Schneier on iPhone security

Schneier on iPhone security

Summary: Smartphones to become the primary platform of attack for cybercriminals.


Bruce Schneier, world renowned security technologist and author, has posted his thoughts on smartphone security.

Schneier believes that 'smart phones are going to become the primary platform of attack for cybercriminals in the coming years,' because as they become more and more integrated into our lives they will 'become the most valuable device for criminals to go after.'

But what about the iPhone? Surely that's safe because of Apple's stringent App Store policies? Schneier doesn't think so:

And I don't believe the iPhone will be more secure because of Apple's rigid policies for the app store.

It makes sense.

There's be not central 'App Store' for Windows PCs, yet malware has flourished. Malware makes its way to a PC primarily via the web and email, and both these conduits are available in the iPhone and other smartphones. The simple fact that we've seen jailbreak exploits for iOS that can be done via the Safari browser should be enough proof for those who are in any doubt of this.

Having a well curated repository for downloads is only part of the defense against malware.

People hold an ever-increasing amount of data on their smartphones, and the bad guys want access to it.


Topics: Security, Mobility, Smartphones

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Schneier on iPhone security

    The app store security angle is somewhat of a red herring. The App Store walled garden concept IS more secure - an opinion cited by numerous other "world renowned experts". (Even if Charlie Miller was able to upload a malware proof of concept app successfully, his example of infecting the Apple app store is a rare example to date of a lapse in Apple's over sight app review process.)

    However, iOS is NOT inherently more secure than other mobile operation systems and malware is malware, after all.

    If an iPhone user is surfing the web and decides to download an malware invested app from some cite or agrees to supply personal financial information to a malicious online source, well, one shouldn't be surprised at the outcome.
  • Safety trumps security

    Quoted in the article from Bruce Schneier:<br>"And I dont believe the iPhone will be more secure because of Apples rigid policies for the app store.<br><br>A recent analysis of worldwide smartphone market share shows Android at approx. 52% with the iPhone following at approx. 15%:<br><br> <a href="" target="_blank" rel="nofollow"></a><br><br>Market share dominance alone will help the malware miscreants to stay focused on Android-based devices. This is independent of Google's failure to vet apps in the Android Market and the failure of a sizable subset of Android device mfrs and carriers to keep their customers smartphones up to date with security patches via updates or upgrades. These two failures are mere gifts to the malware miscreants who have yet to take advantage of the latter, the large number of unpatched Android devices.<br><br>Android is well on its way to becoming dominant in the global smartphone market, the Microsoft Windows equivalent of the desktop market. Apple iOS-based devices will likely remain relatively unscathed as Mac OS X PCs have in the desktop PC market dominated by Microsoft Windows.
    Rabid Howler Monkey
    • RE: Schneier on iPhone security

      @Rabid Howler Monkey
      Except that the installed base for iOS is 250 million versus 190 million for Android (only 17 million iPhones sold in first 2 years so the majority of that 250 million are still active).

      Despite this, Android suffers from 720 malware apps and malicious exploits according to MacAfee's May 2011 Threat Report versus zero for iOS.
      • RE: Schneier on iPhone security

        @marthill Well that report is in error IOS has had malware
      • RE: Schneier on iPhone security

        @mrlinux<br>Please tell us what malicious apps exist for non-jail broken iOS devices? There are none because Apple has kept them out of the App Store unlike the Android Marketplace which has hosted hundreds of malware apps which have affected millions of users. (there are also tens of thousands of spamware apps in the Android Marketplace that make things even worse for Android users)<br><br>In a similar way non-jail broken iOS devices are not suffering from hundreds of malicious exploits unlike Android. Yes there have been jailbreaks using particular vulnerabilities that users have had to consciously implement on their phones by jumping through some pretty major hoops. The few web-page drive-by jailbreaks have been rapidly patched by Apple so that malicious exploits haven't had any time to appear or affect any significant number of users due to Apple's excellent software update architecture.<br><br>You cannot of course count vulnerabilities that Apple quickly patches as it is the malware apps or malicious exploits that actually do the damage.
      • RE: Schneier on iPhone security

        Well well, wouldn't you know. McAfee has just released their Q3 Threat Report and EVERY instance of new malware released targets Android with the previous leader in malware, Symbian, not even seeing a single new malware app or exploit.

