BigDO

Original poster
Dec 9, 2012
Interesting...

During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we've recently started refusing some [of] them.

On the other hand, Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it's even harder to develop zero click exploits not requiring any user interaction.

In accordance with these new technical challenges related to Android security and our observations of market trends, we believe that time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts which are iMessage and Safari (Webkit and sandbox).

https://arstechnica.com/information...er-android-0days-cost-more-than-ios-exploits/
 
Of note is that cyber criminals are “paying $2.5 million and $2 million for zero-click exploit chains for Android and iOS, respectively, top price for comparable exploits targeting desktop OSes tops out at $1 million.”

The challenge, of course, is the delivery of Android fixes to everyone due to the fragmented delivery chain. Compare that to the source detail from Google’s labs blog which showed that as long as you get updates, then you’re covered. The 5s from 2013 was covered in Q4 2018 which is far better than a Google Nexus from the same year.
 
That's the crux of the problem with Android. It is hypothetically more secure. In practice, given device manufacturer control, your mileage may vary. This can be because of manufacturer apathy, manufacturer OS modifications which have poor security or lack updates, or first or third party malware intentionally or unintentionally installed by the manufacturer, plus additional hurdles put up by carriers.

Google has helped improve this by applying pressure to speed up distribution of security patches, along with patches through the Google Play Store. It's still lacking, as all security patches aren't immediate. Those patches can't do anything about manufacturer or carrier apps and mods, which are not user removable.

The Pixel line, then Android One devices, are likely the most securely patched, followed by manufacturers quick to apply security patches to the OS and their apps. Once device support is dropped, which is usually within two years, you're probably better off running LineageOS, as that third party Android ROM is pretty quick about applying security patches and offers a fairly vanilla Android OS.
 