How malware gets published in AppStore, and other AppStore unfair practices.

Kato0909
9 minutes ago, IkeaGnome said:

But Apple can't get viruses!

/s

And therein lies the problem. Apple got themselves a reputation years ago when we were all getting hit, and I am going back to the Amiga days. Early 90s and Apple did have a good track record, probably as not many owned one and those that did were probably less likely to use pirated software.

 

So as time went on fanboys lauded this over mere plebs with PCs, and Apple were certainly not going to urinate on their parade as it showed them in good light. With the press lapping it up Apple were heavily in the limelight whenever a potential bug arose no matter how small a risk it was. Apple set themselves up as a target as they grew and that is impossible to shake.

 

We are now at a point where all OS’s are super complex that it is inevitable there will be an increasing number of holes and bugs. So the target is easier to hit.


12 minutes ago, Distinctly Average said:

And therein lies the problem. Apple got themselves a reputation years ago when we were all getting hit, and I am going back to the Amiga days. Early 90s and Apple did have a good track record, probably as not many owned one and those that did were probably less likely to use pirated software.

 

So as time went on fanboys lauded this over mere plebs with PCs, and Apple were certainly not going to urinate on their parade as it showed them in good light. With the press lapping it up Apple were heavily in the limelight whenever a potential bug arose no matter how small a risk it was. Apple set themselves up as a target as they grew and that is impossible to shake.

 

We are now at a point where all OS’s are super complex that it is inevitable there will be an increasing number of holes and bugs. So the target is easier to hit.

I don't think it's that they were ever virus free or a lot harder to infect. They just had too small of a market share to make it "worth it".

2.32% OS market share in 2002, and 15% today. My guess is that's pretty close to the reason you HEAR about fewer viruses on Linux than Windows. If someone writes the same virus for all 3 OS, you'll hear way more about Windows than Linux or iOS. Especially if it's only hitting 1 or 5% of users of each OS. If 5% of users here collectively got the same virus on whatever OS they're running, Windows will have the most complaints, then the other two. This doesn't make Linux or iOS any more "virus free" than Windows, it just means there's fewer people on those OS to be affected.

https://www.statista.com/statistics/218089/global-market-share-of-windows-7/

I'm not actually trying to be as grumpy as it seems.

I will find your mentions of Ikea or Gnome and I will /s post. 


29 minutes ago, Distinctly Average said:

Any app that gathers information could be considered malware.

Only if it does so without telling you. The type of information it gathers is also important. The way it gathers information also matters; for example if it's logging your keystrokes in other programs or your location while the app isn't open through some system exploit, it's not just spyware.

30 minutes ago, Distinctly Average said:

As you say, IOS, and Android are guilty, so are M$, Linux and most browser companies. Not saying it is right, just that there is a widespread issue when it comes to spyware.

Aside from the fact "Linux" is not a corporation, it definitely contains no spyware. Hundreds of security researchers routinely inspect the Linux kernel. As for browsers, if they collect data they should tell you (and most do). Microsoft only sort of tells you... which is why a lot of people don't like their approach. Anyway, out of the cases you listed, only Apple uses privacy/security as an excuse to enforce a monopoly.

33 minutes ago, Distinctly Average said:

We still have very little in the way of figures regarding actual damage done, I doubt we ever will. If however a particular app or OS does cause a major issue I am sure it will be shouted about in the press, especially so when it is Apple.

It IS "shouted about". All the time. And every time people rush to play defense for things they'd never tolerate from other companies.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


7 minutes ago, Sauron said:

Only if it does so without telling you. The type of information it gathers is also important. The way it gathers information also matters; for example if it's logging your keystrokes in other programs or your location while the app isn't open through some system exploit, it's not just spyware.

Where is the evidence of a mass problem with this on IOS? If hundreds of apps are infected as some suggest, apps with millions of downloads, where are the thousands of people affected? This is why we need figures, a sensible evaluation. Few people do that and IMO it is something we need. Until we do companies are hard to hold to account.

7 minutes ago, Sauron said:

Aside from the fact "Linux" is not a corporation, it definitely contains no spyware. Hundreds of security researchers routinely inspect the Linux kernel. As for browsers, if they collect data they should tell you (and most do). Microsoft only sort of tells you... which is why a lot of people don't like their approach. Anyway, out of the cases you listed, only Apple uses privacy/security as an excuse to enforce a monopoly.

