
munkery

macrumors 68020
Original poster
Dec 18, 2006
2,217
1
The following article published by Symantec states that iOS has more vulnerabilities than Android.

http://www.symantec.com/content/en/...-istr_main_report_v18_2012_21291018.en-us.pdf

Other articles suggest the same as the Symantec article but the statistics don't match and other articles seem to have more accurate numbers at least in relation to iOS.

http://www.zdnet.com/iphones-most-vulnerable-among-smartphones-7000013129/

The Symantec article does state that iOS is still more secure than Android because of the walled garden approach of Apple.

But, I wonder where Symantec and others got the data for the statistics stating that iOS has more vulnerabilities.

A quick search of CVE shows that Android has more vulnerabilities than iOS.

Android = 338 (at time of this post)
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Android

Apple iOS = 260 (at time of this post using two searches: Apple iOS and iPhone OS)
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Apple+iOS
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=iPhone+OS

I think the issue with the numbers provided by these articles is that the articles only report numbers attributed to vendors and not the OS platforms as a whole. Many of the vulnerabilities in Android are attributed to third party projects used in Android but not to Android as in use in the wild. This practice makes the statistics not represent the real world numbers of vulnerabilities.
 

0dev

macrumors 68040
Dec 22, 2009
3,947
24
127.0.0.1
iOS is a highly secure platform. If you can find a workable exploit for it, the black market price for that exploit would be literally hundreds of thousands of dollars. As far as I know, the same goes for Android.

Both platforms are highly popular and all smartphones contain a lot of personal information; if there were usable exploits out in the wild, someone would be out there exploiting them. The fact that trojans exist for Android in dodgy app stores proves the interest is there. Yet no actual viruses spreading for either platform.

So really no one has anything to worry about really.
 

jrswizzle

macrumors 603
Aug 23, 2012
6,107
129
McKinney, TX
I'm always a little wary of companies, which make and sell anti-virus software, coming out with "studies" that say a platform, which isn't known for vulnerabilities and therefore doesn't have a large market for anti-virus software, is very vulnerable or more vulnerable than other platforms with large amounts of vulnerabilities.....

IMO, anti-virus software is worthless unless you are completely clueless or don't want to pay attention to what you download or where you surf the web.

It has its place, but I don't think Symantec or McAfee will ever convince me I need AV software for my Mac or iPhone.....or for that matter for my HTC One or Nexus 4.
 

0dev

macrumors 68040
Dec 22, 2009
3,947
24
127.0.0.1
I'm always a little wary of companies, which make and sell anti-virus software, coming out with "studies" that say a platform, which isn't known for vulnerabilities and therefore doesn't have a large market for anti-virus software, is very vulnerable or more vulnerable than other platforms with large amounts of vulnerabilities.....

IMO, anti-virus software is worthless unless you are completely clueless or don't want to pay attention to what you download or where you surf the web.

It has its place, but I don't think Symantec or McAfee will ever convince me I need AV software for my Mac or iPhone.....or for that matter for my HTC One or Nexus 4.

I think it's good to have for peace of mind as long as it doesn't impact performance and doesn't cost extra money. I use MSE on Windows and Avast on Android for this reason. But you're right, closed devices like the iPhone don't really need it, especially since iOS is already very secure. Even the jailbreak teams are having a hard time cracking iOS these days. There's even people in the jailbreak scene saying the days of jailbreaking are numbered.
 

0dev

macrumors 68040
Dec 22, 2009
3,947
24
127.0.0.1
Everyone knows that iOS is more secure than Android. I have used both iOS and Android and I think that iOS is not only more secure but also way easier to use, but Android offers more customization and has more features. Let's hope that with the new look in iOS 7 Apple also adds some basic features which Android users have been enjoying for years now.

Android is more secure than you think, Samsung Android phones have been approved for use in the US military.

Of course anyone who really truly cares about having the best security available on any phone will get a BlackBerry. Security is pretty much top priority for those guys and the QNX base is very solid, so much so that it's a system trusted to run nuclear power plants.
 

