Antivirus peddler Trend Micro recently issued a “report”, in which it states that “Google Play [is] populated with fake apps, with more than half carrying malware”. Sounds scary, right?
Well, reality is a little different, as TechRepublic and Android Police found out.
It turns out that Trend Micro is guilty of a little over-eager language that obfuscated the nature of some of these threats. While there are indeed fake versions of many popular Android apps available for download, Trend failed to mention in their initial promotion for the report that the apps in question were posted outside the Play Store, and had to be installed manually in what’s commonly known as a side-load. This requires users to download the app in a browser, ignore a standard security warning about APK files, and disable a security option in Android’s main settings menu.
As I’ve been saying for years and years now, antivirus peddlers are the scum of the technology industry. These people actively lie and spread FUD about popular platforms just to scare people into buying their crappy, bloated, unnecessary software. They tried these scummy scare tactics for OS X, iOS, and recently it’s been Android’s turn. Of course, it doesn’t help that people like Tim Cook actively join in on the lying and FUD.
You can spot the FUD from miles away. It usually contains something like “99% of all mobile malware targets Android”, which may technically be true, but is actually entirely meaningless without the figure that actually matters: infection rates to determine just how successful this malware actually is. The actual infection rate figures make it very clear that they are, in fact, not successful at all. Another dead giveaway that you’re dealing with antivirus FUD is “[platform] is insecure. Buy our software to make it secure”.
Android is just as secure as iOS. The figures are out there for all to see. Any time you see articles about reports regarding Android’s security, you can be 100% sure it’s coming from antivirus peddlers, meaning the figures will be contorted, false, manipulated, or just downright made up. These people are not to be trusted. If you still haven’t learned that lesson, you are either stupid, or you have an agenda to push.
I would say Apple is more secure and less flexible, but the difference is 99.98% and 99.99%. Devices don’t become botnets. Blackberry is even better on many levels (QNX).
Security is mainly an economic calculation – enough money and you can break and enter. But if the threat is greater from pickpockets than malware today, we need to refocus.
There is of course a trade off between user freedom and security.
I think there is not enough warning on Android before allowing the user to allow third-party application packages; on the other hand, other closed mobile OSes require a lot of tweaking before being able to achieve such a feature. This allows for a cheaper cost of creating/spreading Android malware. Of course we could always point out the couple of idiots that choose to install applications from shady locations, but it is from my point of view a failure of the OS security. From my point of view the ok/cancel dialog is not enough: installing self-developed applications should require signing with a device-specific certificate, or at least require the user to re-enter his PIN number. Users who don’t limit the access to their device have no right to complain.
Ultimately, I agree that giving false statistics is wrong on so many levels, and given the actually observed infection rate I would not trust any of the antivirus companies that use scare tactics and fear mongering to sell (Android or other platform) products.
Who are the people who side-load on Android? The vast majority are those who want to install pirated software, because they’re too cheap to pay a couple of dollars for genuine software.
These people deserve all they get in the way of malware.
That’s the fun part: the figures about how many application installs are malevolent (0.001%) *includes* install from outside of Google Play. So, even if you *do* sideload – Android’s numerous other safeguards *still* prevent any harm.
O noes! Android helps protect even the evil sideloaders who may install free and libre apps from places like F-Droid or developer sites and who might also want to copy apps (that may be free or that they may have paid for) from one device that they own to another?
Who allowed Google to let that much security be incorporated into their OS? (0;
too bad that you aren’t including anyone using free software repos like f-droid.
Arrogant much? They might be those on 1.x and early 2.x that can’t run Google Play, those that Google play simply won’t work (which I have seen on several occasions, android is REALLY piss poor when it comes to helping fix errors) or those whose carrier provided a shitty appstore instead of Google play (common on many asian devices).
So before you type next time you might want to think a little, because the world isn’t as black and white as you think.
Most anyone running a custom Android build or doing Android software development.
Hint: If you use CyanogenMod or any of the others, you have to side-load the Google Apps.
Hint: If you do Android Development you side-load your own app until you have it ready enough to go into the App Store.
