Q: iphone mobile security

> Because NONE of the numerous professionals who study

> this sort of thing all day, every day, for a living have ever

> managed to find one single piece of iOS malware capable

> of installing on a non-jailbroken system

You cannot make that leap. Just as Dykstra told us "Testing shows the presence, not the absence of bugs," lack of press releases does not prove the absence of malware.

I've already given you one example - Jailbreakme.com. It works on a non-jail broken device.

I could give you others, too. But you're a guy who "tracks and studies malware", so I'm sure you could find the relevant papers if you choose to look for them. I'll give you one hint for one paper I am aware: Felt. I'll also give you some advice: stop basing your opinions on press releases from marketing departments.

Jeff

You may want to talk to an actual iOS developer before pushing your opinions much further. If you knew much about the architecture, you'd know how difficult it actually would be to create real malware for iOS, and why there currently is none.

I doubt that's going to happen though, and I'm not really interested in convincing you. I trust that the reader will be able to determine what to believe.

> You may want to talk to an actual iOS developer

> before pushing your opinions much further.

Lol... I'm a security architect. I don't need to speak with an [uneducated?] iOS developer. Developer driven security is some of the worst security I have seen.

Plus, I can program in Objective C. I've integrated secure containers and secure channels with both Cocoa/CocoaTouch.

> I doubt that's going to happen though, and I'm not really

> interested in convincing you.

No problem.

Here's one of the conferences you might want to get familiar with before making those spectacular claims: ACM Workshop on Security and Privacy in Smartphones and Mobile Devices. Felt submitted a paper to last year's conference that could be of interest to you. Or you can keep reading press releases....

Jeff

Lol... I'm a security architect.

Security "architect," huh? Yup. I suppose that could be a real job description in some tech company somewhere. But if you're claiming to be an expert in computer security, it's interesting that you don't use the terms properly.

> Security "architect," huh? Yup.

You're right again. I'm just making that up. I suppose the folks I used to work with in New York (fiancial instituions) did not exist either. http://www.google.com/#q=security+architect+job+description.

> But if you're claiming to be an expert in computer security

Actually, no. I don't have a PhD - I stopped at a Masters of Science in Computer Science. So I don't consider myself an expert in anything.

Jeff

noloader wrote:

 

Lol... I'm a security architect.

Let's see. You've been a member of these forums since April of 2011 but have 0 points. Either you've never tried to help anyone or no one has ever found your posts helpful. On the other hand, very, very many people (including me) have found Thomas helpful. I know who I'm most likely to believe.

Best of luck.

> Let's see. You've been a member of these forums since

> April of 2011 but have 0 points. Either you've never tried

> to help anyone or no one has ever found your posts helpful.

> On the other hand, very, very many people (including me)

> have found Thomas helpful. I know who I'm most likely

> to believe.

Believe whom you'd like. Or, you could read Felt's paper and believe the expert. I'm indifferent - I can't say I care one way or the other.

Jeff

I've already given you one example - Jailbreakme.com. It works on a non-jail broken device.

 

"worked" not "works".  iOS has been updated since then.

you could read Felt's paper and believe the expert.

Is there some reason you only provided us with a link to a conference schedule and not a link to this paper?

> ...you'd know how difficult it actually would be to create real malware for iOS,

Apple has an effective security model,and I don't contest that. Code Signing (the Gatekeeper service), Sandbox (the Seatbelt service) and strict control of the App Store has done a great job.

> and why there currently is none.

That's the leap that is incorrect. You do not know that. I gave you a counter example, and Felt gives you counter examples. I would agree with you if you said "there are so few".

For what's its worth, the sandbox has forced us to move security controls (such as antivirus and firewall) from teh device to the server in the Enterprise and Federal. But we still place the security controls.

Jeff

I gave you a counter example

You gave no counter-examples. The discussion is about malware... jailbreakme.com is not malware.

> You gave no counter-examples. The discussion is about

> malware... jailbreakme.com is not malware.

So, help me out here.... Define malware so we are on the same page.

