Hardware 2.0

Adrian Kingsley-Hughes

Schneier on iPhone security

By Adrian Kingsley-Hughes | November 25, 2011, 5:23am PST

Summary: Smartphones to become the primary platform of attack for cybercriminals.

Bruce Schneier, world-renowned security technologist and author, has posted his thoughts on smartphone security.

Schneier believes that ‘smart phones are going to become the primary platform of attack for cybercriminals in the coming years,’ because as they become more and more integrated into our lives they will ‘become the most valuable device for criminals to go after.’

But what about the iPhone? Surely that’s safe because of Apple’s stringent App Store policies? Schneier doesn’t think so:

And I don’t believe the iPhone will be more secure because of Apple’s rigid policies for the app store.

It makes sense.

There’s been no central ‘App Store’ for Windows PCs, yet malware has flourished. Malware makes its way to a PC primarily via the web and email, and both these conduits are available on the iPhone and other smartphones. The simple fact that we’ve seen jailbreak exploits for iOS that can be carried out via the Safari browser should be enough proof for anyone who is in any doubt of this.

Having a well curated repository for downloads is only part of the defense against malware.

People hold an ever-increasing amount of data on their smartphones, and the bad guys want access to it.

Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

13
Comments

RE: Schneier on iPhone security
kenosha77a 25th Nov
The app store security angle is somewhat of a red herring. The App Store walled garden concept IS more secure - an opinion cited by numerous other "world renowned experts". (Even if Charlie Miller was able to upload a malware proof of concept app successfully, his example of infecting the Apple app store is a rare example to date of a lapse in Apple's oversight app review process.)

However, iOS is NOT inherently more secure than other mobile operating systems and malware is malware, after all.

If an iPhone user is surfing the web and decides to download a malware-infested app from some site or agrees to supply personal financial information to a malicious online source, well, one shouldn't be surprised at the outcome.
0 Votes
Safety trumps security
Rabid Howler Monkey Updated - 25th Nov
Quoted in the article from Bruce Schneier:
"And I don't believe the iPhone will be more secure because of Apple's rigid policies for the app store."

A recent analysis of worldwide smartphone market share shows Android at approx. 52% with the iPhone following at approx. 15%:

http://articles.businessinsider.com/2011-11-15/tech/30400455_1_ios-iphone-smartphone-market

Market share dominance alone will help the malware miscreants to stay focused on Android-based devices. This is independent of Google's failure to vet apps in the Android Market and the failure of a sizable subset of Android device mfrs and carriers to keep their customers' smartphones up to date with security patches via updates or upgrades. These two failures are mere gifts to the malware miscreants who have yet to take advantage of the latter, the large number of unpatched Android devices.

Android is well on its way to becoming dominant in the global smartphone market, the Microsoft Windows equivalent of the desktop market. Apple iOS-based devices will likely remain relatively unscathed as Mac OS X PCs have in the desktop PC market dominated by Microsoft Windows.
0 Votes
@Rabid Howler Monkey
Except that the installed base for iOS is 250 million versus 190 million for Android (only 17 million iPhones sold in first 2 years so the majority of that 250 million are still active).

Despite this, Android suffers from 720 malware apps and malicious exploits according to McAfee's May 2011 Threat Report versus zero for iOS.
0 Votes
@marthill Well, that report is in error; iOS has had malware.
0 Votes
RE: Schneier on iPhone security
marthill Updated - 26th Nov
@mrlinux
Please tell us what malicious apps exist for non-jailbroken iOS devices? There are none because Apple has kept them out of the App Store unlike the Android Marketplace which has hosted hundreds of malware apps which have affected millions of users. (There are also tens of thousands of spamware apps in the Android Marketplace that make things even worse for Android users.)

In a similar way non-jailbroken iOS devices are not suffering from hundreds of malicious exploits unlike Android. Yes there have been jailbreaks using particular vulnerabilities that users have had to consciously implement on their phones by jumping through some pretty major hoops. The few web-page drive-by jailbreaks have been rapidly patched by Apple so that malicious exploits haven't had any time to appear or affect any significant number of users due to Apple's excellent software update architecture.

You cannot of course count vulnerabilities that Apple quickly patches as it is the malware apps or malicious exploits that actually do the damage.
0 Votes
@mrlinux,
Well well, wouldn't you know. McAfee has just released their Q3 Threat Report and EVERY instance of new malware released targets Android with the previous leader in malware, Symbian, not even seeing a single new malware app or exploit.