No. Google Apps are not sideloaded in the way you’re referring to. Google Apps are *flashed* through Recovery, like the ROM itself. This is technically different from sideloading.
I still recall this NBC News piece done during the winter Olympics.
http://www.nbcnews.com/video/nightly-news/54273832/#54273832
Avast picked it up for one of their blog posts:
http://blog.avast.com/2014/02/06/going-to-the-olympics-prepare-to-b…
trying to peddle their VPN product. Never mind the fact that the product they were advertising for was not going to keep one safe from the sort of threats that were featured in the video (maybe I missed the wifi sniffing bit? I doubt it).
I went on to their forums hoping to get an explanation for this sort of behaviour and met the advocate lynching mob.
F**k antivirus companies!
I remember when Samsung was caught cheating on their Android benchmarks, which gave me the idea of ‘human shaming’, like some people do with dogs, and I think it definitely applies here. Imagine if whoever was responsible for this report had to wear a sign like these around their neck everywhere they went for awhile:
http://www.dogshaming.com
‘I lied about malware threats on Android so that gullible people would buy my company’s suck-ass anti virus software.’
Edited 2014-07-27 14:32 UTC
So I guess you enlightened folk don’t use an AV program on your Windows systems, correct?
You just employ good ol’ common sense and don’t visit shady parts of the internet or download sketchy cracked programs and games.
And let me guess, you’ve never even been infected. It’s all FUD. Your PC is running just fine, no slowdowns at all.
I’ve heard that idiotic tune more times than any FUD from AV “peddlers”.
Then you run a scan on their system with a couple of portable scanners and it’s loaded with trojans, keyloggers, screen capture tools, fake video codecs and other crap.
And they wonder how did it get there. They must have been “hacked”.
Enlightened pc users use a Linux based operating system to avoid the whole chain of AV/FW/Malware software suck needed in Windows. Enlightened/trendy people buy Apple stuff for the same reason… it’s not Windows. However, to be fair Windows wants to lock down its platform which would solve most of that but users revolted, they like having computer sex without a condom. Repositories and appstores are far more elegant and better than wild EXE’s everywhere, pirated software and porn sites are also to be avoided without running a sandboxed no save browser in a vm, but who does that?
Linux isn’t invincible. If market penetration picked up, you’d see a bunch of Ubuntu boxes loaded with malware. Sure, it probably wouldn’t run as root, but it can still be a botnet sending spam and other things.
All OS platforms can get malware as most users don’t know what they are doing.
I always find this response funny. For things to be executed in a Unix environment after being downloaded, the user would either have to chmod+x and run it themselves, or extract a tarball and run some script to install it. Really isn’t that many ways that you can get infected on a Linux box unless you try to run some code that downloaded off of some random site.
Granted, I’m sure there may be a way to be infected via a flash backdoor, but I think all the ones that worked on OS X and Windows didn’t work on Linux. Someone correct me if I’m wrong here…
More on topic, I accidentally tapped on a suspicious link when I was reading my email on my Android tablet. Funny thing is, it redirected me to a .ru site, where it then proceeded to download a .apk file. Of course not being a complete idiot, I ran it through avast, and guess what, it was indeed a trojan.
I pretty much treat my Android devices like I do Windows. It may have the Linux kernel at heart, but the play store may as well be Cnet, when you download a program, you’ll probably get tons of adware from it. And with the permissions they usually ask you…
Yes, but real users do click on zip files in emails and load the contents all the time. Plus some software like Chrome, Firefox, Oracle Java, Adobe Reader and Flash runs on linux too. Browsers are the most common attack vector these days.
Most users I know click on everything that moves, blindly copy-paste stuff from forums and tend to run as root.
Ha, and they deserve what they get.
When I first started at my last job, one of the other guys that were on the Linux ‘team’ had SuSE 10 running on a spare computer so he could learn Linux. He was logged straight into the GUI with root, as was apparent by the giant red background with bombs on his screen saying “Don’t run as root.” I asked him why he did that, and his response, “because everything has to be ran as root anyhow.” I just shook my head and walked away. Needless to say, I got him off the team.
