iphone mobile security

You may want to talk to an actual iOS developer before pushing your opinions much further. If you knew much about the architecture, you'd know how difficult it actually would be to create real malware for iOS, and why there currently is none.

I doubt that's going to happen though, and I'm not really interested in convincing you. I trust that the reader will be able to determine what to believe.

> You may want to talk to an actual iOS developer

> before pushing your opinions much further.

Lol... I'm a security architect. I don't need to speak with an [uneducated?] iOS developer. Developer driven security is some of the worst security I have seen.

Plus, I can program in Objective C. I've integrated secure containers and secure channels with both Cocoa/CocoaTouch.

> I doubt that's going to happen though, and I'm not really

> interested in convincing you.

No problem.

Here's one of the conferences you might want to get familiar with before making those spectacular claims: ACM Workshop on Security and Privacy in Smartphones and Mobile Devices. Felt submitted a paper to last year's conference that could be of interest to you. Or you can keep reading press releases....

Jeff

Lol... I'm a security architect.

Security "architect," huh? Yup. I suppose that could be a real job description in some tech company somewhere. But if you're claiming to be an expert in computer security, it's interesting that you don't use the terms properly.

> Security "architect," huh? Yup.

You're right again. I'm just making that up. I suppose the folks I used to work with in New York (fiancial instituions) did not exist either. http://www.google.com/#q=security+architect+job+description.

> But if you're claiming to be an expert in computer security

Actually, no. I don't have a PhD - I stopped at a Masters of Science in Computer Science. So I don't consider myself an expert in anything.

Jeff

noloader wrote:

Lol... I'm a security architect.

Let's see. You've been a member of these forums since April of 2011 but have 0 points. Either you've never tried to help anyone or no one has ever found your posts helpful. On the other hand, very, very many people (including me) have found Thomas helpful. I know who I'm most likely to believe.

Best of luck.

> Let's see. You've been a member of these forums since

> April of 2011 but have 0 points. Either you've never tried

> to help anyone or no one has ever found your posts helpful.

> On the other hand, very, very many people (including me)

> have found Thomas helpful. I know who I'm most likely

> to believe.

Believe whom you'd like. Or, you could read Felt's paper and believe the expert. I'm indifferent - I can't say I care one way or the other.

Jeff

I've already given you one example - Jailbreakme.com. It works on a non-jail broken device.

"worked" not "works". iOS has been updated since then.

you could read Felt's paper and believe the expert.

Is there some reason you only provided us with a link to a conference schedule and not a link to this paper?

> ...you'd know how difficult it actually would be to create real malware for iOS,

Apple has an effective security model,and I don't contest that. Code Signing (the Gatekeeper service), Sandbox (the Seatbelt service) and strict control of the App Store has done a great job.

> and why there currently is none.

That's the leap that is incorrect. You do not know that. I gave you a counter example, and Felt gives you counter examples. I would agree with you if you said "there are so few".

For what's its worth, the sandbox has forced us to move security controls (such as antivirus and firewall) from teh device to the server in the Enterprise and Federal. But we still place the security controls.

Jeff

I gave you a counter example

You gave no counter-examples. The discussion is about malware... jailbreakme.com is not malware.

> You gave no counter-examples. The discussion is about

> malware... jailbreakme.com is not malware.

So, help me out here.... Define malware so we are on the same page.

Perhaps you would believe a work that has been technical and copy edited:

"The infamous FinFisher cyber espionage tool has gone mobile, malware style. Multiple mobile Trojans for the Android, iOS, BlackBerry, Symbian, and Windows Mobile platforms have been discovered as have many Command and Control (C&C) servers around the world that they communicate with", http://thenextweb.com/mobile/2012/08/29/finfisher-malware-goes-mobile-infects-an droid-iphone-blackberry/.

"Even though malware is increasing in iOS, it still remains relatively low compared with other operating systems", http://news.cnet.com/8301-1009_3-57506159-83/apples-ios-and-android-are-new-favo rite-malware-victims/"

"All platforms have some malware but it is less common on Blackberrys, Apple iOS devices like the iPhone and Windows Phone handsets", http://www.techrepublic.com/blog/cio-insights/mobile-malware-cheat-sheet/3974959 7.

