I know iOS isn't perfect, however, when I read articles like this, I just have to smile. There's something to be said for a tightly controlled platform and ecosystem.
They get so much wrong, so often, you have to wonder if they really look at the apps at all or just have some checklist, screenshots and a quota to hit. They explicitly approved all the garbage practices that Apple Arcade's billing protects users from.
That doesn't feel like the same thing at all. A shady developer tricking people into a subscription because they don't know any better is way different from malware that reinstalls itself even after a factory reset. People have to agree to pay for the subscription from an OS-level prompt in the first instance. They don't have a choice in the 2nd.
> A shady developer tricking people into a subscription because they don't know any better is way different from malware that reinstalls itself even after a factory reset.
A shady developer tricking people and a shady website tricking people result in bad things.
To get this trojan I'd need to go into settings and tick this box:
Then go to the dodgy website, then download the apk, then install it then pikachu face when I get a trojan.
And you can talk about how great Apple's security is but to fix this issue all Google has to do is remove that tick box in settings so no more sideloading apps.
But that also comes back with drawbacks that I assume an Apple user like yourself wouldn't know about, because all you know is a walled garden. Sort of like how Chinese people love the fact their internet is censored. So safe, so secure.
> And you can talk about how great Apple's security is but to fix this issue all Google has to do is remove that tick box in settings so no more sideloading apps.
And yet, they don’t.
> But that also comes back with drawbacks that I assume an Apple user like yourself wouldn't know about, because all you know is a walled garden.
Funny how Android users keep saying that. I’m an Android developer by profession, which is why I use an iPhone as my personal phone and would never recommend an Android device even to my worst enemy. I’ve seen how the sausage is made and it isn’t pretty. The best thing you can say about Android is that it’s free, which correctly reflects what it’s worth.
> I assume an Apple user like yourself wouldn't know about
Yes, truly... because there's no way that someone who uses an iPhone might know about the existence of Android/Windows/Linux/macOS or any other system that allows for sideloading and/or installing un-certed apps.
The point is, even if Apple allowed sideloading, there's no way that the iOS sandbox model would allow for what's being described here. The comparison wasn't accurate.
Your condescension and ignorance don't help that argument at all.
Apple's capricious app store review policy aside, iOS is so locked down that even a completely malicious sideloaded* iOS app can't dig itself into the system like this. Without a local privilege escalation exploit there's just no way to set up a persistent background service and no way to escape the sandboxing to allow an app to leave a mark on the system after your app is uninstalled.
(*a developer can basically sideload any app on their iOS device with an Apple developer license)
If shady devs can get a malicious app past Apple they can definitely get one past the average user. Does Apple get it right 100% of the time? Of course not. Does Apple get it right far more often than I would? Without a doubt.
Getting a malicious app past Apple in this context might mean as little as getting past a cursory review from a single indifferent employee. Apple has let enough bad apps through that, without further information, my default assumption is that the reviewer is doing little more than checking some boxes.
To be fair, if you stick to just using the Google Play Store, _this_ malware wouldn't hit you.
> According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.
While they were live, they didn’t steal data or gain control of a victim’s device,
....And while the worst effects you’d feel as a victim in this case would be a quicker battery drain and a higher data bill, this latest wave of iOS malware is most notable not for what it does but for how it got there.
Which is a far cry from an unremovable app. It didn’t even get outside of the sandbox and wasn’t an escalation of privilege attack.
The comments upstream are debating whether there's been malware on the app store. There has. Goal posts aside, it's worth remembering that no app review process is infallible, including Apple's.
The actual submission is about apps that install an unremovable piece of software that causes an escalation of privilege. The article you posted is about apps that can be removed just like any other software, don’t escape the sandbox and the most harm they can do is use an above normal amount of CPU and data.
Those aren't links to malware. Those are links to stories about malware that was removed from the App Store. Kinda makes the opposite point of what you're implying, doesn't it?
Sure, except that once you get past the idea of trusting others for your security, and instead learning and securing stuff yourself, you quickly realize that "tightly controlled" is just a synonym for "you don't really own your device, we just let you use it how we see fit". As so recently demonstrated by Apple's ability to remove the HKmap.live app.
In general really wonder why people still defend Apple these days. Even if you overlook a combination of stuff like infinite attempts for iCloud logins that led to the Fappening, their role in HK protests, and of course their pretty terrible labor practices that go so far as even to supposedly break the Chinese labor laws (which is a feat in itself), there are still issues with stuff they produce. Their hardware and software quality has been on a hard decline, especially if you compare it to alternatives rather than on its own merit. They don't really innovate despite opposite marketing claims, and they still participate in this "technology as a jewelry" thing with their $1000 monitor stands.