Almost every single response to an issue or a question on the Ubuntu forums is to blindly “try copying and pasting this command” which sometimes includes “enable this external repo” followed by “sudo apt-get… .” ArchLinux wiki is full of articles where people have placed commands for others to blindly run as root. There was a time when Fedora was big and many HOWTOs would have you disable SELinux as the first step for desktop use. To get a usable desktop CentOS/Scientific Linux system requires enabling external repositories, some of which still include software with bugs that haven’t been patched in years.
It comes down to the user, and their willingness to accept risk. Linux has been immune to this for awhile because all the software-chasing mouthbreathers stick to the Windows platform so they can brag about having 1000 (pirated) apps installed. Once the apps come over, so do the hordes of idiots and the increased threat of malware, as we have seen with Android.
But at least with the forum posts there will always be another response that says “don’t do that, it’ll hose your system” or “that worked for me as well.”
Only time forums are bad are when there are people trolling, but usually that isn’t the case.
Besides I wouldn’t say “Oh I copied and pasted some command a guy posted in a forum and it screwed my system up!” as a virus/adware/malware. different breed of things. It’s not really even the same equivalent of a phishing attack. It’s just trolls. You’re just as likely to find them in Windows support forums with registry keys.
We’re talking about downloading a .deb or .rpm that is malicious and having it installed without user interaction. Which pretty much doesn’t happen in Linux distributions. Unless you’re running your browser as root and you click on some page that has embedded php or something. I guess in theory that could work…
There are attack vectors where if you just copy-and-paste directly from the forum, you are actually copying more than what is visible.
I won’t show how it is done, you can easily find it.
Additionally, even if the user is running as they should in terms of authentication, a pwned application can do a lot of damage even if running as user.
Transforming a computer/mobile into a botnet node or making private data available to the world doesn’t need root.
This is true for running the download itself, but I think one should consider a broader range of execution forms.
The downloaded item could be input to something that actually runs.
For example an extension to a program (like a browser extension) does not have to be executable itself but can still perform things within the functionality limits exposed by the program’s scripting framework.
Which could very well include downloading capability, local file access and running child processes.
Even more problematic example are inputs to programs running with elevated permissions.
One easily overlooked example for this is the system’s package manager.
Unless it has been configured to only accept packages signed by specific keys, it would without hesitation run pre- and post-install hook scripts. As root!
Sure, running the package manager will usually require a password, but it would still be a viable attack vector for a trojan, i.e. something that can reasonably claim to have to be installed.
Of course it was a trojan… I don’t mean to pick at you (really I don’t) but why did you even bother passing it through Avast?
I would absolutely, under any and all circumstances, just delete such a file without thinking twice about it – I don’t even want to know what it was.
I didn’t explicitly ask for it, it came from an unknown source, it is an executable. No way it is going to get run on my system…
Just saying, you didn’t need any AV to confirm the obvious.
EDIT: On top of that, if you are running unmolested Android and you have not disabled the basic security protections the apk could not have executed anyway…
It may have had a trojan in it but it would not be effective unless you were configured to allow apps from unknown sources. I realize lots of people run Android that way (so they can sideload) but the point is with great power comes great responsibility…
People who don’t understand the implications of those settings should not mess with them. I absolutely refuse to “help” my newbie friends with sideloading – if they can’t figure it out by themselves there is no way it is a good idea…
EDIT AGAIN: Note to any Google devs out there. Please implement a 2-step system for enabling debugging and allowing apps from unknown sources. This is how it should work:
1. User changes setting on device.
2. Device asks for confirmation.
3. If confirmed, device displays a confirmation code and waits for ADB connection (use a modal dialog for this – if user cancels stop listening for connection)
4. In order to make the setting persistent the user must connect with ADB and enter the confirmation code.
That would eliminate at least 80% of the current problem right there – which is idiots reading “how to haxor your android” without the slightest clue of the potential damage they are opening themselves up to. At least this way being able to setup and use ADB would be a prerequisite…
Edited 2014-07-28 04:26 UTC
What, like it ran roughly half the entire Internet? Yeah, that’d be something.
