Is iOS really more secure?

I’m a Free Software loving, Church of GNU man-page thumping zealot for open source. I love the fact that Android is open, but iOS isn’t. I also hate Apple, and especially the Cult of Apple.

Fresh out of the box, an iPhone running iOS is more secure than a typical Android phone.

A “not small” number of phone manufacturers flat the hell out violate the GNU GPL because they know it won’t be enforced for them in a meaningful way. Android might be open source, but that device-specific firmware you need in order to boot Android on your phone? That hasn’t been vetted by the open source community behind Linux, and most are buggy as hell.

The security of devices using open source software depends on the code being released publicly in order to be vetted. This is “Linus’ Law” or “with enough eyeballs, all bugs are shallow”. For the majority of Android devices, the full code stack has not been evaluated and the “security by openness” assumption is invalid.

Apple’s devices all have code vetted by Apple engineers, and in theory don’t contain any code that hasn’t.

Finally… fresh out of the box, there’s no business incentive for Apple to spy on you, but there exists a business reason for Google to. Nearly all “Certified” Android devices install the Play Store app by default (and most people think Android isn’t functional without the Play Store), and Google is a known threat to confidential data stored on mobile devices.


Yes, compared to other platforms, iOS is the most secure platform to create a mobile application.

How many times has iCloud been hacked?

True, but Google Drive remains vulnerable to this day. iCloud, from what I understand, patched the attack vectors.

Not that I advocate using either…

Basically, never just assume that you’re safe. We have yet to discover the security problems with Google Drive that likely exist, and it’s entirely possible that iCloud has more problems yet to be discovered. The same goes for the iOS and Android operating systems. In fact, if you use anything made by anyone on this slide:

There’s probably vulnerabilities you don’t know about, that someone else does.

The stats don’t really matter. In the case of non-free software, the company only has so many employees, and they may not all have full access to the source code. With free software, anyone in the population with Internet access can theoretically read through the source. Instead of thinking of it in terms of numbers between them, think of which one involves you being respected, and giving you the option to take things into your own hands. Rather than being at the mercy of a company, you can know that if you really wanted to, you could read through the source. You could be an average joe, and you could go learn programming just to audit a piece of software you feel a bit uncomfortable with. You do not have this option with non-free software. The closest you’ll get is people slowly and painfully reverse-engineering things.

I don’t think ever?

Password guesses got in, and it’s not encrypted, so law enforcement can get access to backups.

Never use iCloud. My phone is old so I don’t know if you can turn it off on new phones.

All said and done, if China got a backdoor for access to the market, would they tell us?

The stats represent actual real world performance, vs. some theoretical fantasy land where you have millions of eyes on the code, finding every bug that may exist.

Most people are more concerned about practical reality, rather than hypothetical fantasy. i.e., the stats DO matter.

Facts are:

  • most people who use the code don’t look at it
  • most CODERS can’t write secure code
  • ergo, out of those few who look at the source, most aren’t competent enough to audit it, let alone write secure code. Some of those may think they are anyway, and give it a shot…

For an example of open source failure in this respect, recall OpenSSL. Heartbleed did not impact Microsoft’s crypto library…

Open source is great, and I use a lot of it myself, but holding it up as some sort of security panacea (especially in the case of iOS vs. Android, which is what this thread is about) just doesn’t reflect reality. Sure, it gives you more options, but that’s it.

Celebrities have poor opsec. Who knew.

Pretty sure that “hack” and others like it were due to use of shared passwords and recovery of credit card details from other leaks that could then be used as password reset validation.

It’s not a hack. It is, as per your own wiki article, phishing. Which isn’t a hack of the service. It’s a hack of the user.

Apple pushes 2FA on all iCloud users these days.

Yeah, you’re right.