
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Charlie Miller on Android vs iOS security

By | October 21, 2011, 11:51am PDT

Summary: Well-known security researcher Charlie Miller rates the security of the two dominant mobile OSes and finds a winner.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

22
Comments

1) unified, integrates updates of OS for all iOS devices 2.5 years; unfortunately, for now Android base is very fragmented due to dependence of updates on both carriers and/or smartphone manufacturers;

2) curated AppStore makes significant difference when statistics on malware is tracked by security firms. For Android, curated Amazon store provides more secure environment, but it is not default store and quantity of application there is way less than less secure Android Market, let alone Apple's App Store.

So, for now, security is better for iOS/iOS platform in these two dimensions.
0 Votes
@DeRSSS

In order to use Amazon you have to enable alternative sources, which also enables that option for trojans.

It's all or nothing.
@bannedagain Well, kind of.
Are you suggesting that the trojan would come from the Amazon store? Or the user would not know better than to go to shadier sources? Or that the trojan would somehow sneak in undetected?
@radleym

No. The trojan must not come from Amazon. To use the Amazon Store, you need to tell the phone to accept non-Google sources for applications, which means that malware from other sources could also, possibly be loaded.

Of course, as you say, the user would have to go to some shadier place - or maybe fall foul of a drive-by download on a website...

Opening other sources isn't in and of itself a problem, but there is some responsibility on the part of the user - most of whom have no understanding of the problems or security - and an increased security risk.
@bannedagain

Uh, no. Each app is still individually sandboxed. Users still have to choose to explicitly permit apps afterward. As far as the concept of giving users a choice and then locking them into that choice... It's at the very least... counter-intuitive.
@DeRSSS
People like to forget that Google Android is inherently spyware. Google "gives away" Android in order to accumulate more data on their users for their internal profiles. This is the definition of spyware.

Amazon has now modified Android for the Kindle so that they get the data on users, not Google. I would still trust Amazon more since their business model is to sell products, not their users.
0 Votes
@jorjitop It is for advertising target and the data is never sold on the user, you guys playing this card like Apple's ad service doesn't do this cracks me up!

Bottom line, Android is not spyware, it is a marketing tool but hey, if you don't think credit or debit card companies and banks aren't doing this every time you swipe that card then you're high!
0 Votes
So, Android is less secure because you have choice. I think I can live with that trade-off.
@cabdriverjim of curating the android store. Amazon does a much better job.

I use Andork...but only cause I'm a geek that doesn't want to go with Apple.
0 Votes
RE: Charlie Miller on Android vs iOS security
Peter Perry Updated - 22nd Oct
@cabdriverjim That is only part of what he was saying... The other part is the lack of ASLR and DEP which helps prevent the infection... Android's Sandbox is much more restrictive but like he said, it leaves security to the user and it only contains the infection but doesn't really prevent it.

For the record, Apple never used this security in depth until OS X Lion on their computers and these are much larger targets.

Another note, these features and the aesthetics of the Apple system make the base OS easily 10x larger.

So, bottom line, there are benefits to iOS but most people take offense at being told how to play with their toys !
0 Votes
Privacy vs Security
sj2@... 21st Oct
Dr Miller makes a good point about address space randomization but I don't really buy his other points. For the regular user, a handset or service provider can lock them in a walled garden of apps that is tightly controlled. Android allows that option. Similarly, because Android is open, a vendor can write security software that sinks its teeth deep into the OS internals. You cannot do that with iOS because Apple won't let you.

Then there is the issue of privacy. Again, you can write apps for Android that will scrub personal info before passing it on to an app. With iOS, you don't have a choice. You either accept Apple's privacy stance or you don't use iOS.

I am surprised Dr. Miller did not put these choices in the right context. By his logic that Android is less secure by being open, Linux should have been the least secure OS and Ubuntu/Fedora repos would have been filled with malware.
Yes, Apple's standing between the bad guys' apps and the iPhones and iPads. But Apple's woefully untested when it comes to providing security under mounting pressure. They've never had to do it before because they've never had the kind of market share that attracts that kind of attention.

