Regarding your second paragraph, I'm not suggesting any reverse engineering. Static analysis as I'm referring to is not a manual process, it's exploring all code paths without executing any code.
What I wanted to point out is that with automatic static analysis you can only hope to discover the most trivial cases of abuse. If you want to discover more sophisticated abuses you need an expert analyzing how the app works, and even then the expert could very well miss the abuse if it's obfuscated cleverly enough.
 
There is a big difference in the amount of vetting to create a developer account for each platform.

No, there's not.

Both Google and Apple require just an email address and perhaps a credit card to pay for being a developer. That's it for distributing free apps.

Remember, the Apple App Store got so big because of all the free apps thrown in by people from all over the world, many of them kids.

(For paid apps, both stores require a bank account and tax info.)


Any article... especially from someone who sells an anti-virus service... that starts with "Android platform strains under the weight of repeated malicious code outbreaks" is impossible to take seriously.

The majority of Android users outside of BRIC countries use vetted stores like Google Play or Amazon App Store, and now, even the sideloaded stuff can be scanned before installation by a Google tool.

In real life, unless you're downloading apps from a China site, or opening and installing apps you get a link to in a phishing email, malware simply isn't an issue most people run across.
 
I think this is a story more because of a lack of understanding of the app approval process rather than the process itself.

I've never submitted an app but I still know not to expect thorough code inspection. It's just not feasible.

Should Apple beta test all 3rd party apps too??
 

iOS is a proprietary platform; until there is manual code review of every app (which there won't ever be), we can only blindly trust Apple and the millions of developers that choose to release on the platform. Want to live in a fairytale, perfect, safe mobile world? Don't use iOS :)
 
iOS is a proprietary platform; until there is manual code review of every app (which there won't ever be), we can only blindly trust Apple and the millions of developers that choose to release on the platform. Want to live in a fairytale, perfect, safe mobile world? Don't use iOS :)

What's your alternative? Android is even worse. Beyond those two, nothing else is a real alternative.
 
What's your alternative? Android is even worse. Beyond those two, nothing else is a real alternative.

Well, there are actually completely open operating systems for various supported phones, even including hardware drivers (lack of documentation/source code for various components is the main issue holding progress back) - available right now.

The future is looking bright. With huge vendors like Samsung/Tizen and Google/Motorola, and (initially?) smaller-scale projects like Jolla, Ubuntu, Mozilla etc., off-the-shelf hardware sold to the ignorant masses can actually ship with OSS and put various vendors under even more pressure to release hardware docs and turn the world into my idealistic fairytale land :)
 
Well, there are actually completely open operating systems for various supported phones, even including hardware drivers (lack of documentation/source code for various components is the main issue holding progress back) - available right now.

Are you only going to run FOSS apps on such a phone as well then?
 
Are you only going to run FOSS apps on such a phone as well then?

That was my (half-jokey) point - I don't quite live on planet Stallman.
Realistically though (with a tin hat on), if you don't have the source (and the ability to trust review) for everything through firmware to applications, you can't be 100% safe.

I'm only stating the obvious/pointless in frustrated reaction to the many childish Apple vs. MegacorpX comments that are thrown around. Regardless of publicity, for an average user there's little protection in Apple's bubble compared to the realistic alternatives. Compromised code is relatively trivial to run on all platforms that allow human beings to press buttons :)
 
Great, spread this news as much as you can, so all the hackers put their malicious apps into the App Store. Sometimes the world seems really dumb.
 
So, Apple doesn't further verify identity after an app is submitted?

You just moved the goalposts. I was responding to:

There is a big difference in the amount of vetting to create a developer account for each platform.

As I said, there is no big difference in vetting to create a developer account.

Heck, Apple doesn't even care if you're actually even a developer, or just someone getting multiple accounts so they can sell more beta slots. (They say they do, but it never seems to result in any large scale shutdowns.)

--

Re: the diagram. Not sure what that is supposed to represent. Where did it come from, so that I can see its context. Thanks!
 
That was my (half-jokey) point - I don't quite live on planet Stallman.
Realistically though (with a tin hat on), if you don't have the source (and the ability to trust review) for everything through firmware to applications, you can't be 100% safe.

Ah, ok, I interpreted it in the opposite way. ;) I agree, you can't be 100% safe, but then again, you may be struck by lightning when you walk out the door of your house.

I'm only stating the obvious/pointless in frustrated reaction to the many childish Apple vs. MegacorpX comments that are thrown around. Regardless of publicity, for an average user there's little protection in Apple's bubble compared to the realistic alternatives. Compromised code is relatively trivial to run on all platforms that allow human beings to press buttons :)

As far as apps go, the protection is pretty damn good with this approach imho: a developer is tied to a real identity, and the apps are reviewed.
 
You just moved the goalposts. I was responding to:



As I said, there is no big difference in vetting to create a developer account.

Obviously, I was referring to it in the context of submitting an app to be distributed given the nature of this thread.

Re: the diagram. Not sure what that is supposed to represent. Where did it come from, so that I can see its context. Thanks!

It's a research article from the Trail of Bits website.

To summarize, the article shows the security benefits of iOS in comparison to Android. It explains why the iOS security paradigm is working more effectively than that of Android.

It gives an overview of the vetting process for submitting and distributing an app on both platforms. Apple takes more measures to verify the identity of a developer than Google. Apple's method isn't perfect, but it puts more hurdles in place, motivating criminals to attack other platforms with fewer barriers.

It references Charlie Miller's earlier use of basically the same technique as used by these researchers. A vulnerability is required to dynamically modify code in iOS because dynamic code isn't allowed to be present by default via Apple's vetting process. Dynamic code has historically been allowed in Android.

http://www.trailofbits.com/resources/mobile_eip_3.pdf

http://www.trailofbits.com/
 
I find articles like this one puzzling. Here we have an article that seems to come from the perspective that it is surprising that the app approval process isn't bulletproof, something that, as others have noted, should be obvious to anyone with an ounce of common sense. So the response is to say that the process should be more onerous?

It seems like an excuse to criticize Apple. So, the approval process is too onerous and app stores are better if they aren't so highly curated. But then it's noted that the approval process isn't bulletproof, so they had better make it tougher to get apps through! Double standard, anyone?

I think that Apple seems to be doing a pretty good job of making it not worth the while of malware writers to make big efforts to get their wares into the iOS ecosystem. Is it flawless? Of course not. The only way to have flawless security is to write your own OS and your own apps and not share them with anyone. But that's not very realistic, is it?
 