And of course iOS saw zero malware apps or exploits. All this despite the installed base for Android devices being smaller than iOS.
0 Votes
my 2 cents
rsmurf 25th Nov
If only the author of this article had put in 1 cent's worth of effort instead of just copying crap.

If I had a nickel for every time someone made up some horse crap about Apple and was wrong I'd be a billionaire. Actually a penny would STILL make me a billionaire.

So after 26 years of using Macs and there is no major malware problem I'm supposed to believe that NOW iPhone is going to be a GIANT malware magnet.

I'll just take my nickel now.
0 Votes
"Malware makes its way to a PC primarily via the web and email, and both these conduits are available in the iPhone and other smartphones."

No, these conduits are not nearly as available to the iPhone because the vast majority of these types of malware are Trojan programs and virus programs that need to be downloaded and run on the device. Apple does not allow apps to be downloaded and run from either email or web, nor does Apple support Flash malware or Java malware within the browser.

About the only potential vector is JavaScript and AJAX malware in the browser, but Apple has aggressive sandboxing of all apps including browser and email to stop such web apps from getting access beyond the browser itself.

Yes web and email vectors can be exploited through vulnerabilities in a browser or email app, but those vulnerabilities can be quickly patched with Apple's vastly superior automatic system update architecture that isn't hamstrung by carriers and device manufacturers dragging their feet for months or years.

In contrast, PCs and Android phones don't stop users from downloading and running Trojan apps or viruses which are what do the most damage and which are a far more difficult vector to shut down with security patches or AV software as they don't require vulnerabilities be discovered to do damage due to side-loading and lack of sandboxing.

It has been 4.5 years since the iPhone was first released and less than 2 years since Android really started to pick up steam, yet it is Android that has 720 malware apps and exploits not iOS. The facts speak for themselves.
0 Votes
@marthill That is incorrect, going to a website and automatically jailbreaking the phone proves malware is possible by going to a website on iOS.
0 Votes
Yup, iOS is not flawless
WaltFrench@... 25th Nov
@mrlinux by conscious intent, users can break the supplied security features. Some of these COULD be drive-by attacks, but Apple of course plugs them as quickly as possible. Most survive for only a few days.

Apple users are high-value targets: all the surveys show higher-income, higher usage, higher-wealth demographics for the iPhone. The dramatic lack of malware on iOS is related to how few opportunities Apple allows versus Android. If opportunity were the issue, there would be little malware on Android and lots on Apple.

So what will change the status quo? Apple could give up on its strenuous efforts to guard its users from malware, or its efforts to channel usage through apps could falter, incensing more users to go to infected websites instead of pre-approved apps. Neither seem likely: in fact, efforts like Siri provide even more intermediation between users and malware, making it HARDER for malware types to get a foothold.

What is theoretically possible is not of much interest if it only happens to 0.0001% of users. More interesting is what users can do to protect themselves without undue expense and energy, and Apple fans would have an easy answer to that.
0 Votes
@mrlinux
You didn't read my post above:
"Yes web and email vectors can be exploited through vulnerabilities in a browser or email app, but those vulnerabilities can be quickly patched with Apple's vastly superior automatic system update architecture that isn't hamstrung by carriers and device manufacturers dragging their feet for months or years."
0 Votes
Each Android app has to declare in its manifest which permissions it needs (e.g. network access, services that "cost you money" etc--more details here http://developer.android.com/guide/topics/manifest/permission-element.html). The user is shown these when they select the app from the Google Android Market, and presumably other market apps do the same. So they see what the app wants permission to do even before it is downloaded and installed.

Trouble is, users have been acclimated to "confirmation fatigue" from all the alerts that tend to pop up on Windows, so they have a habit of agreeing to everything. This is exacerbated by the display of long, tedious EULAs that also require confirmation, and also by some Android app vendors demanding more permissions than they actually need. The last particularly happens with apps created by the handset makers themselves.

All these are bad habits that need to be broken.
0 Votes
I know that it generally is not a great idea to do anything of significance on the web while, say, at Starbucks via ATT. But, let's say I decide to do something involving an important password in this context. In this regard, what are the relative risks, with firewall on, of:

a. signing onto ATT wireless using a new Mac portable running Lion and Chrome and proceeding;
b. doing a., but by bluetooth "tethering" from an iPhone (OS 5) to the Mac;
c. doing a., but using a cable to do the tethering.

Also, what are the relative risks of someone actually infiltrating the Mac under the 3 above scenarios?