People merely ASSUME that Apple is catching all the trojan-bearing apps that are presented to Apple for appraisal, and the media is so infatuated with Apple and its stock value that nobody ever bothers to seek the actual story behind why Apple suddenly pulls apps from their store for no apparent reason and with no explanation forthcoming. It's as if some folks have gotten the idea into their head that a company that makes perfect-looking gadgets must be as perfect as their products seem to be. For me, it all comes down to one fact - Apple is far too secretive, closed to outside scrutiny, inexperienced and rampantly authoritarian to be trusted to the extent that the world can simply assume that the apps in their store are unquestionably safe for use.

Apple's very good at creating and marketing the feeling of 'bliss'. That's the secret of their success. But if you live long enough, you eventually learn that perpetual bliss eventually makes you ignorant, and perpetual ignorance makes you vulnerable to all manner of exploitation by the people who now have you by your shiny puppet strings. What happens to this ill-advised trust that Apple enjoys if it were ever discovered that many of Apple's apps were not nearly as malware-free as people assumed they were and that Apple spent time deliberately seeking to hide the fact from the world? After all, the media is encouraging people and businesses to put all their eggs in one expensive basket owned and exclusively controlled by a company that obviously desires to have its own way at all cost and not be accountable to anyone. Where do you run to...when there's nowhere to run to?
0 Votes
@eMJayy
Apple has a small percentage of the market...ummm not in smartphones & mobile devices. So if your theory is true Apple should have more issues with malware in the mobile arena...they don't.
Your argument boils down to Apple pulls apps so they are lying to everyone. Apple has no experience in anything! Even though Apple has been in the hardware, software & platform building business for over 30 years. Google on the other hand seems to be a better fit for your conspiracy theory: They collect your data & sell it to make money. They have almost no experience to speak of in platform security, hardware design/engineering, platform building, UI design, Customer support/ relations, etc. etc., etc. You have no facts to back up any of your arguments. So Apple pulls apps that may be malicious? If they do why is that bad? So you don't think Google is doing this? They are, they are just doing a poor job & using the excuse of being open to pacify users like yourself & you buy it with pride. Truth is the market has room for both business models. Truth is there is competition. You've made your choice. What is the issue?
@eMJayy You're absolutely right! By my last count, a good third of the apps in Apple's App Store are actually malware. It's a conspiracy to hide them all and the users are in on it! Where do you run to when there's nowhere to run to? You don't! So Stand And Fight! Put on your tin foil hats my brothers and FIGHT the evil menace that is Apple! Google has our backs! They have all of our personal info, email, documents, and everything we've ever searched for since the age of 12, so let's hope they have our backs at least!
0 Votes
720 malware threats for Android
marthill Updated - 21st Oct
720 Android malware apps vs zero for iOS (McAfee 2011 Q2 Threat Report)

When you can't even trust the Apps in Google's own Marketplace won't pown our phone, turn it into a botnet zombie or send premium rate SMS text messages, that's too high a level of paranoia needed for my liking.
0 Votes
@marthill Google doesn't police their market like that... I support this approach because there is 0 chance that your Rejected App ends up being part of the company's next OS without your consent!

See, both sides have their issues.

Oh and Apple will not open their system but they require App developers to.
0 Votes
@Peter Perry
If other developers can copy your app & add malware & upload that app to Android's marketplace how is that better for anyone?

Oh and Apple will not open their system but they require App developers to.
How? Google isn't as open as you think.
0 Votes
Basically all systems have minuses and pluses in the security arena. However, if I was an IOS user I would not crow too loud when your system can be broken into with a refrigerator magnet!!!
0 Votes
Android is fragmented just as Linux is, however iOS is a monolith and the biggest bang for the buck just as Windows is on desktops. Does a malware author have any incentive to write code to compromise a fragmented market?
...So that's one criticism addressed (pun intended!)
0 Votes
I love it!
YetAnotherBob 28th Oct
So, this article is about a 'security expert' who says that iOS is so much safer than Android.

And, get this. The guy's claim to fame is that he can remotely break into iOS devices very quickly.

It's really just too funny!
0 Votes
RE: Charlie Miller on Android vs iOS security
IntegoMacSecurity Updated - 4th Nov
Malware can flow through the iPhone or iPad to other computers that you share files with. So a malware scanner is recommended even for iOS devices.