Yeah just look at all that Linux malware that, uh…just look at it!
You realize that windows servers don’t typically have malware on them either right? Most infections are caused by user error.
There is some linux malware for servers though. http://thehackernews.com/2014/07/mayhem-new-malware-targets-linux-a…
No. Enlightened pc users simply don’t do the thoughtless/stupid things that allow their pc to get infected. And, enlightened pc users don’t fool themselves into thinking linux security is impenetrable.
Remember, Windows users may have a habit of clicking on anything, but Linux users have a habit of sudo’ing everything and are willing to copy&paste damn near anything into their shell. The biggest security risk factor is the users behavior, not the OS.
Thankfully it’s much harder to get malware onto Linux than Windows.
I’ll just leave this here..
http://www.geekzone.co.nz/foobar/6229
He creates a trojan and thinks it’s a virus. Bravo!
Well… I consider myself enlightened, but even then I use Windows without an A/V. It’s just that I use my brain when opening sites and files.
Well, I do have Microsoft Security Essentials running, but it has never caught a single virus or malware-app on my PC. I have no idea why you think that some tech-savviness and attention paid to what you’re doing is irrelevant nor do I understand why you seem to imply that everyone will get viruses and stuff unless they’re running AV-software.
There are plenty of very simple things one can do to avoid such stuff, like e.g. when downloading software downloading it from the original source instead of some download-aggregator site, avoiding pirated software or checking all the comments related to the torrent before running anything, using Flash-blockers and adblockers in browser so as to avoid fly-by-attacks, check where the links in your e-mails take you to and if you’re actually passing your login credentials to an authentic site, and so on and so forth. Basically, just pay some fucking attention to what you’re doing.
I could download any AV-software you might wish to point me at and none of them would find anything malicious on my PC, but then again, you probably would just cover your ears and go “LALALALALA!” about it.
The funny thing is the guy’s sarcasm backfired because it provides people good tips on how to avoid being infected; don’t visit shady parts of the net, download sketchy cracks, and use good ol’ common sense. So ironically, yes, doing those things will help keep your pc running just fine.
My guess would be the guy is just yapping BS for fun, or he’s one of those naive people who clicks on anything and then winds up with a negative result.
Windows 8.1 has Windows Defender (i.e. MSE) built into the OS now – there is no reason to install AV anymore. I mostly use OSX nowadays but I still have a gaming/HTPC rig with Windows on it that I use everyday. MSE is not the best AV around but does a fair job from what I have read.
I say “from what I have read” because I have never had it trigger anything but a false positive – in the years I have used it on my machines (going back to XP) it has never found a virus. That would be because I use common sense, don’t visit shady parts of the internet, and don’t download sketchy cracked programs and games…
The thing is most people who don’t know computers have some “windows expert” in their family that tells them to do stupid shit like run with admin privileges, turn off UAC, disable DEP, modify default permissions on executable files, etc. – things that basically break the little bit of security the OS actually has. Then they are surprised when their machine gets owned and it gets blamed on not running AV…
Having common sense and good hygiene is vastly more important than having good AV on an OS like Windows. AV is like a vaccine for a constantly mutating virus – it is certainly good to have “just in case”, but it is much much safer if you ALSO actively try and avoid exposure to infection and keep your immune system (UAC, DEP, etc.) healthy.
But we are talking about Android, and Android is not Windows. It implements cryptographic signing and it does not allow any form of executable code in data. If you get your apps from the appstore someone is already running AV for you… If you use the platform’s security features as they were intended, you simply don’t need AV – it serves no purpose at all.
Is either incredibly stupid or in bed with Microsoft and/or Apple. Android is great and getting better. Its open nature means users win. Too bad Apple and Microsoft can’t take a page out of Google’s play book and gee, I don’t know, actually give the users what they want.
What do the users want? Or, is it what you think they want?
My Android experience was not covered in roses. Why (for example) does a Solitaire App need virtually full access to the whole frigging system? It is not even networked.
