
Bruce Schneier: The iPhone Will Not be Safe From Malware - evo_9
http://thenextweb.com/apple/2011/11/25/iphone-will-not-be-safe-from-malware-even-with-apple%e2%80%99s-rigid-policies-expert-says/
======
dasil003
What is the context of this quote?

> _I don’t believe the iPhone will be more secure because of Apple’s rigid
> policies for the app store._

I think it's pretty obvious that at this point in time the iPhone _is_ more
secure because of Apple's rigid policies, so why would Bruce say something
like this? Of course there are other attack vectors, but it's not as if Apple
is just skipping through the marigolds with pigtails and a giant lollipop.
What they are doing with sandboxing (and dogfooding it) on OS X is extremely
security conscious, certainly on par with anything anyone else is doing in
consumer device security.

Anyway, I blame the article author, because I'm sure Bruce has some
interesting insight that is utterly impenetrable from a fluff piece like this.

------
Hoff
Here's the direct link to Schneier's posting:

[http://www.schneier.com/blog/archives/2011/11/android_malwar...](http://www.schneier.com/blog/archives/2011/11/android_malware.html)

And the question around Apple's policies is one of the questions in the
comments.

------
mbesto
What's the justification? Loophole in Apple's policies? (it's not clear from
the article)

~~~
gavingmiller
My educated guess: "Time Bomb" style code - ie malicious code that activates
after a certain date.

Objective-C supports dynamic method invocation, so it would be trivial to
obfuscate calls to private APIs. Slip something like that into a decent app
and you're set. Likely Apple's binary analysis wouldn't be good enough to
catch all of this so with a little bit of guess and check it could be
accomplished.

Something similar to this has been proven (attack vector was safari) and the
security researcher ended up getting his developer account banned [1].

Add in the incentive of harvesting credit card information (future) and
contacts (current), mix with a little bit of social sharing via twitter
(@my_friend I found an awesome app that makes Justin Bieber fart sounds), and
you've got yourself a semi-decent infection cycle.

[1]:
[http://www.dailytech.com/Developer+Demonstrates+Serious+Secu...](http://www.dailytech.com/Developer+Demonstrates+Serious+Security+Breach+in+iOS+Apple+Bans+His+Account/article23216.htm)