Here's what seems to be tripping some folks up:

"The Juniper MTC database does not include malware samples for Apple’s iOS platform . This does not necessarily mean it does not exist or that the iOS platform is not vulnerable to malware . Indeed, there have been instances of applications pulled from Apple’s App Store for violating Apple’s terms of service . The inability to quantify iOS threats is largely due to Apple not releasing data or opening its platform for analysis", http://www.juniper.net/us/en/local/pdf/additional-resources/jnpr-2011-mobile-thr eats-report.pdf.

Meg St._Clair can believe whom she likes. I'm still indifferent.

Jeff

> "worked" not "works". iOS has been updated since then.

Do you realize Apple is still handing out iOS 4.3 devices under warranty? I got one about 5 weeks ago when one of my older iPads died (an iPad 1 kept around for legacy testing).

Jeff

> Existence of vulnerabilities does not imply the existence

> of malware that takes advantage of them. Often, vulnerabilities

> are closed before anyone actually takes advantage of them.

"The security flaw in iTunes that FinFisher is reported to have exploited was first described in 2008 by security software commentator Brian Krebs. Apple did not patch the security flaw for more than three years, until November 2011. Apple officials have not offered an explanation as to why the flaw took so long to patch", http://en.wikipedia.org/wiki/FinFisher.

"The infamous FinFisher cyber espionage tool has gone mobile

Yes, I'm familiar with FinFisher. Very little has been made publicly available about how it works, but one thing certainly seems clear: it is not something that can infect a non-jailbroken iOS device, unless perhaps it is manually installed by someone with physical access to the device on which it is to be installed. If there were any evidence at all that FinFisher could infect a non-jailbroken iOS device, that would be HUGE news, and that would not be something that any security company would keep quiet.

"Even though malware is increasing in iOS, it still remains relatively low compared with other operating systems"

This statement, by a C|Net "journalist" I've never heard of before, comes as the last sentence in a paragraph discussing the Flashback malware. Flashback only affected Mac OS X, not iOS. Clearly, the writer did not understand some aspect of what she was saying, as any mention of iOS does not make sense in the context she used it. If she had substituted "Mac OS X" where she said "iOS," the statement and the context would have made perfect sense.

"All platforms have some malware but it is less common on Blackberrys, Apple iOS devices like the iPhone and Windows Phone handsets"

Odd choice of quote... why pick the more generic statement, rather than the far more specific:

Apps that appear in the Apple iPhone and iPad’s iOS App Store are vetted and approved. The system keeps the store pretty much malware free but it has been compromised in the past. A security researcher demonstrated a - now patched - vulnerability that allowed apps to download unsigned code not vetted by the App Store’s review process and there has been an instance of a Trojan making it onto the app store.

To provide additional information, the vulnerability that Charlie Miller found was patched some time ago and was never exploited in the wild. The "trojan" that made it into the App Store as a proof-of-concept, not an actual piece of malware. As such, it did nothing at all malicious, yet even so it was big news at the time. That was, at this point, the only time anything like that happened. There is obviously no guarantee that real malware couldn't be smuggled past Apple at some point, but it hasn't happened yet.

Let's stick to facts here, please.

Edit: By the way, I notice you've completely dropped the whole issue of this paper by Felt since I asked for a link to it. Are you unable to provide that link?

> Edit: By the way, I notice you've completely dropped

> the whole issue of this paper by Felt since I asked for

> a link to it. Are you unable to provide that link?

No. I'm not going to do your leg work for you since I gave you the conference and the author. From the Introduction:

... Researchers have been studying mobile phone security for several years [32, 36]. At first, mobile malware was proof- of-concept. Over time, however, mobile malware has be- come a real threat. We survey the state of modern mobile malware in the wild to illuminate the current threat model and suggest future directions. Our survey encompasses all known iOS, Symbian, and Android malware that spread between January 2009 and June 2011. We collected information about 46 pieces of malware in this time period: 4 for iOS, 24 for Symbian, and 18 for Android....

Jeff