BOSTON—Accountability, not superior technology, has kept Apple’s iOS ecosystem free of viruses, even as the competing Android platform strains under the weight of repeated malicious code outbreaks, say researchers Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners.
The two researchers said an empirical analysis of existing malicious programs for the Android and iOS platforms shows that Google is losing the mobile security contest badly – every piece of malicious code the two identified was for the company’s Android OS, which made up 50% of the U.S. smart phone market, while Apple’s iOS remained free of malware, despite accounting for more than 30% (corrected from 40%) of the same market.* Apple’s special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices.
Guido, whose company Trail of Bits helps enterprises defend against targeted attacks, told Threatpost that mobile operating systems are far more secure than their desktop counterparts, forcing scammers to follow a well-worn path to own mobile devices – what Guido refers to as the mobile “kill chain.” Mobile malware is delivered in a bundle with mobile applications, which are typically uploaded to and promoted from mobile marketplaces like Google’s Android Market. Once mobile attackers have a foothold on a device, they use vulnerabilities in the operating system or application permissions model to escalate their privileges on the device, connect to an Internet-based command and control network and then begin to siphon saleable data from the device, Guido said.
Guido and Arpaia’s survey of mobile malware identified 100 unique instances of mobile malware that were used in around 500 separate campaigns. Together the malware was downloaded hundreds of thousands of times by mobile device users. But even as Apple, Google and Microsoft battle it out for mobile market share, in the eyes of mobile malware authors, there’s no contest: all of the malware the two researchers identified was for Google’s Android operating system, they said.
“We looked for iOS malware, but there is none to collect,” he said. “It’s amazing that there’s just none out there.”
The reasons for that are complex, and don’t suggest that iOS has any technological superiority over Android. “This isn’t a technology issue or an application security thing,” Guido said. “It’s not like there are fewer vulnerabilities in iOS.”
The researchers’ findings are supported by other surveys of mobile malware. Juniper Networks’ 2011 Mobile Threats Report (PDF), for example, found 13,302 samples of malware targeting the Android platform between June and December 2011 – a more than 3,000 percent increase over the period from Android’s release in 2007 through May of 2011. During the same period, there were no examples of iOS-specific malware.
The key differences between Apple’s iOS and Google’s Android are what Guido termed “design decisions” by the two platform makers: choices that, in the intervening years, have created incentives and disincentives for mobile malware writers and cybercriminals.
Foremost among them is Apple’s insistence that mobile application developers verify their identity before they can introduce new applications. That includes submitting actual identifying documents like a Social Security Number or official articles of incorporation.
“There’s something that gets back to you,” Guido said. “That way, when Apple finds a malicious application, there’s the possibility that you could suffer real world punishment.”
In contrast, Google’s Android Marketplace and Google Play platforms have much more generous terms for developers, who must pay a small ($25) fee and agree to abide by the company’s Developer Distribution Agreement to begin publishing. That’s a low bar that makes it easy for malicious authors to get their wares out to hundreds of millions of Android users, according to Guido.
“You can upload dozens of applications at once. If any get banned, you can just resign, sign up under a new identity and resubmit them,” Guido said.
Beyond that, Guido said that Apple’s iOS ecosystem has put controls in place that squeeze malware authors in other ways. An automated and manual application vetting system includes static analysis of compiled binaries, which makes it very difficult for developers to merely repackage malicious or legitimate applications for sale on the App Store. That prevents infections by Trojaned applications like the DroidDream malware, which frequently popped up on Google’s Android Market.
Further, Apple rejects applications that use self-modifying code, which could appear legitimate or malicious depending on the context in which it was run. Apple’s decision to ban star researcher Charlie Miller from its Application Developer program for submitting an application that could dynamically update its runtime code was proof that the company takes that prohibition seriously, Guido said.
“Of course, they knew who Charlie was when he submitted that,” he said.
In contrast, Google’s decision early on to allow self-modifying applications in the Android Marketplace means that attempts to spot malicious applications using its BOUNCER dynamic analysis technology will likely miss a healthy percentage of malicious applications, he said.
Despite the researchers’ dour views on the security of Android, both Guido and Arpaia said that, based on their survey, much of the coverage of mobile security issues and mobile malware is overblown, and misses the point.
“People blab about ‘there are so many vuln(erabilitie)s.’ It’s like the sky is falling,” Guido said. “The truth is that every piece of software we use is vulnerable. These things are a fact of life and we have to learn to live with them.”
But Guido said that his study of the contemporary mobile malware scene revealed a shocking lack of sophistication. Every piece of malware for the Android platform relies on one of three OS exploits – all of them developed by those looking to jailbreak the platform, not by malware authors.
Rather than focusing on vulnerabilities in the underlying platform, enterprises and the security community should look for easy ways to break the mobile “kill chain” – for instance by limiting access to mobile stores, enforcing accountability for application developers, and limiting what applications can do after they are installed. Beyond that, the security community should start to rank mobile threats based on how difficult they would be to carry out and the access they would provide to data that would be useful to attackers – in particular, data that could be resold. And, when it comes to thwarting attacks, both platform makers and the security community should focus on making the repercussions for writing mobile malware real by making it easy to get caught and punished, Guido said.
(*) comScore data
Editor’s note: This story originally included incorrect information on Apple’s smart phone market share in the U.S. The story has been updated with the correct market share data. (4/20/2012)