
Is iOS really more secure?


#21

All these replies are great insights but I was thinking more along the lines of physical security. Similar to the GrayKey unlocker. I’m just kind of curious as to whether there’s anything similar on Android.


#22

Heartbleed (and the mess that is/was OpenSSL in general - for DECADES) called to say hello. Open source can have unfound bugs hidden in plain sight too. Your claim that closed source has less auditing is entirely anecdotal… and here’s why.

I get it, people CAN audit open source but the number of eyes, and the number of eyes that are actually competent that are eyeballing it are a lot fewer in reality than some might hope for.

The flip-side is that with closed source, qualified people are actually being paid to audit the code as their day job. In some cases, the reputation/share price/profits of the company depend on it. So there’s often a real incentive there beyond hobbyist end user interest. Sure, there are people who get paid to do open source too, but claiming open source is audited more because the code is open is a bit of a leap, IMHO. The potential is there, the reality differs. You only have to look at how “hard” things in the open source world get ignored or half-assed (like the desktop UI for example). Security is one of the “hard” things. So my confidence in it being audited as hard as some seem to fantasise about is just not there.

In terms of open vs. closed source, after doing this stuff for 20+ years, I’d say it’s a wash. Assume everything has bugs in it. In terms of architecture, iOS is pretty good. Sure there may be implementation details that mean there are holes but they can be fixed as they are discovered.

The core security architecture seems pretty sound (and that’s the important bit, doesn’t matter how bug free your code is if your design isn’t good to start with).

Open source has plenty of benefits and in theory security is one of them, but in reality the benefit is minimal at best IMHO.

For another few anecdotes that sway my personal decision:

  1. The US government isn’t complaining about being unable to break into Android devices (my suspicion is because most of them in the wild are low end garbage and easily hacked as things like full device encryption aren’t turned on by default. The number of Android users running high end handsets AND making use of the available security features is relatively few vs. the entire Android market).
  2. Apple leadership have publicly (at least) told the government to get fucked.
  3. Apple are not in the business of monetising your data as their business model, thus end to end encryption is less of a conflict with their business model.

As an aside…
I’d laugh my arse off if the jailbreaks for mobile devices are actually NSA malware (or a vector for future NSA malware installation)… if I was in that position it’s totally what I’d be putting out…


#23

There is always a way to break into something if you have physical access. It just depends on how much effort you’re willing to put forward.

iOS might make the initial barrier slightly more difficult than Android, by disabling the USB protocol or whatever when the device is locked, but that can’t be too difficult to get around.


#24

It really comes down to ideology.
A centralized app store where you decide like the king/queen of England which apps make it through to the public, as well as the decentralized open-source model where the source is open to anyone to review and find flaws, will always beat an open app store like Google’s, where it’s a matter of throwing a few $ at it and your software is released in the store.
The latter obviously being the less secure.
I’m not a proponent of Apple at all, in fact I’ll quote Grizzle here, “Don’t buy apple products”, but they do rule that app store with an iron fist. And they do lock down that platform like there is no tomorrow, excluding you from doing anything they don’t want you to, which is more secure.


#25

That is a great question that I never researched. I googled around and people on forums said that you would lose sandboxing if you rooted/jailbroke your device, so I just took their word for it without doing the research.


#26

Find My iPhone and remote wipe is a wonderful thing. 🙂


#27

If you root/jailbreak your device, all bets are off (whether it is iOS or Android), and whether sandboxing supposedly works or not.

The whole point of a jailbreak is that you are circumventing the security controls to run arbitrary code, so if your device can be jailbroken, it is wide open to malicious code. Jailbreak software is basically doing the exact same thing as malware.

If you have jailbroken it, then closed the jailbreak hole (maybe?) and are then running third party code - who is auditing it? Do you trust them? Do you trust all the random third party software that is not permitted into the play/app store for whatever reason?

2c, but in my book, if you’re rooting/jailbreaking a mobile device your security has gone completely out the window.

At least if the device is locked down to the vendor signed code, you just have to make a decision on whether or not to trust the vendor. If you’re running arbitrary third party code that couldn’t make the app store… well… good luck with that.