Perhaps you would believe a work that has been technical and copy edited:

"The infamous FinFisher cyber espionage tool has gone mobile, malware style. Multiple mobile Trojans for the Android, iOS, BlackBerry, Symbian, and Windows Mobile platforms have been discovered as have many Command and Control (C&C) servers around the world that they communicate with", http://thenextweb.com/mobile/2012/08/29/finfisher-malware-goes-mobile-infects-an droid-iphone-blackberry/.

"Even though malware is increasing in iOS, it still remains relatively low compared with other operating systems", http://news.cnet.com/8301-1009_3-57506159-83/apples-ios-and-android-are-new-favo rite-malware-victims/"

"All platforms have some malware but it is less common on Blackberrys, Apple iOS devices like the iPhone and Windows Phone handsets", http://www.techrepublic.com/blog/cio-insights/mobile-malware-cheat-sheet/3974959 7.

Here's what seems to be tripping some folks up:

"The Juniper MTC database does not include malware samples for Apple’s iOS platform . This does not necessarily mean it does not exist or that the iOS platform is not vulnerable to malware . Indeed, there have been instances of applications pulled from Apple’s App Store for violating Apple’s terms of service . The inability to quantify iOS threats is largely due to Apple not releasing data or opening its platform for analysis", http://www.juniper.net/us/en/local/pdf/additional-resources/jnpr-2011-mobile-thr eats-report.pdf.

Meg St._Clair can believe whom she likes. I'm still indifferent.

Jeff

> "worked" not "works".  iOS has been updated since then.

Do you realize Apple is still handing out iOS 4.3 devices under warranty? I got one about 5 weeks ago when one of my older iPads died (an iPad 1 kept around for legacy testing).

Jeff

> Existence of vulnerabilities does not imply the existence

> of malware that takes advantage of them. Often, vulnerabilities

> are closed before anyone actually takes advantage of them.

"The security flaw in iTunes that FinFisher is reported to have exploited was first described in 2008 by security software commentator Brian Krebs. Apple did not patch the security flaw for more than three years, until November 2011. Apple officials have not offered an explanation as to why the flaw took so long to patch", http://en.wikipedia.org/wiki/FinFisher.

"The infamous FinFisher cyber espionage tool has gone mobile

Yes, I'm familiar with FinFisher. Very little has been made publicly available about how it works, but one thing certainly seems clear: it is not something that can infect a non-jailbroken iOS device, unless perhaps it is manually installed by someone with physical access to the device on which it is to be installed. If there were any evidence at all that FinFisher could infect a non-jailbroken iOS device, that would be HUGE news, and that would not be something that any security company would keep quiet.

"Even though malware is increasing in iOS, it still remains relatively low compared with other operating systems"

This statement, by a C|Net "journalist" I've never heard of before, comes as the last sentence in a paragraph discussing the Flashback malware. Flashback only affected Mac OS X, not iOS. Clearly, the writer did not understand some aspect of what she was saying, as any mention of iOS does not make sense in the context she used it. If she had substituted "Mac OS X" where she said "iOS," the statement and the context would have made perfect sense.

"All platforms have some malware but it is less common on Blackberrys, Apple iOS devices like the iPhone and Windows Phone handsets"

Odd choice of quote... why pick the more generic statement, rather than the far more specific:

Apps that appear in the Apple iPhone and iPad’s iOS App Store are vetted and approved. The system keeps the store pretty much malware free but it has been compromised in the past. A security researcher demonstrated a - now patched - vulnerability that allowed apps to download unsigned code not vetted by the App Store’s review process and there has been an instance of a Trojan making it onto the app store.

To provide additional information, the vulnerability that Charlie Miller found was patched some time ago and was never exploited in the wild. The "trojan" that made it into the App Store as a proof-of-concept, not an actual piece of malware. As such, it did nothing at all malicious, yet even so it was big news at the time. That was, at this point, the only time anything like that happened. There is obviously no guarantee that real malware couldn't be smuggled past Apple at some point, but it hasn't happened yet.

Let's stick to facts here, please.

Edit: By the way, I notice you've completely dropped the whole issue of this paper by Felt since I asked for a link to it. Are you unable to provide that link?