to be.

[Scott R]

My phone is encrypted, and all installed apps are blocked by my setting on install, no contacts access, no other cross application access. They should offer that on all phones.

[Neilk]

So the Apple fanboy in me wants to say, "Wouldn't it be easier to get an iPhone that doesn't have all these security risks?"

[Porsche-O-Phile]

Quote:

Originally Posted by Neilk

So the Apple fanboy in me wants to say, "Wouldn't it be easier to get an iPhone that doesn't have all these security risks?"

My thought exactly. The Apple world is kept pretty tightly controlled which has its plusses and minuses but one of the big plusses is that if someone can break through Apple's security and start messing around with their stuff on devices that are playing by Apple's rules (i.e. not jailbroken) it's more Apple's problem than mine!

Apple has more money than God - they can and do hire the best in the world so I'm pretty confident nobody's going to break their system anytime soon. The fact that it usually takes a long time for simple exploits / jailbreaks to come out after each new revision is a testimony to how robust their platform is. Jailbreak 9.0.2 was an anomaly and likely involved a known vulnerability that Pangu had been aware of for a while and was just sitting on to see if it got patched or not. When it didn't, they released their JB. Now of course it's fixed and nobody has (to my knowledge) been able to break 9.1.x

[nostatic]

I'm increasingly happy with Apple's stance on these things. While you're trusting companies that in the end want to turn a profit (so in some sense, it is the lesser of multiple evils), they have very different philosophies and business models.

Could Apple stop selling the iPhone in the UK? | Daily Mail Online

http://www.nytimes.com/2014/09/27/technology/iphone-locks-out-the-nsa-signaling-a-post-snowden-era-.html

Apple Anger On The NSA iPhone Hacking - Business Insider

[gtc]

Quote:

Originally Posted by Neilk

So the Apple fanboy in me wants to say, "Wouldn't it be easier to get an iPhone that doesn't have all these security risks?"

AHAHAHAHAHAHAHAHAHAHAHAHAH

HAHAHAHAHAHAHAH

(gasp)



HAHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHHAHAHAHAHAHAHAHAHH AH

[stomachmonkey]

Quote:

Originally Posted by Neilk

So the Apple fanboy in me wants to say, "Wouldn't it be easier to get an iPhone that doesn't have all these security risks?"

Quote:

Originally Posted by Porsche-O-Phile

My thought exactly. The Apple world is kept pretty tightly controlled which has its plusses and minuses but one of the big plusses is that if someone can break through Apple's security and start messing around with their stuff on devices that are playing by Apple's rules (i.e. not jailbroken) it's more Apple's problem than mine!

Apple has more money than God - they can and do hire the best in the world so I'm pretty confident nobody's going to break their system anytime soon. The fact that it usually takes a long time for simple exploits / jailbreaks to come out after each new revision is a testimony to how robust their platform is. Jailbreak 9.0.2 was an anomaly and likely involved a known vulnerability that Pangu had been aware of for a while and was just sitting on to see if it got patched or not. When it didn't, they released their JB. Now of course it's fixed and nobody has (to my knowledge) been able to break 9.1.x

It goes deeper than that.

I work in that world and the biggest gripe we get from our developers is the lag that Apples app vetting creates.

We can stick an app on the Android stores and have it live within hours.

Not so with Apples app store.

What that also means is the bad guys can stick their trojans and malware on the Android stores confident in the fact that they will get massive installs before anyone finds out their app is not all it's said to be.

You want to root / jailbreak your device and install apps from unsigned and unverified developers go right ahead, you get what you deserve.

[nostatic]

Right now we're in the 2-week lag time waiting for approval of an iOS VR app. For Android we can distribute however we want. Two completely different processes/approaches/philosophies with associated 2nd and 3rd order effects.

[Neilk]

So SM and Todd, do you guys roll out Android version more quickly to see what features work and what don'tt and then tweak the IOS app accordingly?

[nostatic]

We don't sell apps - ours are research prototypes so we don't do a lot of distribution. When we do, no difference from a dev standpoint. Mostly avoid App Store as it is more to deal with but often our target users are primarily iOS - hence our submitting this app in advance of CES.

[red-beard]

I guess I just don't have a need to go to 3rd party sites for applications. Not sure why someone would download Facebook from something other than the Playstore.

[stomachmonkey]

Quote:

Originally Posted by Neilk

So SM and Todd, do you guys roll out Android version more quickly to see what features work and what don'tt and then tweak the IOS app accordingly?

No not as a rule.

Depending on the product one might but generally that approach doubles your marketing / PR efforts and budget which is not always offset by releasing an improved product on a second platform.

Simultaneous platform launches are almost always preferable.

[gtc]

Apple cleanses App Store of tainted iPhone, iPad software - CNET

[stomachmonkey]

Quote:

Originally Posted by gtc

Apple cleanses App Store of tainted iPhone, iPad software - CNET

Yeah, that was (no surprise) China's App Store.

