

Apple Explains Why iOS Don't Need No Steenkin' Anti-Virus - larrys
http://www.forbes.com/sites/timworstall/2012/06/04/apple-explains-why-ios-dont-need-no-steenkin-anti-virus/?partner=yahootix

======
myspy
The security via obscurity argument is floating around this discussion for
years. And I don't buy it that OS X is not tested by malware experts.

I don't know who has read that reddit AMA of a malware writer but he stated
that 90% of all bad guys can't write code.

And apart from that he stated that his malware can bypass anti virus software.

To get programs on your Mac that cause real trouble it's necessary to type in
your password during installation. The last big trojan used a Java hole.

Therefore I state that Mac is secure enough for the average user as long as he
gives no privilegs to obscure programs and does not use Java (and Flash?) in
the browser.

I don't know how else you can get malicious code onto an iOS device apart from
jailbreaking it, getting something through the App Store checks or someone
getting it in his hands.

For the real bad stuff a virus scan won't help you, these bad guys know how to
work around. It's all about the user and his knowledge about what precautions
he should apply (not giving th device in other hands, not jailbreaking).

Are there ways to hack a phone via browser, let's say with a JavaScript hack?

~~~
gurkendoktor
> To get programs on your Mac that cause real trouble

I think this is the big fallacy of the UNIX security model. Every program you
download can delete your home folder without warning, it only can't mess up
the OS (and other users, but those are increasingly rare). That's terrible
because restoring /System is the easiest thing in the world, restoring user
data isn't. I think you can't delete Time Machine backups without admin
rights, but malware could easily purge TM with an artificial mammoth file too.

I am super paranoid about downloading software to my work Mac even from the
App Store. And even for iOS I only try random free apps on my iPad where I
don't have my address book synced.

~~~
Turing_Machine
iOS apps don't have access to a home folder, and the new Sandbox model for OS
X is that way, too. Each app has its own folder, with no access to the folders
of other apps. There are APIs to access data from other apps that share it
(for example photos and the address book, so you're right to be wary there),
but no direct access to arbitrary folders. This is both good and bad, of
course. It forces you to jump through hoops if you legitimately need access,
and makes certain types of programs difficult/impossible to write.

~~~
gurkendoktor
myspy is talking about OS X in the present tense.

~~~
Turing_Machine
Present tense? Apps in the Mac App store have to use the sandbox as of June 1.
It's hard to get more "present" than that. :-)

------
falcolas
The author mentions getting malware from a jailbroken device, without
realizing that the jailbreak itself is a great example of "malware" (from
apple's point of view) that is constantly getting around their presented
security.

As long as jailbreaks work, Apple's security stack isn't worth much.

~~~
gurkendoktor
I figured it depends on the type of jailbreak. The drive-by web browser
jailbreak was scary - the hole could easily have been used to install malware
in the background.

But how dangerous is the average jailbreak that requires a USB connection?

------
stevoski
For everyone wanting to comment, "but Mac OS X is like this or that"...do note
that this article is specifically about iOS, not about OS X.

------
arkitaip
Apple's arrogance and their security theater puts their customers in danger
because it creates a false sense of security. It's just a matter of time
before hacktivists make an all assault on Mac OS and iOS just to make Apple
consumers more conscious about security.

~~~
voidr
Actually iOS has more security than you could ever get on a Windows platform
with an anti virus.

The only way to run executable code on iOS is to install it via the AppStore,
to get to the App Store you need to pass the review process, you have to be
really clever to be able to hide your malware. Even if your malware gets
trough you are still stuck in your apps sandbox and once Apple realizes what
you have done, they can remotely pull all instances of your app and the police
will be waiting for you outside.

So virtually it's impossible to spread virus on iOS, an anti virus would be
just crapware.

~~~
arkitaip
"to get to the App Store you need to pass the review process, you have to be
really clever to be able to hide your malware.

Let's hope no one sets up The International Obfuscated Objective-C Code
Contest; or that the code reviewers at Apple are competent and experience
enough to work with advanced software security threats.

"Even if your malware gets trough you are still stuck in your apps sandbox"

Sandboxes can and are exploited. Recently [1]

"So virtually it's impossible to spread virus on iOS, an anti virus would be
just crapware."

Sure on HN we all know that security is more than (anti) viruses.

[1] [http://www.techspot.com/news/47731-google-rushes-out-
chrome-...](http://www.techspot.com/news/47731-google-rushes-out-chrome-patch-
for-sandbox-exploit-other-still-lurks.html)

~~~
cantankerous
_Let's hope no one sets up The International Obfuscated Objective-C Code
Contest; or that the code reviewers at Apple are competent and experience
enough to work with advanced software security threats._

Apple isn't doing thorough code reviews of every app they get. They're just
checking sanity and adherence to "the rules". Even if the code was obfuscated
and they wanted to review your code, they could write you an email that says
"your code is unreadable, make it better or you're not going to get on the app
store".

 _Sandboxes can and are exploited._

So are you saying that because Chrome was exploited, that the sandbox model in
iOS some how makes the system less secure? The notion doesn't follow. Yes,
sandboxes can be exploited, but it's _NOT EASY TO DO THIS_. The idea behind
good, secure design is not to try to secure from every attack vector possible,
but to eliminate low hanging fruit entirely, and make elaborate breaches very,
very expensive to find and create. Apple is doing all of this here with the
sandbox design, and it works quite well for them.

 _Sure on HN we all know that security is more than (anti) viruses._

Case-in-point: iOS. Quite secure, doesn't require anti-virus software to be as
secure as it is.

------
jack-r-abbit
IMO, the more Apple shakes their stick, yelling "You're not getting into my
house" the more likely the right person is going to take on that challenge and
succeed. You can only yell "Come at me bro" so many times before someone
actually does come at you.

~~~
gurkendoktor
This is a note most of us wouldn't have read without it being posted to HN via
Forbes. Apple ran _TV ads_ claiming that Macs had no viruses years ago - those
were much more provocative and not much happened. Or maybe the Flashback worm
just took a long time to develop :)

~~~
jack-r-abbit
Times change. Maybe there wasn't quite the incentive/appeal years ago. And
this is Hacker News. I understand "hacker" in this case is not exactly the
same thing as a malware writer. But if I were to bet on a TV ad years ago vs.
an article posted here today (along with others on the topic in the recent
past) my money would _not_ be on the TV ad.

