Charlie Miller on Android vs iOS security
Summary: Well-known security researcher Charlie Miller rates the security of the two dominant mobile OSes and finds a winner.
Here's a really interesting video where Accuvant researcher Charlie Miller (of Pwn2Own fame) discusses the security postures of Android and iOS and comes to the conclusion that iOS is a much more secure mobile operating system.
Talkback
RE: Charlie Miller on Android vs iOS security
2) curated AppStore makes significant difference when statistics on malware are tracked by security firms. For Android, curated Amazon store provides more secure environment, but it is not default store and quantity of applications there is way less than less secure Android Market, let alone Apple's App Store.
So, for now, security is better for iOS/iOS platform in these two dimensions.
RE: Charlie Miller on Android vs iOS security
In order to use Amazon you have to enable alternative sources, which also enables that option for trojans.
It's all or nothing.
RE: Charlie Miller on Android vs iOS security
Are you suggesting that the trojan would come from the Amazon store? Or the user would not know better than to go to shadier sources? Or that the trojan would somehow sneak in undetected?
RE: Charlie Miller on Android vs iOS security
No. The trojan must not come from Amazon. To use the Amazon Store, you need to tell the phone to accept non-Google sources for applications, which means that malware from other sources could also, possibly be loaded.
Of course, as you say, the user would have to go to some shadier place - or maybe fall foul of a drive-by download on a website...
Opening other sources isn't in and of itself a problem, but there is some responsibility on the part of the user - most of whom have no understanding of the problems or security - and an increased security risk.
RE: Charlie Miller on Android vs iOS security
Uh, no. Each app is still individually sandboxed. Users still have to choose to explicitly permit apps afterward. As far as the concept of giving users a choice and then locking them into that choice... It's at the very least... counter-intuitive.
RE: Charlie Miller on Android vs iOS security
People like to forget that Google Android is inherently spyware. Google "gives away" Android in order to accumulate more data on their users for their internal profiles. This is the definition of spyware.
Amazon has now modified Android for the Kindle so that they get the data on users, not Google. I would still trust Amazon more since their business model is to sell products, not their users.
RE: Charlie Miller on Android vs iOS security
Bottom line, Android is not spyware, it is a marketing tool but hey, if you don't think credit or debit card companies and banks aren't doing this every time you swipe that card then you're high!
RE: Charlie Miller on Android vs iOS security
But you have to agree Google has done a poor job.
I use Andork...but only 'cause I'm a geek that doesn't want to go with Apple.
RE: Charlie Miller on Android vs iOS security
Privacy vs Security
Then there is the issue of privacy. Again, you can write apps for Android that will scrub personal info before passing it on to an app. With iOS, you don't have a choice. You either accept Apple's privacy stance or you don't use iOS.
I am surprised Dr. Miller did not put these choices in the right context. By his logic that Android is less secure by being open, Linux should have been the least secure OS and Ubuntu/Fedora repos would have been filled with malware.
RE: Charlie Miller on Android vs iOS security
People merely ASSUME that Apple is catching all the trojan-bearing apps that are presented to Apple for appraisal, and the media is so infatuated with Apple and its stock value that nobody ever bothers to seek the actual story behind why Apple suddenly pulls apps from their store for no apparent reason and with no explanation forthcoming. It's as if some folks have gotten the idea into their head that a company that makes perfect-looking gadgets must be as perfect as their products seem to be. For me, it all comes down to one fact - Apple is far too secretive, closed to outside scrutiny, inexperienced and rampantly authoritarian to be trusted to the extent that the world can simply assume that the apps in their store are unquestionably safe for use.
Apple's very good at creating and marketing the feeling of 'bliss'. That's the secret of their success. But if you live long enough, you eventually learn that perpetual bliss eventually makes you ignorant, and perpetual ignorance makes you vulnerable to all manner of exploitation by the people who now have you by your shiny puppet strings. What happens to this ill-advised trust that Apple enjoys if it were ever discovered that many of Apple's apps were not nearly as malware-free as people assumed they were and that Apple spent time deliberately seeking to hide the fact from the world? After all, the media is encouraging people and businesses to put all their eggs in one expensive basket owned and exclusively controlled by a company that obviously desires to have its own way at all cost and not be accountable to anyone. Where do you run to...when there's nowhere to run to?
RE: Charlie Miller on Android vs iOS security
Apple has a small percentage of the market...ummm not in smartphones & mobile devices. So if your theory is true Apple should have more issues with malware in the mobile arena...they don't.
Your argument boils down to Apple pulls apps so they are lying to everyone. Apple has no experience in anything! Even though Apple has been in the hardware, software & platform building business for over 30 years. Google on the other hand seems to be a better fit for your conspiracy theory: They collect your data & sell it to make money. They have almost no experience to speak of in platform security, hardware design/engineering, platform building, UI design, customer support/relations, etc., etc., etc. You have no facts to back up any of your arguments. So Apple pulls apps that may be malicious? If they do, why is that bad? So you don't think Google is doing this? They are; they are just doing a poor job & using the excuse of being open to pacify users like yourself & you buy it with pride. Truth is the market has room for both business models. Truth is there is competition. You've made your choice. What is the issue?
RE: Charlie Miller on Android vs iOS security
720 malware threats for Android
RE: Charlie Miller on Android vs iOS security
See, both sides have their issues.
Oh and Apple will not open their system but they require App developers to.
RE: Charlie Miller on Android vs iOS security
If other developers can copy your app & add malware & upload that app to Android's marketplace how is that better for anyone?
Oh and Apple will not open their system but they require App developers to.
How? Google isn't as open as you think.
RE: Charlie Miller on Android vs iOS security
I go with the market malware theory
Ice Cream Sandwich does ASLR (poss. DEP)