Where have I said any OS contains malware? I insinuated they are vulnerable, which is true. Most distros come with a suite of apps and the ability to install almost anything. I have not said any OS contains spyware, and without evidence never would. I’ve dealt with plenty of it in my career on many operating systems.

7 minutes ago, Sauron said:

It IS "shouted about". All the time. And every time people rush to play defense for things they'd never tolerate from other companies.

As I said above, Apple have drawn a huge target on themselves. They loved the attention and free advertising when press and fanboys gloated while other OS’s were routinely hit by nasty attacks. So much so they have now painted their own target in bright colours for all to see. Add to that some of their more controversial practices and they have become a marmite company. So now things that would barely raise an eyebrow on other platforms become big news.


24 minutes ago, IkeaGnome said:

I don't think it's that they were ever virus free or a lot harder to infect. They just had too small of a market share to make it "worth it".

2.32% OS market share in 2002, and 15% today. My guess is that's pretty close to the reason you HEAR about fewer viruses on Linux than Windows. If someone writes the same virus for all 3 OS, you'll hear way more about Windows than Linux or iOS. Especially if it's only hitting 1 or 5% of users of each OS. If 5% of users here collectively got the same virus on whatever OS they're running, Windows will have the most complaints, then the other two. This doesn't make Linux or iOS any more "virus free" than Windows, it just means there's fewer people on those OS to be affected.

https://www.statista.com/statistics/218089/global-market-share-of-windows-7/

Yeah, I know all that. I actually wrote a test virus for Mac OS back in the 90s. They (viruses) were about, especially if you look into the flourishing demo scene back then. As you say, there were a lot less owners and they were certainly more professional types back then unlikely to be installing iffy disks.


1 hour ago, Distinctly Average said:

Where is the evidence of a mass problem with this on IOS? If hundreds of apps are infected as some suggest, apps with millions of downloads, where are the thousands of people affected?

I showed you a case where over 1000 apps were found to be infected. Do you think it's unrealistic to think thousands of people were affected for each of them?

1 hour ago, Distinctly Average said:

Where have I said any OS contains malware? I insinuated they are vulnerable, which is true

You used the word "guilty", which to most people indicates wrongdoing.

1 hour ago, Distinctly Average said:

As I said above, Apple have drawn a huge target on themselves. They loved the attention and free advertising when press and fanboys gloated while other OS’s were routinely hit by nasty attacks. So much so they have now painted their own target in bright colours for all to see. Add to that some of their more controversial practices and they have become a marmite company. So now things that would barely raise an eyebrow on other platforms become big news.

It's simply profitable to attack iOS users and I wouldn't blame Apple for that - what I blame them for is pretending this isn't a problem and lying to justify a monopoly.


3 hours ago, Sauron said:

if Uber can just spy on customers through their Apple approved store app and only get caught by independent researchers.

Apple themselves figured that out which resulted in the CEO of Uber getting an invitation to the oval office of Tim Apple.


12 minutes ago, Dracarris said:

Apple themselves figured that out which resulted in the CEO of Uber getting an invitation to the oval office of Tim Apple.

And they sorted it out over a drink, while anyone else who's not a big silicon valley company that brings the $ would have been permanently booted from the store without possible recourse...


9 minutes ago, Kilrah said:

And they sorted it out over a drink, while anyone else who's not a big silicon valley company that brings the $ would have been permanently booted from the store without possible recourse...

Pretty sure that conversation was a lot more unpleasant than enjoying a drink together. And there was no sorting out. Mr Apple ruled that if this ever happens again, they will be permanently banned from the platform.

 

Yes, big companies give each other special treatment since they benefit mutually from such - now where's the news?


31 minutes ago, Sauron said:

I showed you a case where over 1000 apps were found to be infected. Do you think it's unrealistic to think thousands of people were affected for each of them?

One doesn’t necessarily lead to the other. One security firm believe they have found certain code in many an app. Apple suggest that code is not an issue. Where are the victims? Until we hear cases from victims using this attack we cannot determine to what extent it is a problem. We can make assumptions only.

31 minutes ago, Sauron said:

You used the word "guilty", which to most people indicates wrongdoing.

