Trend Micro thinks Android's open source makes it less secure than iOS; wrong!

News just in: the open-source-is-less-secure myth was dispelled more than a decade ago. Take a look at Linux, Apache, Firefox, or Chrome -- four huge open-source projects, and all many times more secure than their closed-source brethren (Windows, IIS, Internet Explorer). Open source projects are more secure than closed-source projects due to peer and code review, and vested interest! Trend Micro fails to appreciate that while maybe a handful of people have seen the iOS source, thousands have eyeballed Android's innards to look for bugs. Don't forget that Android is also based on Linux, which must be one of the most rigorously tested pieces of software ever made.
Later in the interview, Chang even goes on to mention the iOS sandbox "that isolates the platform"... which Android also has!
Anyway, Chang's ultimate point is that as smartphones become more intrinsic to our everyday life, their security becomes an ever-growing concern. Smartphones need to be treated as real computers, and locked down in the same way; either by the platform, or with third-party software. There will come a point, in the next few years, when smartphone OSes receive even more attention from malware authors than Windows -- we need to be ready.
[If you're looking for a good, free Android antivirus tool, check out Lookout Mobile Security. Image credit: laihiu]
Comments (18)

Ed Chamberlain, Jan 13th 2011 6:40AM
iOS kernel is based on Darwin. Darwin is Open Source.
Tard.
Sebastian Anthony, Jan 13th 2011 6:47AM
@Ed Chamberlain Very true! But it's based on... not exactly the same. It's hard to say (i.e. impossible) if it's as secure as Darwin.
JetShred, Jan 13th 2011 9:47AM
The reason that being open source makes it less secure is the fragmentation of Android. There are a ton of phones still running 1.5 and 1.6. Open source is great when you can get the updates, but otherwise all the flaws are out in the open and you have no way of fixing them.
Sebastian Anthony, Jan 13th 2011 10:09AM
@JetShred That's a good point, actually :) If only the Trend Micro guy had said that, instead of some other stuff...
Slow roll-out of updates is going to be a problem for all smartphone platforms, though. At least with Windows and OS X you get first-party updates -- with phones, we have to wait for the mobile operator... and that seems to take a very long time :(
Jacob Gillespie, Jan 13th 2011 10:38AM
While I totally agree that open source does not equal insecure, I would still believe that Android is a more insecure platform because it's an open platform - you have more freedom to run what you want, including potential malware and spyware. Apple, on the other hand, restricts the apps you can run (obviously), and one of the (few) benefits to this closed environment is less exposure to malware.
True, Android has an OS-level sandbox, but Apple has a closed app store, requiring review and approval before apps can make their way to end user devices.
Yes, there are many positives and negatives for Android's open approach just as there are for Apple's philosophy.
Whether Android or iOS is more vulnerable in itself is another question, but IMO a phone running within the iOS ecosystem is much safer than one in the Android ecosystem.
codedigital, Jan 13th 2011 3:34PM
Another thing you're forgetting is Android's closed-ness until the OS is dropped.
codedigital, Jan 13th 2011 3:35PM
And your title is bad journalism.
Sebastian Anthony, Jan 13th 2011 4:24PM
@codedigital I did struggle with the title, it's true.
ChrisSsk, Jan 13th 2011 4:13PM
Open source projects being more secure than closed-source projects due to peer and code review does not apply to Android.
Google uses a closed development model for Android. They develop in-house and then release the finished code under Apache. So before a version's release only a handful of people have seen the source to look for bugs.
So bugs missed by Google developers and identified by the community after the release will have to be fixed in future updates. And as JetShred said, a lot of phones may never get the updates, so they become even less secure since they have unpatched known bugs.
Sebastian Anthony, Jan 13th 2011 4:23PM
@ChrisSsk Yeah, I thought about that when I wrote this story.
Still, at least the source is seen at all -- at least bugs CAN be seen (and fixed) by the community.
Also, I don't think the version of Android that mobile operators get is the same as the one that Google puts on its Nexus phones. There's usually quite a few months between a new version, and it actually appearing on non-Google phones -- plenty of time for bugs to be found!
NyaR, Jan 13th 2011 5:18PM
A lot of people running iPhones are running old versions to support jailbreak; they do this specifically because it is not "open".
Mes215, Jan 13th 2011 5:26PM
Um, TrendMicro just released an anti-virus app on the Android Market, it's no surprise they are trying to gin up fear to drive downloads. Nothing to see here, move along.
SilverWave, Jan 13th 2011 7:08PM
heh because everyone knows that closed source code is so secure....
cough. ms. cough.
lol
Either Steve Chang is ignorant or he is selling something.
SilverWave, Jan 13th 2011 7:10PM
I wonder how many AV vendors actually produce viruses to boost their sales?
Sebastian Anthony, Jan 13th 2011 7:24PM
@SilverWave Oh the dark pit of despair that is your soul!
... but no, seriously, they probably do that... :(
Michael Quinn, Jan 14th 2011 7:57AM
I guess all these Firefox security patches are just a scam by my ISP to use up my data? And my Apache Linux server needing updates all the time is another scam by my server managers?
It's nice all these security problems get fixed - but shouldn't the awesome peer reviewed neckbeard code have been secure in the first place???
Actually I don't use Firefox - that was a lie. Ugly ass open sourced piece of crap ;)
Sebastian Anthony, Jan 14th 2011 8:07AM
@Michael Quinn The fact that they _are_ regularly updated (nightly!) is what makes them so secure.
Of course, the problem still remains that users have to update to the most recent build -- which is actually how most devices/servers/etc get hacked: outdated software.
The only real difference with closed platforms like iOS is that it's more likely someone has found a bug, is exploiting it, and no one else knows about it. It's still a small risk, of course, but it's a risk all the same.
Nicholas Roberts, Jan 20th 2011 3:56AM
@Michael Quinn That's hardly an argument against Firefox: 'Ugly ass open sourced piece of crap'. Sure, aesthetics are fine; I ditched Safari from my selection of browsers (except when some purportedly big new feature pops up) because it, quite frankly, looked bland (combined with the apparently finicky way it deals with searching directly from the address bar (like the 'en.wiki, tab, ' that Chrome has)). Coupling aesthetics with what type of source it happens to be... isn't really valid. Explain /why/ it's a piece of crap... speaking of which, what's that compared to? Safari? Internet Explorer 9?
Also, another point of contention comes to mind... which real-world (i.e. actual stats, not just conjecture) examples of a closed-source OS having fewer security exploits than a counterpart (in the same field) open source OS can you produce?