TFS makes it sound like 159,000 iOS devices had their firmware backdoored, but that number is talking about Peachpit-enabled malware apps downloaded from the iOS app store. Precisely 0 iOS devices have been found with backdoored firmware.
Interested parties should probably read the actual PDF [humansecurity.com] from Human Security to get the correct information.
Agreed! Thanks for posting the PDF.
What I found interesting is that Badbox affects only Android devices.
The other, the malware campaign, affects multiple devices, including iOS and is delivered through multiple app marketplaces.
But it does not say it was delivered by Apple’s official AppStore.
Perhaps these iOS devices downloaded apps to jailbroken devices?
And, if that is the case, does it bolster Apple’s argument NOT to open up their ecosystems to other, 3rd-party, app stores?
Apple has bet the farm on being the gatekeeper. So far, it has worked out surprisingly well. Not perfectly, but well enough to keep the iOS ecosystem remarkably clean, although stuff does get through (such as insecure cryptocurrency wallet apps).
The issue with Android is that without some form of gatekeeper, it isn’t too tough to make apps that can exfiltrate a lot of data. This isn’t the operating system’s fault, but the fault of where apps come from. We have seen this in China with no-name Android app stores which function as a repository, but without doing any integrity checking, allowing anyone to throw up a .apk file, claim it is an app, and call it done. Often, Android asks for a lot of permissions all at once, so the user tends to just click “install”, as opposed to the newer model of asking on first use.
The solution would be a dedicated, curated repository. However, having the manpower and equipment to not just vet apps, but keep abreast of how the bad guys obfuscate things is not cheap.
It is the Operating System Publisher’s (Google) fault; for not having exactly the same type of mandatory “App Curation” (Gatekeeper) Rules as Apple has with their Mobile OSes.
But in their mad Marketing push to appear more “Open”, Google’s real joke is on Android’s Users.
And oh, BTW, Google certainly has enough cash in their war chest to change to a “Curated” App Store. “Cost” is a very poor excuse; and just underlines that Google cares more about Profits than People. Besides, all they have to do is increase their Developer Fees just a teeny bit, and it’s magically all paid for!
What Google needs to do is have a multi-tier app store. Tier 1 is curated just as meticulously as Apple’s is, perhaps with an upcharge for developers to use it. Tier 2 is what they have right now. From there, have devices default to only tier 1 at the start, with the user given the ability to go to tier 2, with a warning about one can’t just walk into Mordor.
This is not revolutionary stuff. Red Hat, Debian, and Ubuntu do a great job at keeping their ecosystems clean.
Not revolutionary stuff; which only underscores just how little Google cares about its Vict. . . er, Users.
More to the point, low cost handset manufacturers are a trivial vector for hacked firmware. No amount of operating system vetting or App Store curation is going to fix physical access to phones that nobody pays enough to care about. You’re not hearing about this on Samsung or Pixel phones. It’s not impossible, but they’ve got somewhat tighter supply chains, as does Apple.
That’s a flimsy excuse.
I agree that, in this particular case, it appears that an evil middleman in the OEMs’ supply chains was involved; but there have been far too many infections of Android devices (including “premium” brands) by malicious, poorly-vetted Android Apps, to blame just the Budget Device OEMs.
Nope. It’s the end-user’s fault for installing random shit on their personal “my entire life is on here” all purpose spying device without a care in the world. No device can keep you safe in that case. Not even Apple, but these same idiots will happily champion Apple being responsible for them. (Because why should they have to do anything?)
Funny how someone else assuming responsibility over you and paying for your protection is considered “secure” in a country where big government is constantly feared and taxes are always considered too high.
Oh? It’s because Apple is a faceless unassailable corporation capable of virtually killing you and accountable only to its shareholders, while the fed is a faceless unassailable government capable of physically killing you and accountable only to its campaign contributors, with both constantly engaging in revolving door politics with each other? I see... that’s completely different. /s
Ah, there it is!
I was wondering when the Android Shills would show up!
Two words: You’re wrong.
Another shithead for whom Apple can do no wrong. Quit gargling Tim Cook’s balls for fuck’s sake.
Holy shit. And Apple isn’t all about profits. They intentionally slow down their phones and make repairs almost impossible to keep their profits high. The only reason they get away with it is that their users are tech illiterate.
Four Decades as an Embedded Developer (both hardware and software) here. So, try again.
Citation required.
I’ve got your Citation right here.
Yes. Yes it does.
Backdoored at school? Not the first time that’s happened, is it?
Download all their memes for fun and profit!
Is it all that serious that students are bringing their own compromised devices onto campus? If the school district’s IT is letting students use WiFi that has a route into more sensitive parts of the network, well, that’s not the fault of the malware; that’s an infrastructure problem.
How was Google’s GMail not the first to discover this? Surely 150000 devices sending and receiving the same messages would trigger at least a Google Play Store policy bypass.
It is the responsibility of the end-user (or the organization) – not Google or Apple.
It is not Google or Apple’s responsibility to keep bad actor apps and such off your devices once they’ve been shipped from the factory. It’s not theirs anymore, it’s yours. IT dept ordering hundreds or thousands of devices? Great, but that IT dept better check each device before it gets set up with an employee or student. Neither app store is perfect at blocking them, and yes Google is worse at it, but it doesn’t really matter beca
The OS does not need to be open source or user modifiable for the users to still be responsible for basic data security. It being open source and user modifiable doesn’t prevent this firmware injection at the supply chain. Nor does it prevent malicious apps. It may help in closing the holes that are abused, but that doesn’t prevent other malware that doesn’t need those. The end-user or organization should be knowledgeable enough to check/flash their firmware, not install shady apps, and run actual security
Ok, I don’t know what happened here and why your thoughts ended up taking 4 posts. None of what you said is relevant or related to anything I said or the topic at hand. In fact, I’m not even sure you actually said anything at all.
Ok, and you are still speaking in a generic way that applies to nothing here.
CCP party people talk about the wealth of information they gain from US schools.
When Chinese students exposed to that “wealth of information” they all rebel against CCP and start following K-POP bands on social media.
CCP party people ask “What did we do wrong? Copy from America should be good thing, right?”
/sarcasm