A few months ago there was a small trend of news stories about Android security breaches that I thought was way overhyped, but of course all those little non-news stories ran on all Apple-related sites and some major tech news sites.
If there’s a security flaw, I don’t mind it being uncovered. I think that’s actually great. There shouldn’t be security by obscurity. But I just thought they were making it seem much more dangerous than it really was, and were trying hard to push this image that Android is a less secure OS – than iOS of course (because it’s still far more secure than say Windows).
But in the past few weeks, after iOS 5 arrived on both the iPhone 4S and iPad 2, I’ve started hearing about all these hacks that happened, like the Smart Cover unlocking for the iPad 2, or unlocking the iPhone with Siri, and so on. iOS 5 seems to be the least secure iOS version ever, and a new type of hack that can give almost full control over someone’s iOS device can prove that.
This major security flaw could give hackers remote unauthorized access to an iOS device as soon as you install an app that has already been vetted by Apple. So much for the whole vetting process that Apple is touting.
Accuvant LABS computer security researcher Charlie Miller has uncovered this security flaw, but it isn’t just theoretical. He actually tested it himself. He made an innocent-looking app first, got it past Apple’s vetting process and into the App Store, and then he could update the app with malicious code that could give access to most of the phone’s functions, contacts, files, settings and so on.
Of course, instead of thanking him for revealing this exploit, which other hackers with bad intentions may have found out about too, Apple decided to punish him for even trying to reveal it, and got his developer account banned.
Remote full access to the phone is something that can’t really happen on Android because each app and task has to be given permissions, as they operate in sandboxes, so they can’t interact with each other unless you give them permission. And even then, Google didn’t make it so you can give an app a permission to have full control over your phone. All the permissions are restricted, so they only do what they’re supposed to do.
My only gripe about Android’s permission system is that the permissions should be made a little clearer, so we don’t just accept them without knowing exactly what that app is going to do. When people see “Full Internet Access” or “Read/Write Access” to SD, they get a bit scared, because they imagine the worst. Google could do a better job there of explaining exactly the type of activities the apps can do with those permissions.
Even with these permissions, there is some danger that some apps will get data that they aren’t supposed to get, but that can only really happen if you’re not careful with what sort of apps you’re installing from 3rd parties. Apple doesn’t let you install apps from other sources, and they decide what’s best for you (sometimes even by eliminating political satire from the store).
Should Google think for you, too? If you want them to do that, just use the Android Market, but if you’re going to use other sources, then part of the responsibility is yours, too, just like it is when you download something from the Internet on your PC.
That doesn’t mean we shouldn’t be allowed to download what we want from the Internet, though. It just means we need to be more careful about what we’re downloading and take the necessary precautions, like installing an anti-virus.