        And of course iOS saw zero malware apps or exploits. All this despite the installed base for Android devices being smaller than iOS.
  • my 2 cents

    If only the author of this article had put in 1 cents worth of effort instead of just copying crap.

    If i had a nickel for every time someone made up some horse crap about apple and was wrong i'd be a billionaire. Actually a penny would STILL make me a billionaire.

    So after 26 years of using macs and there is no major malware problem im supposed to believe that NOW iphone is going to be a GIANT malware magnet.

    I'll just take my nickle now.
  • Email and web malware only works if you can side-load apps

    "Malware makes its way to a PC primarily via the web and email, and both these conduits are available in the iPhone and other smartphones."

    No, these conduits are not nearly as available to the iPhone because the vast majority of these types of malware are Trojan programs and virus programs that need to be downloaded and run on the device. ??Apple does not allow apps to be downloaded and run from either email or web, nor does Apple support Flash malware or Java malware within the browser. ??

    About the only potential vector is JavaScript and AJAX malware in the browser, but Apple has aggressive sandboxing of all apps including browser and email to stop such web apps from getting access beyond the browser itself.

    Yes web and email vectors can be exploited through vulnerabilities in a browser or email app, but those vulnerabilities can be quickly patched with Apple's vastly superior automatic system update architecture that isn't hamstrung by carriers and device manufacturers dragging their feet for months or years.

    In contrast, PCs and Android phones don't stop users from downloading and running Trojan apps or viruses which are what do the most damage and which are a far more difficult vector to shut down with security patches or AV software as they don't require vulnerabilities be discovered to do damage due to side-loading and lack of sandboxing.

    It has been 4.5 years since the iPhone was first released and less than 2 years since Android really started to pick up steam, yet it is Android that has 720 malware apps and exploits not iOS. ??The facts speak for themselves.
    • RE: Schneier on iPhone security

      @marthill That is incorrect, going to a website and automatically jail breaking the phone proves malware is possible by going to a website on IOS.
      • Yup, iOS is not flawless

        @mrlinux by conscious intent, users can break the supplied security features. Some of these COULD be drive-by attacks, but Apple of course plugs them as quickly as possible. Most survive for only a few days.

        Apple users are high-value targets: all the surveys show higher-income, higher usage, higher-wealth demographics for the iPhone. The dramatic lack of malware on iOS is related to how few opportunities Apple allows versus Android. If opportunity were the issue, there would be little malware on Android and lots on Apple.

        So what will change the status quo? Apple could give up on its strenuous efforts to guard its users from malware, or its efforts to channel usage through apps could falter, incensing more users to go to infected websites instead of pre-approved apps. Neither seem likely: in fact, efforts like Siri provide even more intermediation between users and malware, making it HARDER for malware types to get a foothold.

        What is theoretically possible is not of much interest if it only happens to 0.0001% of users. More interesting what users can do to protect themselves without undue expense and energy, and Apple fans would have an easy answer to that.
      • RE: Schneier on iPhone security

        You didn't read my post above:
        "Yes web and email vectors can be exploited through vulnerabilities in a browser or email app, but those vulnerabilities can be quickly patched with Apple's vastly superior automatic system update architecture that isn't hamstrung by carriers and device manufacturers dragging their feet for months or years."
  • Android Apps Are Sandboxed

    Each Android app has to declare in its manifest which permissions it needs (e.g. network access, services that "cost you money" etc--more details here The user is shown these when they select the app from the Google Android Market, and presumably other market apps do the same. So they see what the app wants permission to do even before it is downloaded and installed.

    Trouble is, users have been acclimated to "confirmation fatigue" from all the alerts that tend to pop up on Windows, so they have a habit of agreeing to everything. This is exacerbated by the display of long, tedious EULAs that also require confirmation, and also by some Android app vendors demanding more permissions than they actually need. The last particularly happens with apps created by the handset makers themselves.

    All these are bad habits that need to be broken.
  • RE: Schneier on iPhone security

    I know that it generally is not a great idea to do anything of significance on the web while, say, at Starbucks via ATT. But, let's say I decide to do something involving an important password in this context. In this regard, what are the relative risks, with firewall on, of:

    a. signing onto ATT wireless using a new Mac portable running Lion and Chrome and proceeding;
    b. doing a., but by bluetooth "tethering" from an iPhone (OS 5) to the Mac;
    c. doing a., but using a cable to do the tethering.

    Also, what are the relative risks of someone actually infiltrating the Mac under the 3 above scenarios?