You pay attention to what you install, and take advantage of things like unlocking/rooting to remove apps or use a firewall app to limit access of other apps.
They certainly didn't know it was malware but yes, according to the article they installed the software intentionally (they even had to do extra steps and follow instructions on a random website to circumvent the google store).
You can theoretically have the best of both worlds, Apple's strong vetting without their draconian control. Strong vetting and allowing side loading are not mutually exclusive.
It's basically how Linux systems work, most stuff comes from the package manager which has been pretty good at keeping out malware and users can install whatever they want from elsewhere.
It seems like they could get a better outcome by having levels of trust for unsanctioned apps. Like the default for side-loaded apps would be just as an app only. No background processing, notifications, loading services. To get the latter functionality you could make the user jump through a bunch of hoops with nasty warning messages or even just not allow it.
Note that if you enforce this for all side loaded apps you are turning Android closer to the walled garden that is iOS.
There are already many legitimate apps distributed outside of Google Play for various reasons, such as weird Google policies or simply being booted out with no or spurious reason & the developer not being able to ever reach a human to fix this.
I wish Apple would allow side loaded apps. I'm not saying eliminate side loaded apps altogether. Merely, it seems like it's a binary view. Either allow side loaded apps and make no attempt to design the installation process with security features, or deny un-approved applications entirely in the name of security.
I think Apple's desktop solution to unverified developers is a good way to split the difference. Deny by default but allow whitelisting. They go even further under the privacy tab and only allow certain applications permission to access accessibility features or full disk access, etc.
This actually seems broadly similar to the issue with "self-XSS" and the developer console in browsers (which is hidden behind a couple of menus). So far most of the mitigations involve the site printing messages into the console telling users to not paste in anything here unless they are a developer.
Maybe it's a good idea to hide the "Allow sideloaded apps" under the developer menu in Android or something, or generally to display a scarier message.
The end result of this is largely to discourage competition. The Google Play Store is not good at security, and the prohibition on sideloading is far less effective at preventing infection than it is at preventing app developers from avoiding Google's 30% app tax.
According to claims on Reddit, this malware can re-enable the "Allow installing untrusted apps" checkbox after the user unchecks it.
This and its ability to survive factory reset may indicate that xhelper can gain complete control over device (probably via improperly built firmware or unpatched root exploits). No amount of sandbox enhancements can stop this kind of privilege escalation.
I think a large part of "the older generation" doesn't even understand that smartphones have software running on them called "android". My mom calls her Samsung Galaxy "iphone".
I don't know why you're being downvoted. You've got a point. There's no perfection in the App Store when it comes to review, but it's an ecosystem that is built around trying to create a sense of control and privacy. Sorry if you don't disagree but I reckon facts overwhelmingly disagree with you if you do.
That's not to say in any way ANDROID BAD or anything like that, it's just a broader attack vector that you're up against with Android unless you're a very careful experienced customer. Most people aren't. :/
I didn't downvote but I understand why others did (I would have if it wasn't already grey).
It's incredibly frustrating to read these pro-walled-garden-arguments. By the same argument you could say that the people in Hong Kong or elsewhere should just shut up and accept that their leaders will know what's best for them.
I worry about a future where these locked-down devices will be the norm for all of us. Don't defend Apple for locking you in. That's ridiculous.
One crucial difference is whether you can opt-out. Another big difference is the stated intention of the party/entity: i.e. Apple is not a company "of the people, by the people, and for the people".
My objection is that it's not that useful to only look at whether a party wants to restrict freedom. Personally, I don't think that's a very useful dimension at all -- I don't consider the existence of a road limiting to my freedom to drive wherever I feel like it.
Also didn't downvote personally, but I can certainly see why someone would.
Fundamentally, the problem exposed by this particular piece of malware was the ability for it to persist across removals and device resets, not that it was "sideload-able" by the user. Malware persistence should not be possible on a well-designed system, especially one where applications are generally untrusted and sandboxed. Had this been malware that requires sideloading but could be removed when noticed, it wouldn't even have made the headlines at all.
The problem with making the walled-garden argument here is like saying nobody will get sick if we just put everyone in isolation all the time. Like, sure, it is _a_ solution, and assuming the isolation is perfect, it _does_ achieve the goal... But this merely sidesteps the problem, and anything that slips through the wall (which as pointed out by other commenters, does happen on iOS too) will be just as dangerous as before.
The real solution is to "buff up everyone's immune system" and make it easy to restrict and treat malware apps when they inevitably end up on a device, walled garden or not.