In the rush to critique Google for its inability to patch older and some current versions of Android at all or promptly—a rush I was absolutely part of—it’s good to not ignore the baggage we’re carrying around as well. Google was rightly criticized for the tradeoffs it made starting with the release of Android 1.0 to allow handset makers and cellular carriers to control, more or less, what went onto Android handsets.
This included alternate user interfaces and bloatware, but also prevented a quick path for security updates and software flaws. The only exceptions are Google-released flagship phone models for which the company controls the destiny, and phones sold with or rooted to run CyanogenMod, a venture-capital-backed Android fork designed to put the OS’s updates and behavior in the hands of a device’s owner.
But Apple is leaving its users behind in iOS, too, although less rapidly than it was just a couple of years ago. The reason Google gets the opprobrium isn’t bias so much as the number of devices affected and the rapidity of change. Apple’s faster update cycle gives crackers smaller windows of access to exploit flaws, which makes those flaws likely less valuable. But bluntly, developing malware for Android has a better chance of paying out and continuing to pay out than malware for iOS.
Let a thousand versions bloom
“Fragmentation” has been the watchword of critics of Google’s approach, and a word I’ve often used. It mostly affects developers, who with some releases and features have had to do an inordinate amount of work compared to monolithic iOS to get their apps to work correctly on the majority of active Android devices. But it’s also relevant to security.
Google’s statistics about Android devices checking into its Google Play Store show that only about 18 percent are running a version of Android 5; the majority run a 4.x release. When the Stagefright exploit was revealed more than two weeks ago, the estimate was that even though the exploit had been disclosed to Google and patched in its internal code base, over 95 percent of phones were vulnerable to a simple MMS-based attack. Carriers have worked at the network level and with MMS settings they can change remotely to reduce the risk. But from 20 to 50 percent of Android phones will never receive a patch. (Android owners should read this advice from our Greenbot colleagues about reducing risk.)
Contrast that with the news of an attack in the wild that’s fairly serious and affects iOS devices, but you may not have heard of. It’s a variation of the previously discovered Masque Attack, which I wrote about last November. This exploit allows an app to be replaced with one that has certain identical attributes, but originally required a user to trust an enterprise certificate, or carry out another step to accept an app.
Earlier this year, FireEye found that malicious substitute apps could be downloaded and installed without the user having to tap Trust. Last week, FireEye announced it had found 11 iOS apps in the Hacking Team data breach that were designed to exploit Masque Attack. These apps didn’t even require a jailbroken phone.
I’ll be honest: even though this is part of my bread and butter, I didn’t hear about last week’s announcement for a few days—because iOS 8.1.3 closed some holes and 8.4 some others, so it didn’t cause a blip online. In response to researchers who found some related problems in June that relied on the Mac and iOS App Store, Apple repaired some exploits and had said it was researching the rest. Ostensibly, critical fixes will appear in iOS 8 releases to come, and full fixes in iOS 9. Versions before iOS 8 haven’t been patched.
Why aren’t Apple critics shouting fragmentation and a lack of support for older devices? Why aren’t we seeing malware in abundance for vulnerable hardware that could be exploited by well-documented flaws? Because most iOS users are running iOS 8.
Why was iOS 6 afraid of iOS 7?
Somewhere from 10 to 20 percent of devices are running iOS 7 or an earlier version. (MixPanel pegs it at 10 percent, while David Smith’s tracking of usage related to his Audiobooks app puts it around 20.) Over a billion iOS devices have been sold since the first iPhone, but it’s impossible to know how many remain in use unless Apple were to provide figures. I suspect at least 30 percent, if not many more, have joined the choir invisible, and that somewhere in the 700 million range are in use.
So 70 to 140 million users of systems that predate iOS 8 (and most iOS 8 users have upgraded to 8.4) seems like a large audience to exploit, even though a significant portion are using older devices. However, there are somewhere in the 1.5 billion range of Android devices in use, and vendors still sell hardware that runs versions prior to Android 5; that’s about 1.2 billion previous-version Android users, of which a good portion are phones. Faced with 70 million potential victims or over a billion, after an exploit just affected 95 percent of all Android phones in use, which would a malware developer seek to find flaws in?
It would be exceedingly smart and polite of Apple to maintain a patch tree for critical flaws that propagated back a version even if it were only for devices that are incapable of being upgraded to a newer iOS release. It hasn’t done so in the interests of keeping the pressure on people to run the latest and greatest, which has an impact on folks buying new apps and using new paid services. And old hardware is dying every day, making the universe of devices to exploit ever smaller.
With iOS 9, the window will stretch back further than at any time in the iOS release history for compatible devices: back to 2011 for the iPhone 4s and iPad 2 (and 2012 for the iPod touch 5th generation). And some leaks about iOS 9 make it sound as though the release will be optimized for older devices, chewing fewer processor cycles on features they support poorly or not at all.
Malware developers try to pluck low-hanging, plump fruit, because they make their money or reap other rewards by selling their exploits or access to them to criminals and sometimes governments. Apple’s choices do leave a significant number of users of older versions of iOS at risk, but simultaneously make them slim pickings compared to other options.