0dev

macrumors 68040
Dec 22, 2009
3,947
24
127.0.0.1

Android gets trojans, not viruses. Trojans do not exploit the OS, they exploit the stupidity of the users by tricking them into installing malware. For example, if I pirated a game from the Play Store, added a bit of code that sent the user's contacts list to me, then put that on a warez site, it'd probably get a lot of downloads but it's not because the OS has security holes, it's because users install dodgy software from dodgy sources.

If you jailbreak an iPhone it's susceptible to exactly the same kind of malware. In fact sometimes trojans sneak into the App Store. Don't be fooled into thinking the walled garden makes you safe, it merely makes you blissfully ignorant.

At the end of the day the biggest security risk for any computing device is the user. If you're an idiot you'll get infected no matter how secure the OS is.
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
Huh?

The article mentions Samsung Knox, which is an application that Samsung had to write in order to provide a "secure environment" on Android, no?

 

sentinelsx

macrumors 68010
Feb 28, 2011
2,004
0
I usually pity the guys who sacrifice their battery life and performance by running anti-virus on their Android phones. Why do you even need that? Do you install apps from shady places routinely?

I have never seen a malware on any of my Android phones. That is not to say there are no malwares, but at least so far I haven't seen something that will auto-install the moment I visit a website like it's been with Windows computers all that time.

Let's not forget jailbreakme on iOS :) A simple webpage can break your security.
 

0dev

macrumors 68040
Dec 22, 2009
3,947
24
127.0.0.1
Huh?

The article mentions Samsung Knox, which is an application that Samsung had to write in order to provide a "secure environment" on Android, no?


Yeah, so? Samsungs are the most common Android devices and older Galaxy phones will be updated with Knox shortly. Since it's all open source I'm sure it'll get ported to other Android ROMs soon.

It shows how flexible Android is that it can be hardened like that. The NSA did a similar thing using SELinux just like Samsung.
 

sentinelsx

macrumors 68010
Feb 28, 2011
2,004
0
Yeah, so? Samsungs are the most common Android devices and older Galaxy phones will be updated with Knox shortly. Since it's all open source I'm sure it'll get ported to other Android ROMs soon.

It shows how flexible Android is that it can be hardened like that. The NSA did a similar thing using SELinux just like Samsung.

Just to clarify, Android being open source doesn't mean OEM-added features are. KNOX could be closed source and hence only Samsung would be able to use their own feature, not anyone else.
 

cynics

macrumors G4
Jan 8, 2012
11,959
2,156
There are versions of Android with "military grade" security. But neither iOS nor Android is out of the box, maybe a Samsung phone with KNOX.

I can't even bring my iPhone to some places I work. However Blackberry is ok, only if it doesn't have a camera though.
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
It shows how flexible Android is that it can be hardened like that.
It does, but I think it goes against your point "Android is more secure than you think."

If Android was more secure than we thought, then why did Samsung have to develop a special application (Knox) that essentially hides the sensitive data from Android?

To me, that seems to say "We don't trust the security of Android, so we're going to add our own special layers".

No argument that Knox shows the flexibility of Android. It's just that if you have to harden the OS that much more in order to meet military requirements, it doesn't really point to the OS being that hard to begin with.
 

maxosx

macrumors 68020
Dec 13, 2012
2,385
1
Southern California
Sensationalized news is the norm these days. Let's face it, negative news sells.

As one who follows security closely, and has used both Android phones and iPhones concurrently since they were introduced, I say we are reasonably safe.

It's a handheld computer so anything is possible, but rather unlikely in the case of individual usage. I don't believe in comparing Android vs iOS, as though one has to pick a winner. They're both well thought out, well engineered, developed, and subject to continuous improvements.

Neither are perfect, nor is anything as highly technical as computers and smartphones. But given the high skill level of those who create these products, I have chosen to trust, practice safe computing and smartphone usage, and take the rest with a grain of salt. :)
 

0dev

macrumors 68040
Dec 22, 2009
3,947
24
127.0.0.1
It does, but I think it goes against your point "Android is more secure than you think."

If Android was more secure than we thought, then why did Samsung have to develop a special application (Knox) that essentially hides the sensitive data from Android?

To me, that seems to say "We don't trust the security of Android, so we're going to add our own special layers".

No argument that Knox shows the flexibility of Android. It's just that if you have to harden the OS that much more in order to meet military requirements, it doesn't really point to the OS being that hard to begin with.

