Is Apple’s Jab at Android Security Valid, or Just Sabre Rattling?
Apple’s Phil Schiller recently posted a tweet aimed squarely at Android users: “Be safe out there”, followed by a link to F-Secure’s latest Mobile Threat Report. That was last week and the talking-heads are already on a roll. Some are claiming vindication, even going as far as saying that Apple has won the war. Others have retaliated against Schiller saying tweet was uncalled for.
The source behind the tweet is really at the meat of the issue. It’s a 34-page .PDF that outlines the mobile threats in the world today. That report, too, has received quite a bit of coverage in the news and tech blogs, with advocates on both sides arguing for and against their favorite platform and why it’s better than the other guys’ platform..
“In the fourth quarter alone, 96 new families and variants of Android threats were discovered.”
The report goes on to state that Android’s “threat share” rose to 79% last year. That’s enough to make any rational person panic, right? It shouldn’t.
The first point at issue is the use of percentages. They’re not fair and they don’t tell the whole store. Sure, they may be factually accurate, but they don’t necessarily paint the whole picture — though they look great in a headline!
Imagine a company made 110 widgets last year, ten more than the previous year. That’s a 10% increase, right? A new company enters the market selling cogs. They sold 50 cogs last year which was up 25 from the year prior — a whopping 100% increase. Looking at percentages the cog company is doing twice as good as widget company. The same is true with mobile platforms, but the numbers are a bit more “complicated”.
Apple’s not immune
For a long time the mantra of Macintosh users was that they were somehow “immune” from viruses and malware. That wasn’t entirely untrue, as long as the viruses and malware they were referencing could only execute on Windows operating systems. Why, then, were so few malicious apps written to exploit Mac? It’s a numbers game.
Imagine for a moment that you’re a black-hat coder and want to do bad things to people’s computers. Are you going to spend countless hours writing code that can infect 90% of the computers our there, or 10%? You’re going to aim for the bigger target, right? It’s not so much that Apple was immune, they just weren’t as temping a target — not until they started saying they were superior because they were somehow “safer”. Even if that was true (which I’m not going to argue for or against), the more statements the company and its users made touting their “security”, the more of a challenge it was for the bad guys to target. Hackers love a challenge! Apple started getting hit with all kids of exploits and malware on their desktop OS.
You’d have thought Apple and their proponents had learned their lesson, and would keep their mouths shut to avoid becoming a larger target. Apparently not, but what does that have to do with mobile?
Mobile is sweeter
With mobile devices being always online, socially connected, with built-in ways for bad-guys to make money (premium SMS services, pay-per-minute calls to offshore phone numbers, etc.) our smartphones and tablets are quickly becoming sweeter targets than our desktop computers ever were.
Right now Android is getting the hits from the “bad guys” more so than Apple or Microsoft. Why? Depending on who you trust for your statistics, Android is in the lead in the mobile game. If you disagree with that you’ve got to accept the fact that they’re neck in neck with iOS. So why is Android a nicer target? They’re open.
I probably just lost half my readers by saying that, but for those of you who’ve stuck around, let me explain.
The “problem” with “open” is also one of its biggest strengths. Sure, it’s easier for the bad guys to write “bad” code for it. It’s also easier for those bad guys to get their code into an “unregulated” market. On the flip-side, Google loves the way we can self-regulate in the open-market. Looking at an app you can usually tell at a glance if it’s something you want to install on your device based on the ratings of those who’ve installed it. Sure, this can be gamed (and will probably become a huge industry in and of itself in the not-too-distant future), but for today it’s a good indicator.
So why hasn’t iOS been hit? They have. The numbers of malware just aren’t as high on the fruit-flavored OS because of a couple things. First off, all app submissions are screened before they’re published in iTunes. Second, the source is closed, so it’s not as easy to find things to exploit.
The “exploitability” issue makes being “bad” on Apple products more difficult, but it offers only a false-sense of security. The “screening” issue won’t solve everything, it only means someone has to look at the code before it’s published. Speaking as a developer who writes code for a living, you might be somewhat surprised to learn that it’s not to difficult to just “gloss over” what you’re looking at and approve it because you’re trying to hit a deadline, you don’t fully understand the code, or perhaps you just want to go home for the day. It’s a person who’s doing the screening, and people aren’t perfect.
“Open” might seem more vulnerable at first glance, but it’s really not. You have more sets of eyes looking at it, figuring out what something does, and improving upon it. “Closed” source doesn’t have that advantage. Instead they rely on “obscurity”. It’s like having a lock on your front door. The more people that take apart your particular brand of lock, the more its design flaws are exposed and fixed, resulting in a better product. Security through obscurity simply makes your door knob hard to find, but once you do, all you’ve got to to is twist and you’re in. No, I’m not implying that any OS or company behind them operates this way, it’s just an analogy to help you see the potential strengths and weaknesses of both approaches.
Real world experiences
I’ve got a whole bunch of people using Android-powered phones and tablets in my house. You wanna know how many “infections” I’ve gotten in that time? Exactly two. One was an “overly aggressive” ad pusher that displayed advertisements in the notification shade all the time, the other was a browser-history thief. Both apps came from the Play Store, both had 1-star ratings. Both were easy to remove. Neither cost us any money nor any down-time.
Perhaps Mr. Schiller wasn’t poking fun at Android like many of the talking-heads are reporting. Maybe he was just pointing out that there are people that write “bad” code out there and we all (Android, iOS, Microsoft, BlackBerry, etc.) need to do our research before we install an app from an unknown or un-trusted developer. If he wasn’t, then I will, and I’ll say the same thing he did “be safe out there” — regardless of what platform you’re on or what OS you’re using.