Then there was the case of the Faceblock and Twatter apps. not only could you not stop them but you couldn’t delete them. Gee thanks Samsung.
Android is slowly, very slowly getting better but it has a long way to go. AV apps might not be needed but until some discipline (viz electric shocks to the developers private parts) on the permissions needed by apps is enforced then I’m staying well away from Android. Perhaps Google’s plan for Android uber control might tighten things up a tad but the jury is out on that one.
No, I’m not in the Apple or, heaven forbid, the Microsoft camp. I’ve reverted to an old Nokia 6310i. Does everything I need from a phone.
And no one in their right mind will steal it….
Ha, I’ve on occasion thought that I should just go back to using my Nokia N9 or N900 instead of the travesty that is Android. I did end up getting Avast on it, mainly ’cause with the Firewall it comes with (which you need to root your phone for) you can block whatever network access the apps want.
I really hate the way Android apps will at times just sit there in your memory, even when you’ve closed them all out, just so they can keep a timer going. It also seems that any Android game out there tries to nickel and dime you worse than any F2P game I’ve ever seen.
It doesn’t. Did you tap “Accept”? If you did not, where’s the problem?
Hitting ‘Accept’ is not the point. Far from it. Why does it even need to ask the question in the first place.
IMHO (and with 40+ years of software dev behind me), this is nothing but lazy programming. It seems the art of ‘Defensive Programming’ is dead and buried in the mobile App world.
Giving an app access to almost everything on the phone can allow a compromised update onto your phone. What happens then?
I didn’t accept it and the App wasn’t installed. It was just one more nail in the coffin that was my Android experience.
Because the application lists the permissions it requires and you are free to accept or decline those permissions. It helps users know what an application is likely to do. It helps users spot suspicious applications.
See? The system worked perfectly.
Why? Because security is bad? I don’t get it.
When was the last year you could install an anti virus program that, you know, scanned your system for viruses without scare pop-ups every 10 seconds, did not slow down your system and was easy to uninstall?
I’m guessing it didn’t begin with a 2…
I use Avast Anti-Virus, and generally speaking, it stays out of your way. Though lately they’ve been trying to push their “GrimeFighter” program…
It’s one of the better ones as far as not being a pig, and being able to uninstall it.
On the other hand, McAfee on my work Macbook pro… it randomly says it’s turned off, and then after a reboot, it’s back on.
MSE, Comodo IS, Avast Home. All are free, all meet your requirements, all are “clicky clicky” simple.
From testing all of them in the shop I’d rate Comodo the highest (have yet to have a customer running Comodo get infected and their sandbox is top notch) followed by avast and last place MSE which if you are a geek and just need an on demand scanner works fine for that task.
MSE does that out of the box. No pop-ups, and you can select a CPU usage limit which it won’t exceed, so it doesn’t bring your system to its knees whenever it’s running a scan. You can almost forget it’s actually installed…
“As I’ve been saying for years and years now, antivirus peddlers are the scum of the technology industry. ”
100% Agreed. Some easterner AV companies like the Romanian bitdefender are even accused of paying hackers for writing viruses so they can stay in business. Knowing the mindset of those people I don’t think it’s far from the truth.
As a technology company we have to tell our clients please use AV software if you don’t want your web/email accounts compromised, because if the case goes into court and they did not use any then guess who wins.
Nowadays most malware preys on human stupidity not mass exploitation like the old rpc, dcom exploits. OS-es are indeed way more secure than they were 10 years ago.
I think the problem with the android apps aren’t really that their appstore is malware ridden but the way the developers of legitimate apps try to make money on it through various background banners, surveys, adnetworks, redirects etc. which remain invisible for the average user. Once you push your IOS/Android phone’s traffic through an SSL stripping gateway and look into what it’s doing that rather bothers me than the fact that there are a few intentionally created remote access trojans somewhere in the appstore which will never make it on the top of any app lists so you never see them.