It doesn't, it just takes advantage of SELinux within the kernel and implements it within the Android system. Having SELinux on for all Android phones wouldn't really make much sense and it would make managing the system more of a task for your regular user (SELinux has to be set up by someone to work as you want it to, look up how to make it work on desktop Linux, it's not something a noob can do), so it's not on by default. A big part of what Knox does is also create separate spaces in the phone - one for work, one for personal use. That isn't extra security as much as it is optimisation for enterprise.

As I said though, if security is the number one concern, BlackBerry has that down better than anyone else.
 

nizmoz

macrumors 65816
Jul 7, 2008
1,410
2
Android is more secure than you think, Samsung Android phones have been approved for use in the US military.

Of course anyone who really truly cares about having the best security available on any phone will get a BlackBerry. Security is pretty much top priority for those guys and the QNX base is very solid, so much so that it's a system trusted to run nuclear power plants.

They just did with the S4 now. iOS has been secure for years. We already use iPhones in the government. I work for them.
 

munkery

macrumors 68020
Original poster
Dec 18, 2006
2,217
1
About half the Trojans targeting Android include a privilege escalation exploit to gain more leverage over the system than could be acquired just by tricking the user.

The reason such vulnerabilities are being exploited is because the vulnerabilities facilitate the installation of more profitable malware, such as premium rate SMS malware.

This isn't occurring because Android has a lot of privilege escalation vulnerabilities. It's because most Android devices aren't running the most recent fully patched version of Android.
 

cody92

macrumors newbie
May 3, 2013
27
0
I'm also wary of reports published by companies or by organizations associated with companies. Does Symantec have something to gain by making this claim? I have no idea. I met some of the engineers in person from Symantec before and they definitely knew what they were talking about. I don't know that this matters if the company wants to throw in their bias.
 

mib1800

Suspended
Sep 16, 2012
2,859
1,250
I'm always a little wary of companies, which make and sell anti-virus software, coming out with "studies" that say a platform, which isn't known for vulnerabilities and therefore doesn't have a large market for anti-virus software, is very vulnerable or more vulnerable than other platforms with large amounts of vulnerabilities.....

IMO, anti-virus software is worthless unless you are completely clueless or don't want to pay attention to what you download or where you surf the web.

It has its place, but I don't think Symantec or McAfee will ever convince me I need AV software for my Mac or iPhone.....or for that matter for my HTC One or Nexus 4.

From the OS architecture point of view, I think Android is more easily secured (and less vulnerable) than iOS since Android apps can only run in VM.
 

cody92

macrumors newbie
May 3, 2013
27
0
From the OS architecture point of view, I think Android is more easily secured (and less vulnerable) than iOS since Android apps can only run in VM.

I agree about Android being more secure, but even in Android, native code can be easily used which is not run by Dalvik. Technically they all run virtually, in every modern OS, thanks to virtual memory management, user and kernel mode instruction privileges, and some other things.
 

Assault

macrumors 6502a
Mar 19, 2013
513
0
in the taint
New Android malware in the wild.

It utilizes two previously unknown and currently unpatched vulnerabilities, including one privilege escalation vulnerability.

http://arstechnica.com/security/2013/06/behold-the-worlds-most-sophisticated-android-trojan/

Also, new Trojan found in Google Play.

http://www.cnet.com/news/malware-masquerading-as-bad-piggies-found-on-google-play/57589290

Old news my friend. This was taken out of the Play Store already. BTW, same thing happened on iOS a while back. And if you want to talk about security issues, you might want to ask Apple why it took 5 years for them to enable 2 step verification? Or why it still isn't fixed completely?

Different companies may have different numbers, but it still points out that Apple is far from invulnerable and in fact is at least on par with Android in the threat/security arena.

Apple's iOS mobile operating system (OS) had the most security vulnerabilities in 2012, according to Symantec, but malware authors are still attacking Android because it is more open.
Symantec's report revealed that there are 387 documented vulnerabilities on Apple's iOS software, compared to a mere 13 on Android. However, despite Apple's higher iOS vulnerability score, Android remained the leading mobile operating system in the amount of malware written for it in 2012.

