For the first time ever, the security exploit broker Zerodium is paying a higher price for zero-day attacks that target Android than it pays for comparable attacks targeting iOS.
The company provided a message to Ars, stating that while Google and Samsung have worked hard to significantly improve the security of Android.
During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some [of] them.
On the other hand, Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time-consuming to develop full chains of exploits for Android, and it's even harder to develop zero-click exploits not requiring any user interaction.
In accordance with these new technical challenges related to Android security and our observations of market trends, we believe that the time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts, which are iMessage and Safari (WebKit and sandbox).
The security of an operating system is only as strong as its weakest links, and if Apple is slacking a bit on things like iMessage and Safari, while Google and Samsung work to strengthen Android’s weakest links, this is only a logical outcome.
“the growing difficulty of finding comparable exploits for versions 8 and 9 of Android”
So it appears Google’s projects to make Android more modular and easier to update were highly successful, which makes the whining about fragmentation here more about how people are personally annoyed rather than actually inconvenienced. My S7 is probably never getting updated beyond version 8; however, I still get critical security updates.
As for Apple: “users of fully patched versions of iOS were vulnerable to iOS zero-days that were exploited in the wild for more than two years.” Par for the course, never trust a company that has a long history of flat out denying any issues exist.
It’s iOS at war with Android. As in any war, there’s always an interested 3rd party, laying odds of one against the other. And taking bets.
The 3rd party observer has no influence on the property or lives lost. Zerodium’s press release is, basically, zero.
This is but one of the many reasons why people have always been suspicious of the so-called "security" community. It was always suspected that they worked hand-in-hand with the virus-creating crowd.
Sounds to me like this will discourage people from exploiting iOS, by taking away the incentive.
That might make the system less secure in effect, but appear to be more secure due to a lower rate of exploit discovery.
Security by obscurity….