I read an article about that some devs for example put in 16MB large pictures as icons for the applications and shipped it out with that (purely bad design). Knowing how overpriced the mobile data plans are all over the world these apps which keep connecting and pushing out data about pretty much anything like usage stats, connection info, your status, gps location, chatlogs etc. can greatly increase your traffic.
I agree with RMS on the mobile technologies:
http://www.youtube.com/watch?v=uFMMXRoSxnA
I remember a really old story about Symantec doing the same.
Paying people to write viruses.
Edited 2014-07-28 10:57 UTC
>> Android is just as secure as iOS.
In the same sense, Windows is just as secure as Linux. Anyone saying otherwise has an agenda or is an av peddler. Right Thom?
Android, just like Windows, is secure as long as you’re not stupid. iOS is secure even if you are stupid. Unfortunately lots of people are stupid.
Too bad for you that the numbers simply do not support your assertion.
If you got proof of your assertion, let us know.
Can you not read your own source? Was it about 1200 per million app installs on android are potential malware? A low number, but on ios that number is within a rounding error of zero. When was the last time a malware app made it on the App Store?
So according to your google source, about 0.001% of app installs are malware and are able to penetrate Androids defences (partially due to user stupidity).
How many app installs are there per month on android? Well all the way back in 2012 google play had 1.5B app installs per month (http://techcrunch.com/2012/06/27/google-play/) so I think it’s safe to assume there are at least 2.5B per month 2 years later adding in growth and non play store installs.
2,500,000,000 * 0.00001 = 25,000 potential infections per month on Android.
How about on ios? Well in 2012 it seems they found the first instance of a malware app (http://www.wired.com/2012/07/first-ios-malware-found/). Since then there have been some proof of concept malware in research (http://www.theguardian.com/technology/appsblog/2013/aug/19/ios-malw…).
No evidence of any malware on the App Store that I know of. And given that it is almost impossible to install apps outside of the App Store on ios (unless you are a developer or jail broken), that means incidents of malware installs on ios are near as makes no difference to zero.
So, about 25,000 per month vs about 0 malware installs. Please explain again how both platforms are equally secure. Keep in mind that I said if you’re not an idiot Android is just as secure as ios. Trouble is that there are many idiots out there, and for them, ios is clearly more secure.
While that is true to a point, it is also unfair. What iOS implements isn’t just security, it is vendor mandated security. It doesn’t keep you from shooting yourself in the foot – what it does is take away your gun… That isn’t security, it is fascism applied to technology.
Android IS just as secure as iOS, as long as you don’t enable debugging. That is an important point to me, because unlike Linux and Windows, where there are like a million ways to shoot yourself in the foot, on Android there is literally only one way to do so. But unlike iOS that single boolean option lets you take control of your system back from the vendor if you want to.
So yeah, you can say iOS is secure even if you are stupid – and that is true to a point. But if saying that is true then it is also true to say that you never really own a system running iOS, Apple does – they are just nice enough to let you pay them to use it as they see fit…
Sure. The reason ios is more secure is because there is no easy way to run non App Store apps.
Some people don’t like that restriction, but it doesn’t change the fact that it takes out an entire class of threats (non reviewed apps).
Thom is so biased he doesn’t even acknowledge there’s a difference in malware infection rates between the two platforms.
I totally agree with you that ios only has less malware because it is more restrictive, but that is a legitimate and very common way to achieve security.
But that is a total red herring. There isn’t a difference in malware infection rates – not if you are comparing apples to apples. Unmolested Android devices are just as secure as unmolested iOS devices. The only malware they can run is malware signed by their respective appstore, and while that has happened occasionally in both appstores it is a pretty rare occurrence…
What your argument hinges on is that unlike Android, iOS doesn’t have a vendor supplied method of circumventing its security model. You make this out to be a good thing – it isn’t. In practice people do it anyway – it’s not like jailbreaking iOS devices is rocket science… Both platforms have the same security protections (for the most part) – just because one of them requires exploits to circumvent it doesn’t make it more secure – it simply makes it less capable for users that know what they are doing.
On Android, I can enable installation of unsigned apps, sideload some apps I know are safe, and then turn the setting back off. Try that on iOS (hint – you can’t do that).