P.S. How do you suppose iOS gets jailbroken? The easter bunny and fairy dust?
 

munkery

macrumors 68020
Original poster
Dec 18, 2006
2,217
1
BTW, same thing happened on iOS a while back.

Link to source to any real malware threat in iOS App Store?

P.S. How do you suppose iOS gets jailbroken? The easter bunny and fairy dust?

Bootrom exploits (i.e. connected to computer via cable) used to jailbreak iOS can't be leveraged in malware like the privilege escalation exploits used against Android.

Jailbreakme 2 and 3 against iOS used these types of privilege escalation vulnerabilities but these types of vulnerabilities are more rare in iOS than Android. Search CVE to see the numbers. Also, iOS now has more runtime security mitigations to prevent exploiting these types of vulnerabilities than when these jailbreaks were demonstrated. Obviously, these types of vulnerabilities have not been used in malware against iOS.

In relation to comments stating that Android is more secure than iOS, all data on the Android device was compromised and malicious programs were able to be installed after being exploited at the last mobile pwn2own. The exploit included using a zero day privilege escalation vulnerability.

Only the browser was exploited on the iOS device which allowed much less critical data to be exposed and didn't allow malware to be installed because a privilege escalation vulnerability wasn't able to be leveraged.
 

mib1800

Suspended
Sep 16, 2012
2,859
1,250
Link to source to any real malware threat in iOS App Store?



Bootrom exploits (i.e. connected to computer via cable) used to jailbreak iOS can't be leveraged in malware like the privilege escalation exploits used against Android.

Jailbreakme 2 and 3 against iOS used these types of privilege escalation vulnerabilities but these types of vulnerabilities are more rare in iOS than Android. Search CVE to see the numbers. Also, iOS now has more runtime security mitigations to prevent exploiting these types of vulnerabilities than when these jailbreaks were demonstrated. Obviously, these types of vulnerabilities have not been used in malware against iOS.

In relation to comments stating that Android is more secure than iOS, all data on the Android device was compromised and malicious programs were able to be installed after being exploited at the last mobile pwn2own. The exploit included using a zero day privilege escalation vulnerability.

Only the browser was exploited on the iOS device which allowed much less critical data to be exposed and didn't allow malware to be installed because a privilege escalation vulnerability wasn't able to be leveraged.

You are kidding when you said that privilege escalation vulnerabilities don't exist/rare in iOS compared to Android? :p Aren't iOS/Android derived from os and using the same wireless/networking technology? There is little comfort in you saying that cable needs to be connected since when does anyone not plug in cable to phone regularly. In fact, iPhone is more vulnerable with cable attached (+iTunes) as that actually causes privilege escalation which can be exploited.
 

cnev3

macrumors 6502
Sep 13, 2012
462
56
I usually pity the guys who sacrifice their battery life and performance by running anti-virus on their Android phones. Why do you even need that? Do you install apps from shady places routinely?

When I had Android phones, I ran virus scans for troubleshooting purposes. The virus scanner was already included, so I considered it an essential utility. And I let it do its automatic scans whenever I restarted, downloaded an app, or reinserted the SD card. I just didn't have enough faith to remove it from my phone. My phone had a lot of funky issues, and the virus scans were like insurance, and a troubleshooting step to assure me my issues were not related to malware.
 

munkery

macrumors 68020
Original poster
Dec 18, 2006
2,217
1
You are kidding when you said that privilege escalation vulnerabilities don't exist/rare in iOS compared to Android? :p Aren't iOS/Android derived from os and using the same wireless/networking technology? There is little comfort in you saying that cable needs to be connected since when does anyone not plug in cable to phone regularly. In fact, iPhone is more vulnerable with cable attached (+iTunes) as that actually causes privilege escalation which can be exploited.

Check CVE, iOS has contained fewer privilege escalation vulnerabilities than Android and Android has contained more privilege escalation vulnerabilities that are accessible via client side apps, such as the web browser.

As for malware coming from computers while connected to an iOS device, any iOS malware in the wild to back up this assumption of yours?

Nope. Why? Because why go through all that effort when it is much easier to make malware for Android.

Why is it easier to target Android? Because it is an easier target.

The state of mobile malware in the wild supports the fact that Android is the weaker target given that a vast majority of mobile malware targets Android.
 