Shatters Apple's argument that all of these hurdles are better for security. I wonder if testimony like this could affect any of their antitrust lawsuits or right to repair lobbying.
Not "shatters", as while it is a valid counter, it doesn't tell you the relative strengths and weaknesses of the two approaches, only that Apple isn't perfect, which should already have been assumed.
It doesn't really shatter anything does it? People here are going to understand that there are trade-offs to every decision made.
I suspect iOS is not worse than the more open Android simply because senior management at Kaspersky are using iPhones. If anybody is choosing their platform with security in mind, it has to be them and they are going with iOS.
And on that same page it says the Android version didn’t even require an exploit. The sneakiest thing that was required on Android was to write the word “Samsung” on the app icon so that users would click it.
Near the end, they say:
> This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need.
> It's absurd to say a company should not blow the whistle on a sophisticated attack when that company's job is just that!
They should definitely do it.
They should also acknowledge that they did a shoddy job. They let the malware run unchecked for several years. It is clear that the safeguards they had in place did not work, not for protection, but especially for detection.
Instead, they chose to boost the image of their own products and bash a third-party vendor with questionable reasoning.
> Shatters Apple's argument that all of these hurdles are better for security.
Sorry, I don't buy that this "shatters" anything besides people's misguided assumptions that anything can be perfectly secure without being fully disconnected.
Apple's iOS 16 supports the iPhone 8, which was released in 2017, 5 years ago.
Apple's iOS 15 supported the iPhone 6, which was released in 2015, 7 years ago.
> Samsung’s previous promise to provide three years of upgrades and ensures millions of Galaxy users have access to the latest features for security, productivity, visual experience and more, for as long as they own their device.
> Samsung will now provide up to five years of security updates to help protect select Galaxy devices
They do mention 5 years of updates, but only for _select_ Galaxy devices (presumably the top of the line).
---
I am assuming anyone rooting/flashing is taking way more risks and security concerns into their own hands. But in length of support/security updates alone, Apple is winning.
I also wonder how long it actually takes a vulnerability patch (let's say for a zero day) to get out on Android and then through OEM security updates. (I haven't been on Android in too long to know this.) Apple actually just released a way for them to do this and have already used it once; they call it "Rapid Security Responses" (which you can switch off, although idk why you would).
Because they were deceived by Apple's quality promises?
If Apple really wanted to improve security (instead of just producing marketing claims about it) they would provide anyone with debugging symbols, root privileges and anything else needed for research and debugging.
It's entirely rational to have believed iPhone to be more secure in the past, now believe Android is more secure, and yet remain on iPhone:
1. At some point, weigh probabilities of exploits
2. Update Bayesian priors as new evidence arrives
3. Even if the initial decision currently appears incorrect, there needs to be a high enough difference in probability to justify switching, because in switching, you're still exposed to any persistent exploitation via the old exploits plus new exploits on the new platform
Switching back and forth the instant your Bayesian prior swings over/under 50% for Android being more secure than iPhone is a terrible strategy. (Also, you need to risk-weight your various exploit probabilities... security is a multidimensional quantity, so collapsing to a scalar is at least context-/threat-model-dependent.)
So, they discover a vulnerability in iOS and publish the details of the symptoms of the exploit -- something that Apple themselves were unaware of --, release a tool to detect indicators of compromise in iPhone backups and yet, somehow, they have poor judgment?
What should they be doing? Keep the discovery to themselves so those who claim iPhone is secure can continue living obliviously with their worldview unchanged? Wouldn't we accuse them of poor judgment if they did that?
It is quite reasonable for them to say the ecosystem being closed is making analysis and detection difficult. It is up to Apple to do what they want with that information.
They knew all along it was closed source, but that doesn't mean they believed all along (or at least were confident enough in their belief) that closed source resulted in higher risk of extant exploitable flaws.
A stronger counter to Apple's argument is the relative pricing of exploits… but the story I'm remembering is old enough that I don't want to just assume it's still true, even though it's near the top of my search results:
https://www.wired.com/story/android-zero-day-more-than-ios-z...