Which is a more accurate reflection of reality? The demonstrable susceptibility of a platform to malware when running as intended, or some trumped up “report” from a vendor trying to peddle AV software? Fact is there is no more evidence of actual infection for Android when it is run with its intended security features enabled. The two platforms are both “secure” in pretty much exactly the same way. What’s the difference?
It’s not more restrictive, and it doesn’t have “less malware” – whatever that means… It’s actually more dangerous. iOS has no mechanism to let people do certain things with it that they find highly desirable – so they are forced to circumvent it to do so – and there is no safe way to do that. Android allows a user to be selective about it – you can circumvent it temporarily.
I will be the first to admit I think it is too easy to circumvent Android’s security – I wish it were a bit more complicated than just going into settings and flipping a bit… But not having that ability is way worse for security than it being too easy – if you are gauging security objectively and not as some marketing ploy to peddle AV software.
That’s not true at all. In order to enable Android to run non-app store software, you just have to disable a setting. Heck after the warning it even tells you exactly what to disable.
In iOS that setting does not exist. There is no way that a non-technical user can configure their device to run non-app store software.
Surely you understand the difference between something that is only 2 clicks away from something that takes real knowledge and a complicated process (jailbreaking)?
Yes the Apple App Store is about as secure as the Google Play Store. But running apps outside of that is a fundamental part of Android. That is good in that it allows alternate distribution, but it does increase the amount of malware installs. This is not up for debate, it’s a fact.
Windows is the same. You will get several warnings if you try to install unsigned software or software from unknown sources. But nothing is stopping an ignorant user from clicking “Ignore” or “Run anyway” on those prompts. Just like nothing is stopping an Android user from disabling that one setting and installing a malware APK.
It’s definitely a good thing for security. That should be abundantly obvious from the fact that there are basically zero malware installs on iOS.
That security comes at a price, and that price is freedom to install random software. But that is not the topic under discussion. The topic is security.
You’re confusing users. People who jailbreak are more likely to be techy users with some expertise. Those are not the people ignorant enough to fall for malware installs for the most part.
Think about it. Some naive user gets a text with a link to an APK and a promise that it will clean up their Android phone. On Android the website could easily instruct them to disable the protection setting and then install the APK.
On iOS there is no way that the website could trick them into jailbreaking their phones. The process is too complicated and error prone.
I never said trust the AV vendors. AV vendors are scum. But that doesn’t mean there is no validity to the claim that Android is more susceptible to malware. It is. Just not to the extent that AV vendors will try to claim.
The difference is in the idiot-proofing. Uninformed users ignoring warnings are the primary source of malware installs. Actual security bugs so severe they allow unintended drive-by installs are incredibly few and far between. Android does less idiot-proofing than iOS, so it has more malware.
Obviously it is. There is no way short of exploiting a security hole (or in an enterprise setting) to install software outside of an app store. That is restrictive by definition.
Please show me news stories or evidence of malware on iOS. We already have the numbers for Android, which is about 0.001% of app installs.
Again you are confused about who is typically infected by malware. It is not advanced users that are able to jailbreak. It is basic users who are easily tricked by silly malware tactics.
That kind of claim requires evidence. Please do provide some showing how more iOS devices are compromised in the wild due to their worse security.
Edited 2014-07-28 20:26 UTC
Scenario: You have an app you REALLY want to run on your device, but it is not distributed through the vendor’s app store.
Android: Enable installation of unsigned apps. Install app. Disable installation of unsigned apps.
iOS: Jailbreak. Install App. Now your device no longer validates signatures.
Which one is better for security?
So are people who tick off install from unknown source. I already conceded that I think it is a bit too easy to do so on Android, but I still would argue that having the option to do it selectively is better for security in the long run than not having the option at all…
If Android made the option more difficult for “newbs” to tick off, it would completely address your primary argument (it’s too easy for non-experienced users).
But on iOS, as long as jailbreaking is the only way to circumvent the security model, what you end up with is easily exploitable devices – you have to circumvent security permanently in order to install an unsigned app. That is not better for security in the long run.
