I don’t really know how to take this article on Eugene Kaspersky’s interview at InfoSec. The iPhone will be niche in 5 years because it’s closed? We should have databases of smartphone users?
I’m really hoping some of it is a few translation and context issues, which is quite possible. And I’m glad he didn’t say the iPhone is less secure because it’s closed, which is a common trope from a few folks in the AV world.
I believe that closed systems can actually be better for security, when designed properly. Otherwise why are we all obsessed with FIPS-140 tamper resistance?
Perhaps it’s because ‘closed’ has multiple meanings – and we need to differentiate between three of them for security:
- Closed as in locked down. The platform uses controls to restrict what can run on it.
- Closed as in proprietary. In other words, not Open Source.
- Closed as in super secret. Code/hardware/etc. is hidden and/or obfuscated.
The common argument for proprietary or hidden being bad is that you can’t see what’s inside and evaluate it (or fix it). I do think this is true for things like crypto algorithms, but not for complex applications. A little obfuscation could help security, and to be honest your odds of crawling the code and finding problems are pretty low. Especially since dynamic analysis/fuzzing are so effective at finding holes. There is a ton of testing you can do without access to the source code.
But the closed I think is important to security is the locked platform. If done properly, this reduces attackers’ ability to run arbitrary commands/code, and thus improves security. This assumes the vendor is responsive when cracks are discovered.
So back to the iPhone. It suffers far fewer real-world security incidents than Android because it’s closed. It’s not perfect, but how many apps has Apple had to pull? Compared to Google? If they can even pull them (there are other marketplaces, remember)? And hardware controls make it pretty darn hard to perform deep exploitation (so some really smart researchers tell me).
In an interview last week I suggested that Apple should do the same thing with the App Store on Macs, but make it optional there. Opt in and the system will only let you install App Store apps. Us geeks can opt out and continue to do what we want. I suspect this would go a heck of a long way toward protecting nontechnical users, especially from things like phishing attacks.
Anyway, just some random thoughts. And keep them in context – I’m not saying closed is always better, but that it can be.
6 Replies to “When Closed Is Good”
@Aaron –
I don’t think there is evidence that Apple has actually intentionally engineered safer software; they certainly haven’t publicized any practices to do so and it was only very recently that they started hiring recognized names in software security. Vulnerability discovery (at least according to NVD) puts Apple at either comparable or worse vulnerability rates than their competitors (I think it deeply amusing that Apple criticizes the Windows platform when QuickTime is a leading infection vector for the platform. They have literally manufactured their criticism).
There also isn’t evidence that Apple actually reviews the software it posts in the app store for security problems. I would contend that the financial incentive that drives Apple to have a closed ecosystem and review apps running on it is a business model built on control. The closed ecosystem forces every app developer to give up 30% of their profits to Apple. The software review ensures that people are not monetizing the platform without Apple’s blessing and without Apple getting a slice of the pie (for example, using a non-Apple blessed ad platform).
It just so happens that a side effect of Apple’s model to control how 3rd parties monetize their platform is that certain controls are put in place that also happen to provide *some* restrictions on what a malicious user can do.
Andre hit the nail on the head when he brought up the difference between Objective-C of Apple and the Pseudo-Java of Android. The majority of apps being pulled from the Android market are primarily phishing apps modified from existing popular apps, and the reason that plagues Google and not Apple has nothing to do with the respective levels of open/closed of the platforms or with the review policies of the respective appstores. It’s because it is a lot easier to modify an existing app based on Google’s Pseudo-Java than it is in Objective-C and malware authors tend to go for maximum return on investment.
(as an aside, it will be interesting to see how Microsoft solves this problem for WinPhone, as decompiling and modifying Silverlight/XNA is arguably even easier than Google’s Java derivative, or at least the techniques and tools are more mature to do so)
I’m glad to hear someone else refer to Apple’s closed environment as a legitimate layer of security. In the past I’ve made that argument and received the RCA Dog look in return.
The argument I’ve made is that Apple’s brand has much to lose if it allows a backdoored application into the App Store. The beautiful thing about this situation is that it gives Apple a financial incentive to make sure it offers the safest software possible in its outlets.
Just as financial incentive coaxed nerds out of their parents’ basements to field legions of botnets, financial incentives encourage Apple to offer safer software. I think we’d see fewer instances of weak or dangerous software if there were more closed systems following Apple’s model.
Counterpoints welcome.
Closed software protection, closed sandbox, and closed app store solve short-term problems that have long-term consequences.
You should note that all of these mobile platforms and apps have serious application security issues (just like all platforms and apps). I don’t believe that only the Android platform is fake-app trojan-malware friendly.
All of the mobile platforms are immature. The software protection solutions for them are immature. The anti-malware solutions for them are immature. They are constant moving targets.
There already does exist an Android app store (a third-party Market) that reviews for application security issues, but I’m keeping it on the down-low for now. This is the power of openness. Expect even more to come. If Apple were to create a “security-focused” app store, it would be a joke by comparison.
You should also note that Obj-C and Java have entirely different sets of software weakness problems, just like Cocoa/iPhone-SDK and the Android-SDK do.
Also, Android vs. iPhone really comes down to different classes of users with different agendas. Both are going to dominate and be around for awhile, especially since they are both evolving into monsters.
Apple can indeed pull apps from the phone – there was a big hoopla a couple of years ago about the “kill switch” that a couple of researchers found. They have had to use it on occasion when apps were harvesting personal information off of the phone (one of them ironically being a mafia game). These weren’t really malware in the same way that the Android store was plagued, but still shady.
if you’re wondering how to take kaspersky’s statements, focus on the second one you mentioned first. the database of smartphone users is entirely in line with his previous calls for enforceable internet identity / internet identity cards. there are numerous rebuttals to his calls for the abolishment of anonymity, including one by dancho danchev (http://www.zdnet.com/blog/security/5-reasons-why-the-proposed-id-scheme-for-internet-users-is-a-bad-idea/6527).
as for the remark about the iphone becoming niche because it’s closed, i don’t think there was any security concept in play with that opinion. rather it’s a recognition that consumers prefer choice and apple’s paternalistic condescension with regards to the way it’s locked down the device does not foster such consumer choice to the same extent that android does.
Apple can pull applications from the AppStore, at least when copyright issues are involved
http://www.tuaw.com/2011/01/08/vlc-app-removed-from-app-store/