When you take it out of context. You then form a conclusion based on something that was never said.

31 minutes ago, Sauron said:

It's simply profitable to attack iOS users and I wouldn't blame Apple for that - what I blame them for is pretending this isn't a problem and lying to justify a monopoly.

Which part is the monopoly? Apple only have a 13% share of the phone market, 16% of the PC market. Apple are huge and do a lot I don’t agree with. All these big companies spend half their time sniping at each other in and out of court. Gotta keep the lawyers in Ferraris somehow. 


4 hours ago, Sauron said:

Citation needed my friend. Clearly App Store security isn't doing anything if Uber can just spy on customers through their Apple approved store app and only get caught by independent researchers. Nothing about iOS itself seems to make it more secure if you can just access high privilege system APIs at will and the store is unable to catch that. So... what exactly makes it safer in your opinion? Other than Apple just claiming it is...

Yeah, good thing I'm not the one doing that...?

Uber did some pretty shady stuff to get around. Is it really realistic to think that all app review employees will go around and test all apps submitted for review around the world to cover all kinds of cases? And when Apple did find out about it they took strict action against them. And btw, the thing you keep referring to is extremely old news

https://www.theverge.com/2017/4/23/15399438/apple-uber-app-store-fingerprint-program-tim-cook-travis-kalanick

 

Would you expect the same from Google? Nope. They won't do anything. And nobody bothers to even check anything on the Play Store situation, because it's an open secret that it's filled with malware

https://www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware/

 

So yeah, iOS is so much better than our other options. It IS SAFER because the probability of you encountering such malware apps on iOS is pretty low. And it's likely they will get caught or one of the iOS updates (you know the thing iOS users enjoy from anywhere between 4-6 years) breaks it

Quote

If anyone is making claims about Apple's high security performance it's you, and you're painfully short on evidence.

We literally do.

 

https://www.tomsguide.com/news/iphone-apps-infected-malware

 

Are 1200 apps infected with the same malicious code enough evidence of a potentially more widespread problem for you? It's not just random no-name developers doing this either, Uber was caught doing this. Granted, these don't brick your phone - why would they? It's much more profitable to log your data.

1200 apps using the same advertising malware vs 10-24% of all Android users have come across a malware app and most of them being distributed by Play Store

https://indianexpress.com/article/technology/mobile-tabs/google-play-store-is-the-largest-malware-distributor-on-android-phones-7049607/

 

That's statistics. It's like saying just because a few among the millions of Volvo accidents caused passenger deaths means that it is only as safe as a Yaris. Do you see how stupid that conclusion sounds? Is Volvo not allowed to say that they're better than a Yaris?

Quote

And hey, just to be clear: Google is no better in this regard https://www.bleepingcomputer.com/news/security/new-android-malware-steals-millions-after-infecting-10m-phones/

 

...but at least they don't prevent me from sideloading another store with the excuse of "security". Oh, and they tend to fix 0-days when they are reported rather than banning the researchers from the store and ignoring the problem.

Sideloading apps from shady sources is a security concern. It dramatically increases the likelihood of malware getting into your device. I don't understand how you seem to be unable to comprehend numbers, but just see it as pure black and white


13 hours ago, Kato0909 said:

 

Summary

 A critique article about Apple's App Store review policy, methods by which some malware cheats the App Store review process, and anticompetitive strategies and entitlements for chosen developers.

 

Quotes

 

My thoughts

This article is from the same author who recently got ignored by Apple in their bug bounty program about three iOS 0-day vulnerabilities (one is silently fixed in iOS 14.7)

https://linustechtips.com/topic/1375750-apple-failed-to-fix-zero-days-and-ignore-person-who-found-them/

 

This is another proof that AppStore is not fully secure, is not free of scam and malware and Apple's practices are not ideal, contrary to their claims. And it is another flawed point in Apple's defence strategies on the matter why AppStore is the only allowed app distributing platform on iOS and iPadOS. But I can't really say that I am surprised.

 

 

Sources

 https://habr.com/en/post/580272/

 

 

 

Apple doesn’t claim that the AppStore review process is perfect. Tim Cook himself said that under oath in Epic vs Apple.
Is review perfect?
“It’s not 100%. It’s not perfect. You will find mistakes being made. But if you back up and look at it in the scheme of things … we do a really good job."

