Mystery meat: Security survey results lack details
What time is it? It’s salacious Apple security results o’clock! Also, time to get a new clock because any clock that has “salacious Apple security results” as one of the positions isn’t a very good clock.
But our good friends at Business Insider (disclosure: not actually friends in any way, not exactly enemies, either, more like two people who don’t know each other and are annoyed at being seated together at the last table in a crowded restaurant) are on it, like high pants on Roger Moore in a 1980s James Bond movie.
“New study finds that iPhones are actually more vulnerable than Android phones.” (Tip o’ the antlers to @JonyIveParody.)
Here’s the nut of the argument.
Checkmarx and AppSec Labs combed through hundreds of the most popular apps in the Apple App Store and Google’s Play Store and found that there were several security risks and vulnerabilities.
According to the report, about 40% of all iOS apps were found to have potentially catastrophic vulnerabilities for system stability and data protection, compared to 36% of Android’s apps.
Of course we don’t know if the difference between the two is within the margin of error of the study because, well, we don’t know very much about how the study was conducted but, yeah, go ahead and put “BREAKING: IPHONES LESS SECURE THAN ANDROID ZOMG” in the headline. The Macalope downloaded the report even though it required him to give his name, affiliation, email address and phone number. Certainly mining for contact information isn’t one of the goals of publishing controversial results. Perish the thought. Don’t even think about it, girlfriend. Don’t go there. Nuh-UH-uh.
At any rate, the Macalope would like to apologize to whoever has the number 867-5309 in Cupertino. He feels just terrible about that. Sorry, Jenny. They’ve got your number.
It will come as no surprise that both of these vendors sell tools purported to solve the problem they’ve created, uh, cough, identified. Seriously, the security industry always seems one slow quarter away from walking into companies’ offices and saying “Dis is a nice bidness you got here. It’d be a shame if sumpthin was to happen to it.” And then knocking a Hummel off the mantel.
(Jony Ive? Huge Hummel collector. True story.)
It could easily be a coincidence or trick of the ol’ browser history, but the Macalope was amused to find that when he took a break from writing this piece to watch the latest trailer for Star Wars: The Force Awakens there was an ad for Checkmarx before it.
It’s possible this survey is 100 percent accurate. Not likely, but possible. The thing is, we can’t tell because the details are slim to none to marketing mumbo jumbo. One of the biggest problems with it as Rich Mogull noted to the Macalope is that it provides no details about the vector of attack for these vulnerabilities. They could require interception of network traffic, physical access or even your severed but still living thumb for all we know.
They don’t discuss exploitability, just vulnerabilities. Not all vulnerabilities are necessarily exploitable, and all automated tools have false positives and negatives.
It’s not like there isn’t room to criticize Apple on security and no one is saying iOS is invulnerable, it’s just that it’s hard to really take a survey seriously when the details are so scant and it’s so tightly tied to marketing.
(Disclosure: The Macalope has done some writing and editing work for Rich Mogull.)