I’m not really arguing – I get your point. But Android can be easily fixed. Apple seems to have no plans to “fix” iOS, because they don’t want to allow that usage model at all. Thing is users don’t care – they are going to do it anyway, whether Apple likes it or not.
Edited 2014-07-28 21:35 UTC
Again, we’re talking about malware. The people who are tech-savvy enough to jailbreak are not people that are fooled by links to “Download Angry Birdz nowz!”. So no, even if jailbreaking was the issue here, it doesn’t make you more susceptible to malware.
Also your scenario is purely theoretical. Perhaps a jailbroken iOS device is less secure in the hands of a techy user than Android (never mind that techy user probably would also root their Android phone), but you don’t have any evidence to support that.
It doesn’t take any technical expertise to disable a setting, so clearly that is incorrect.
Nice theory, but the evidence says otherwise. According to Thom’s source, malware installs still make up 0.001% of app installs on Android compared to ~0% on iOS. Doesn’t seem like a lot, but with billions of app installs a month it ends up with quite a few malware installs.
Sure. They should hide it in developer options. Doesn’t change the current situation though.
A jailbroken device is not easily exploitable. It would still require users to willfully download and install a compromised app. It does not open users to those apps being installed without their consent. And the people that are jailbreaking aren’t the people getting malware for the most part. The security strategies (sandboxing, address randomization, etc) remain, just the idiot proofing was removed.
Agreed, it’s a design decision not a bug that they will ever fix. But there’s also no evidence that their design decision leads to security problems, and strong evidence that it eliminates a large source of security problems (malware installed through user error).
Edited 2014-07-28 23:08 UTC
This is becoming tedious, so I will leave it at this:
There is absolutely no evidence at all that iOS has a 0% malware infection rate when you include jailbroken devices. Such a statement is obviously false, because there are at least 11 iOS malware/trojans/virus known to infect jailbroken iOS devices that have been found in the wild. Someone obviously can be infected or we wouldn’t know about their existence…
Except that’s not how it works at all. You’re missing several crucial protection mechanisms here. When a user downloads a random APK, she first gets a dialog warning that the application cannot be installed. She can enable installations from unverified sources, but the dialog warns this is a security risk. Then, when she actually removes the checkmark, another warning dialog pops up.
If she then goes back to the APK and tries to install it again, Google will scan the APK before an actual installation takes place. If the application is malicious, it is blocked, and will not install. On top of that, even applications that are already installed are checked periodically to make sure their behaviour isn’t malicious. This checking mechanism is, of course, upgraded and tweaked continuously.
So no, it’s not as easy as just enabling unverified sources.
You’re misinterpreting these numbers, mostly because I myself have been doing the same thing (ha! I’m an idiot). The 0.001% figure isn’t the amount of installations that actually manage to penetrate Android’s runtime defense (and thus cause harm), but only the ones that *attempt* to do so. That is a huge difference that I never even noted before.
How many of them actually succeed at said evasion is unclear – and not mentioned by Google. It’s obviously a lot less than said 0.001%, of course, because otherwise Android’s runtime defenses are pointless.
(the full presentation where all this data is from: http://goo.gl/7xZ4cd )
It should also be noted that – in true Google fashion – all of this is done automatically with algorithms and shit that get smarter the more work it does. In other words, in the years since that presentation, the system will have gotten better.
That security expert whose story was posted here last week who lied about Apple security!
Big square ad underneath this story while I’m reading it: McAfee AV.
🙂
At least it was relevant.
My best example is one from many, many years ago.
A Yahoo article about a burned-down house, in which the family with an infant child died, was accompanied by an ad selling CD burners with the text: burn, baby, burn!
The problem is that being in the anti-virus software industry is just a bad business.
Virus variants can be created by the push of a button and spread around the world in seconds or minutes.
Anti-virus companies don’t really have a good solution other than to blacklist the files or parts of files they do know are bad, but they have to have a copy of it first.
Obviously they cannot create a whitelist and only rely on that.