People seem to think they can make a judgement call on jailbreak software (or unauthorised apps loaded post-jailbreak) based on trusting the developer (i.e., some random third party hacker from “the internet” hiding behind a pseudonym) without examining the source, but then in the same breath don’t want to trust the hardware OEM.

I don’t get it.

Unless you are personally auditing the source (“ain’t nobody got time fo that!”), you’re flying blind…


#28

By looking at other people’s phones (coworkers, mainly), iPhones tend to have more resistance against app-embedded malware.
Can’t really elaborate on that, just sharing what I’m seeing.


#29

That is true. It’s an awesome feature. Too bad Android doesn’t have something similar. I wonder if we could petition for it.


#30

This is one of the benefits of an integrated hardware/software solution, I believe.

If you were to petition for it, who do you petition? Google? Why should they support third party hardware?

Samsung? They don’t seem to give a shit once they’ve sold you the device… if your device gets stolen because remote wipe/brick makes it more attractive and you need another device, that’s another sale 😃

But yes, if someone in the Android market could offer that feature, it would be a plus.

Sure you can do it via Exchange server and/or MDM, but most home users don’t have those things.

Maybe it’s something the telco(s) could offer, but I have no doubt you’d need to run the telco-branded crapware filled image to get it.

That’s a whole other reason I choose iOS… but /tangent…


#31

That’s a good question. I didn’t really think it through much, just a “shower thought” sort of thing.

I completely agree that the integrated hardware/software makes this a main benefit.

If Samsung or whoever would do that, I’d move to them within the month, assuming headphone jack.


#32

You can install pretty much everything on Android (even if not rooted). You just aren’t able to hand out root access to apps. On the Google Play Store there are plenty of apps that require root (regardless of whether or not you have root, it just won’t work if you don’t). It’s not something you have to do, but you’ve got the freedom to do so without anyone standing in your way. While on iOS, well, you first gotta go through Apple to do that for things that you don’t even need root for on Android.

There are really only two things that really annoy me as far as iOS goes. First iTunes, second I cannot have my own apps on my phone without having to buy a Mac, an Apple developer account and by the way I also don’t have an iPhone. Even if you program with React or Xamarin you still need a Mac to compile the damn thing and also want at least one iPhone to make sure it actually still works on iOS. On Android you can also just upload the apk to your site and people will be able to use it. Do I trust it? Well, depends. For instance my dad’s aquarium lights come with an Android app that’s not in the store and does not have an iOS app. Why? Well, you just bought the product with a manual in the box explaining for dummies how to install the apk. Sure, you are able to download the apk without having bought the lights, but then what do you do with it?

You don’t have to go around and install all the cr4p you find just because you can. But it’s nice that you can. Especially because you actually can make your own stuff without much hassle.

What would you say if Microsoft decides to go all out Windows Store and you have to ‘jailbreak’ your PC to install an exe?


#33

Have you checked your Google account options?


#34

Something to consider in the scheme of things:

If Apple falters to such basic requests, what other exceptions have they made for others?

@sgtawesomesauce You can get even more fancy with Find My Device on Android. FMD only works when your phone has an internet connection and is online.

However you can install a service which can control the phone via a received SMS message or activated via a trigger event or even a ‘dead man’s’ switch (certain secure phones require a periodic authentication) and tell it to do certain things even when mobile data / wifi is off. There is also a mode that allows transmitting information via undocumented emergency channels without a SIM card.

In South Africa having no mobile data on a stolen phone, thus making it difficult to find, is a fairly common situation.

Furthermore, on particular modded phones running LineageOS there is a way one can install a script into the recovery & modem partition which survives most factory resets and reinstalls of even the recovery partition.

After being wiped or tampered with it then reinstalls a service as a system level application from the baseband & modem partition on the Android operating system with kernel level permissions and phones home even after you’ve fully wiped the device and installed a new SIM card or have no SIM card.

When the service has detected a trigger event (such as being reported stolen / factory reset) it goes into full blown espionage mode. Keylogger activates, call & voice recording activates, pictures are taken when someone interacts with the screen, GPS coordinates are transmitted without the user’s knowledge, and the phone can be fully remote controlled via SMS (entirely invisible to the user), MMS or internet.


