[AnthonyMouse]

> And where does this Sandbox wrapper for third party app stores exist for the Android ecosystem where it is both allowed and their are five time more devices?

https://seap.samsung.com/sdk/knox-standard-android

https://yajin.org/papers/asiaccs15_appcage.pdf

> Have any statistics to back that up? Is Android more secure or less buggy than iOS?

Obvious confounder:

https://en.wikipedia.org/wiki/Darwin_(operating_system)

But what metric would you use anyway? Number of discovered bugs doesn't work because the whole premise is that a higher percentage of the bugs will be found.

It's inherently difficult to measure. But refute the logic: Bugs found by vendor + everyone else > Bugs found by vendor alone. The only assumption is that bugs found by everyone else is non-zero, which is clearly true for any number of open source projects including both Android and Darwin.

[scarface74]

So your solution to a sandbox app is to buy a Samsung device and use a corporate MDM product to manage that one device?

But what metric would you use anyway? Number of discovered bugs doesn't work because the whole premise is that a higher percentage of the bugs will be found. It's inherently difficult to measure. But refute the logic: Bugs found by vendor + everyone else > Bugs found by vendor alone.

Google and third parties have been finding bugs in other people’s closed source products for decades. Again just because people can look at code doesn’t mean that people are looking at code.

You made the claim that there are less bugs in open source software, without any citations, studies, etc.

Android and Darwin are open source but a large part of both iOS and Android are closed source.

[AnthonyMouse]

> So your solution to a sandbox app is to buy a Samsung device and use a corporate MDM product to manage that one device?

You implied that no one was making any such thing. They do. An app distributor that wanted to do the same for apps it distributes could do so likewise, but not if Apple stands in their way.

> Google and third parties have been finding bugs in other people’s closed source products for decades. Again just because people can look at code doesn’t mean that people are looking at code.

And if the product was open source, they could also fix the bug, rather than having to rely on the vendor to do it -- which they sometimes don't.

It would also be easier for them to discover the bugs, which would result in more of them being discovered.

> You made the claim that there are less bugs in open source software, without any citations, studies, etc.

Because it's an argument from logic rather than an argument from observation. The claim isn't that some specific number of people have been observed using published source code to discover bugs, only that the number is non-zero -- which doesn't require statistics, only a single counterexample that I can provide myself from personal experience in having done it.

> Android and Darwin are open source but a large part of both iOS and Android are closed source.

Then why propose to compare them as though it would provide some useful information about the effect of open source on finding bugs?

[scarface74]

Of course I knew about MDM software, it’s been around forever - before the iPhone ever cane out. We used it for Windows Mobile software, deployment of vertical software for both iOS and Android, etc. And if the product was open source, they could also fix the bug, rather than having to rely on the vendor to do it -- which they sometimes don't. It would also be easier for them to discover the bugs, which would result in more of them being discovered.

In reality, Android is suppose to be “open” but between Android, iOS, and Windows, the Android ecosystem has the worse track record of both correcting bugs and getting the patches out to users.

In the real world, no one is voluntarily going through each line of either Android or iOS looking for exploits out of the goodness of thier hearts.

Because it's an argument from logic rather than an argument from observation. The claim isn't that some specific number of people have been observed using published source code to discover bugs, only that the number is non-zero -- which doesn't require statistics, only a single counterexample that I can provide myself from personal experience in having done it.

And that “logic” falls apart with one widespread example - the HeartBleed bug that was in the OpenSSL implementation for a year and a half.

The number is also “non zero” of bugs found by third parties in closed source software....

[AnthonyMouse]

> In reality, Android is suppose to be “open” but between Android, iOS, and Windows, the Android ecosystem has the worse track record of both correcting bugs and getting the patches out to users.

The process of identifying bugs and the process of distributing patches are two separate things. And there is a very specific reason the "Android ecosystem" is slow to distribute patches -- an important piece, namely the hardware drivers, is not open. The reason you can't install the latest stock Android with all the latest patches on your device is that the device is stuck with proprietary blob drivers that aren't compatible with newer kernels.

And the operating system with the best security record is unambiguously OpenBSD.

> In the real world, no one is voluntarily going through each line of either Android or iOS looking for exploits out of the goodness of thier hearts.

They don't have to do it out of altruism, there are plenty of self-interested reasons to do it. Security researchers build their reputations by discovering vulnerabilities. iOS jailbreaks are valuable. Some companies that use Android in their own products pay to audit the code that runs on them (and incidentally on everyone else's devices). Programmers that discover their device unexpectedly doing something "weird" are more likely to investigate, and more likely to succeed in discovering the cause, when the code is available.

> And that “logic” falls apart with one widespread example - the HeartBleed bug that was in the OpenSSL implementation for a year and a half.

https://www.cvedetails.com/vulnerability-list/vendor_id-26/p...

Take a look at how many of those also affect Server 2008, implying they've been there for at least a decade before being discovered.

> The number is also “non zero” of bugs found by third parties in closed source software....

And how many of those were discovered specifically because the source code wasn't available?

[scarface74]

The process of identifying bugs and the process of distributing patches are two separate things. And there is a very specific reason the "Android ecosystem" is slow to distribute patches -- an important piece, namely the hardware drivers, is not open. The reason you can't install the latest stock Android with all the latest patches on your device is that the device is stuck with proprietary blob drivers that aren't compatible with newer kernels.

So that whole tweet from Andy Rubin about “the definition of ‘open’” has always been BS.

And it doesn’t matter why people can’t get security updates. The fact is that iOS users get security updates faster and more reliably than Android users for phones that are up to 5 years old.

They don't have to do it out of altruism, there are plenty of self-interested reasons to do it. Security researchers build their reputations by discovering vulnerabilities. iOS jailbreaks are valuable.

So since security researchers including people from Google have found security exploits in closed sourced software that kind of makes the whole open vs closed thing a moot point...

People really overestimate the difficultly for someone who knows what they are doing to find security exploits in closed source software. Heck, I was disassembling and patching 16 bit x86 code and 8 bit 65C02 code in middle school.

And how many of those were discovered specifically because the source code wasn't available?

Again, there is nothing magic about “source code”. It’s a little harder, but a skilled developer can follow the logic of assembly language.