 

What you have to prove is that it is not helpful at all, not that it is not perfect, because perfection is not required for it to be a reasonable business practice.


2 hours ago, Distinctly Average said:

Where are the victims? Until we hear cases from victims using this attack we cannot determine to what extent it is a problem. We can make assumptions only.

Tell me how exactly an iPhone user would know if they are being actively spied on?

 

If the assumption is that iOS is the privacy king when compared to Android, the lay person is not going to even think they are infected and anything that might set off a more technologically knowledgeable person may just be ignored.

 

Did you know that you most likely have 5 viruses in your body right now that your immune system is currently fighting off? If you don't have symptoms then you don't care. Feeling tired one day? "Maybe I just didn't sleep well"

Unless you're going and getting bloodwork done every day then you're not going to know you're infected. Same case here.

 


4 hours ago, Arika S said:

Tell me how exactly an iPhone user would know if they are being actively spied on?

 

If the assumption is that iOS is the privacy king when compared to Android, the lay person is not going to even think they are infected and anything that might set off a more technologically knowledgeable person may just be ignored.

 

Did you know that you most likely have 5 viruses in your body right now that your immune system is currently fighting off? If you don't have symptoms then you don't care. Feeling tired one day? "Maybe I just didn't sleep well"

Unless you're going and getting bloodwork done every day then you're not going to know you're infected. Same case here.

 

Spyware vs malware, they are different things. Are users being spied on for purposes of advertising etc, or to steal from for passwords, cc info etc. We have little evidence of the latter. The former goes on all the time in every browser. Where is the line drawn? I think we can all assume privacy is long dead whatever platform you use.


14 minutes ago, Distinctly Average said:

I think we can all assume privacy is long dead whatever platform you use.

Unfortunately very true. I tried to create an Instagram account the other day so I could enter a competition, they won't let me use it without giving them my phone number. Fuck that.

 

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 hours ago, mr moose said:

I tried to create an Instagram account the other day so I could enter a competition, they won't let me use it without giving them my phone number.

I think they are doing that primarily to make creating fake accounts harder. As some super chat on last week's WAN show however said, there are now services which give you non-banned phone numbers with browser-based SMS inbox for a few cents each.


11 minutes ago, Dracarris said:

I think they are doing that primarily to make creating fake accounts harder. As some super chat on last week's WAN show however said, there are now services which give you non-banned phone numbers with browser-based SMS inbox for a few cents each.

Given Instagram is owned by Facebook I find it incredibly hard to believe they are doing it for genuine goodness only. The idea that my private phone number can be linked to an entire database of personal information is scary enough without even contemplating what happens when that database is breached.

 

They can shove Instagram and Facebook high up their posterior orifices.

 

 


47 minutes ago, mr moose said:

Given Instagram is owned by Facebook I find it incredibly hard to believe they are doing it for genuine goodness only. The idea that my private phone number can be linked to an entire database of personal information is scary enough without even contemplating what happens when that database is breached.

I certainly agree and such breaches have already happened. However fake accounts, especially controlled as bot nets, are a huge problem for their platforms. Besides manipulating like counts of content and comments, they severely degrade the quality and user experience; every 1-2 days I get follow/friend request from fake XXX accounts. It's annoying as hell.

 

Note that fb is not the only company requiring a phone number for registration, most do these days. So I am at a point where I seriously consider paying a bit for phone numbers that cannot be linked to me. Sort of like the next VPN realization.


24 minutes ago, Dracarris said:

I certainly agree and such breaches have already happened. However fake accounts, especially controlled as bot nets, are a huge problem for their platforms. Besides manipulating like counts of content and comments, they severely degrade the quality and user experience; every 1-2 days I get follow/friend request from fake XXX accounts. It's annoying as hell.

 

Note that fb is not the only company requiring a phone number for registration, most do these days. So I am at a point where I seriously consider paying a bit for phone numbers that cannot be linked to me. Sort of like the next VPN realization.

I'm old enough that I can just stop using those services.  I can play the "old man don't get it" card if I don't want to argue with ignorant kids.

 


On 10/1/2021 at 11:19 PM, Kilrah said:

a big silicon valley company that brings the $

Isn't Uber actually not profitable since the start of the company?