#35

Yes, Android’s catching up but iOS still beats it.
The proprietary nature helps it a bit; iBoot, before it was hacked, was almost alien to anyone but Apple. It was extremely well guarded by Apple and worked well, using systems like verified boot to make sure the entire boot stack and build was certified by Apple.
iBoot has since been broken but I think they are designing something else due to the breach (source code leak).

The app store is strict and over-lorded by Apple; they have very strict requirements and will cut an app off at a moment’s notice if it’s a risk. I believe every app is vetted also; Microsoft does something similar with their store.

Android One is the way forward for Google but it still lacks. The only Android device I know that can compete with iOS is BlackBerry; if the build is tampered with it will kill the verification system forever, hence why there are no ROMs, and it’s a custom hardened build of Android.
Also don’t suspect a system is out of date/vulnerable because it’s on Android 7.1 and not 8.1. I have a BB (7.1) and a Nokia 5 (8.1); I trust the BB more for my work and security requirements, even over iOS.


#36

You haven’t needed to use iTunes with an iPhone since 2011.


#37

How else do I get my music on my iPhone then? Didn’t find any half decent software for that. Don’t personally need that, but my parents would. There are some, but they all didn’t seem that good, cost money, or come with ads and/or bloatware for basically a drag and drop functionality. I would have made them pay for some program, but as I don’t personally use an iPhone I don’t really have any long term experience with any of them. Now we have “the iTunes CD ripping and sync it slave”-PC and you can’t sync with any other iTunes as then the music that’s not in iTunes is gone.

Sure, I don’t need iTunes to run my iPhone, but I use my phone 50% as a music player. It’s like its primary function for me, followed by alarm clock. And then comes googling stuff on the go, then GPS. And lastly what a phone is actually supposed to do. Well, that was me now. But my parents have all their music on CDs from the last xyz years. So they also need to rip and sync those.

Though, not like it’s all cherry blossoms on Android either. There I can drag and drop songs, but it’s still annoying to manage and I don’t yet know of any good music player that works on Linux, Windows and Android (AT LEAST), does not s*ck on any of them and syncs everything everywhere including playlists. Not interested in streaming.


#38

The easiest way is to just sign up for Apple Music and get all the music in the store (like, Apple’s entire music library, not just yours) available for free (and downloadable, so you don’t need to stream it constantly - though I believe it still needs to do a periodic DRM check or such) on all your Apple devices.

I’m not sure what you value your time at for ripping CDs, uploading, juggling to different devices, etc. But it adds up quick and $9/month (or whatever it is locally, it’s like a few cups of coffee) is not expensive for that service.

If you don’t like the Apple store, use Spotify, etc. instead.

Maybe I work differently to yourself, but I haven’t plugged my last 2-3 iPhones into a PC for any other reason than to charge whilst using personal hotspot.


#39

Does not solve the problem; there are sure gonna be songs that they don’t have. And the songs are not mine still. They can give and take away content just like Netflix. Yet, I still have it and had Spotify for a bit (well, I mean you always have Spotify, just a matter of whether or not you actually use it and care about removing advertisement). But I don’t have either as a strict replacement.


#40

The flip-side is there are literally millions of songs you get that you don’t currently own. Are those massively obscure edge case songs that Apple does not have a deal breaker? For me I’d say no… YMMV. But I think you’re making a mountain out of a molehill with that particular issue…

No solution is perfect as you’ve discovered. You pick your trade-offs and make your choice; personally I’m pretty happy with the current streaming/DRM-download alternatives. I don’t even need to think about what I want on my device. So long as I’m at home I can listen to anything; if I like it I can either just do “add to library” and/or download…

Again… replace Apple Music with Spotify or whatever as you like…

edit:
Ask your parents (as you say they’re the ones who need it)

“What if I told you that you could have access to almost every commercial album ever released by a major label in the world for $9/month?”

They might not think that not having “Ass Bomber” by my mate David from 1998 (for example) is a deal breaker.

edit:
This has kinda split off onto a tangent, apologies…