[jyl]

Also, Apple has tighter control of the iOS version actually running on phones, they get the installed base of iPhones upgraded to the latest iOS plus updates, very quickly. iOS 9 was just launched in September and already 66% of iPhones are running it.

Google does not, they have no ability to push upgrades directly to your phone, even OEMs like Samsung has no ability, it is in the control of the carrier, and the carriers are really bad at it along with being ready bad at every other aspect of customer service. Android 5 Lollipop is on only 20% of Android phones, even though it was released a year ago. To further complicate things, the versions of Android out there are overlaid with carrier and OEM customization, and sometimes outright forking.

So most iPhones are on the latest and most secure iOS and Apple can address new vulnerabilities with rapid updates. Most Android phones are on old versions of the OS, they get updated slowly if at all, and I question just how much priority Google, the OEMs, and the carriers put on security. Well, actually, I'm sure the carriers give it very little importance.

[stomachmonkey]

Quote:

Originally Posted by jyl

Also, Apple has tighter control of the iOS version actually running on phones, they get the installed base of iPhones upgraded to the latest iOS plus updates, very quickly. iOS 9 was just launched in September and already 66% of iPhones are running it.

Google does not, they have no ability to push upgrades directly to your phone, even OEMs like Samsung has no ability, it is in the control of the carrier, and the carriers are really bad at it along with being ready bad at every other aspect of customer service. Android 5 Lollipop is on only 20% of Android phones, even though it was released a year ago. To further complicate things, the versions of Android out there are overlaid with carrier and OEM customization, and sometimes outright forking.

So most iPhones are on the latest and most secure iOS and Apple can address new vulnerabilities with rapid updates. Most Android phones are on old versions of the OS, they get updated slowly if at all, and I question just how much priority Google, the OEMs, and the carriers put on security. Well, actually, I'm sure the carriers give it very little importance.

Fragmentation.

I've been *****ing about it for years.

Most carriers will purposely not push updates as major OS releases are an incentive for their users to upgrade, (read, renew their contract) and tack on upgrade fees.

NOT pushing updates is actually a revenue stream.

[jyl]

As I understand it, Google's lack of control over updates, fragmentation and forking is because of the way it set up Android, as open source code. I think Google needs to take back control. Just because Android started as open source, does that mean that every future version of Android (Android 6, 7, etc) must forever be open source?

Right now, I think most people don't know or care about Android's security weaknesses. But one day, people's bank logins, PayPal logins, identity, pictures, contacts, etc will get stolen in a big way that gets widely publicized. And in a flash, Android will lose buckets of market share.

[stomachmonkey]

Quote:

Originally Posted by jyl

As I understand it, Google's lack of control over updates, fragmentation and forking is because of the way it set up Android, as open source code. I think Google needs to take back control. Just because Android started as open source, does that mean that every future version of Android (Android 6, 7, etc) must forever be open source?

Right now, I think most people don't know or care about Android's security weaknesses. But one day, people's bank logins, PayPal logins, identity, pictures, contacts, etc will get stolen in a big way that gets widely publicized. And in a flash, Android will lose buckets of market share.

The amount of capital investment, infrastructure specific, and device specific tweaks (forks) to the base system made by licensee's makes it difficult to reset to a standard. It's not impossible, just can't happen overnight.

Google know they need to and have been actively trying to take control of Android but it's not simple.

Amazon is a prime example. Think of everything they've built that relies on their fork of Android.

I believe it is one of the driving factors behind googles aggressive push of it's own OS / hardware initiatives.

They need to have the majority market share in order to dictate and enforce a standard.

The only other option is to adopt a standard fork from one of the other hardware players and that's no bueno.

[nostatic]

They made their bed, now they have to lie in it. The open source angle gave them a point of differentiation from Apple, and they used it as a USP. Now it has become a liability, and if they reverse course they will piss off (and likely end up in court with) their licensees, and they'll also alienate the Android faithful.

No free lunch. Apple takes flack for having a walled garden and limited OS tweaking. Android now is taking flack for having a more open garden and lots of OS tweaking (and the resulting fragmentation and security risks. Pick your poison.

[stomachmonkey]

Quote:

Originally Posted by nostatic

They made their bed, now they have to lie in it. The open source angle gave them a point of differentiation from Apple, and they used it as a USP. Now it has become a liability, and if they reverse course they will piss off (and likely end up in court with) their licensees, and they'll also alienate the Android faithful.

No free lunch. Apple takes flack for having a walled garden and limited OS tweaking. Android now is taking flack for having a more open garden and lots of OS tweaking (and the resulting fragmentation and security risks. Pick your poison.

I've never bought the Apple "walled garden" argument.

It's a .nix, there is very little a power user can't do with the system.

It's only walled for people like my wife who despite living with me for 25 years and deriving the benefit of my expertise still forwards things to me to print because she does not have an f'n clue.