Why Apple's "walled garden" is a good idea
Many developers and users of Apple's iOS devices bemoan the "walled garden" of the App Store approval process, but it appears that the company's measures have prevented mass data theft from iPhones and iPads.
At the Black Hat security conference being held in Las Vegas this week, mobile security firm Lookout announced that an app distributed in Google's Android Market had collected private information from millions of users, then forwarded it to servers in China. Worse than that, the exact number of affected users isn't known, since the Android Market doesn't provide precise data. Estimates are that the app was downloaded anywhere from 1.1 million to 4.6 million times.
The app appeared to simply load free custom background wallpapers, but in fact collected a user's browsing history, text messages, the SIM card number, and even voice mail passwords, and then sent the data to a web site in Shenzhen, China.
This is different from the recent AT&T website leak that could have let a hacker access 144,000 iPad 3G user email addresses, since in this case the data theft actually did happen, was being perpetrated by malicious hackers, involves much more personal information, and affected many more people.
So what's the difference between the security methodologies used by Google and Apple? Apple approves iOS apps only after they've gone through a strict (and frustrating to developers) process, while Google's Android Market simply warns the user that an app needs permission to perform certain functions during the installation. iOS apps must be signed by an Apple-created certificate, which means that malicious developers have a harder time distributing malware anonymously.
Lookout also noted that iOS remains virus-free, since third-party apps can only be distributed through Apple's heavily-moderated App Store, and the apps run in a sandbox environment where they can't affect the system. Lookout chief executive John Hering said that "he believes both Google and Apple are on top of policing their app stores." It's just those odd cases where apps don't do what they're advertised to do that can cause problems for users.
[via AppleInsider]
It seems this whole article is moot considering the fact the exploit was not accurate:
http://www.androidcentral.com/android-privacy-concern-lookout-response
There is a middle ground to all of this:
- Paying developers can pay Google/Apple an annual fee (e.g. $99/year) to have their apps stamped by Google as safe.
- All developers can post apps in the market but consumers will be less trusting of the non-stamped apps.
- Apps can be sideloaded (as they can with Android or a jailbroken iOS device). They shouldn't need to be jailbroken to do it.
I will say I feel safer being told what parts of my phone an app needs access to. Most games, for example, shouldn't require any special privileges. Good app design uses OAuth and other protocols to handle integration with things like Twitter, etc.
I honestly don't understand why simple solutions are never the ones big companies come up with.
Damned if you're open, Damned if you're closed...
I noticed the whole "Open or Closed" thing seems to be a lose-lose situation. If you stay closed, like Apple, you lose in the fact people complain you're "too controlling" and sometimes you have to pull software. If you stay open, like Android, as this article describes you start to let in malware, viruses, phishing software and it will get to the point where there will need to be a "Norton Antivirus for Android".
But my personal opinion is I'd rather the company be considered "too controlling" than have viruses flooding my cell phone and need a phone antivirus program slugging the device down.
So would you be okay with Apple, Microsoft etc. locking down which applications can or cannot be sold for desktops? Would you prefer a walled garden for the desktop? Because that's essentially what you're advocating and why so many people are bailing on the iPhone for Android. If it's NOT necessary for the desktop, as I suspect you'll agree, then why is it needed for your phone?
FWIW, and to make my point even further, the article is completely wrong on all levels - the developer has responded with a satisfactory explanation, and the author of the report has walked his claims back heavily, saying in no uncertain terms the apps were NOT malicious. Given Apple's recent bouts with malicious apps that steal iTunes account info or sneak "features" in (it was tethering, but could have just as easily been malware), you are no safer in your walled garden, you just have less freedom.
This article is BS. The walled garden is NOT that the App Store has an approval process (that is not an issue). The walled garden is that you are allowed to get apps ONLY from the App Store! If Google decided to get like Apple with the Android Market, that wouldn't make Android walled because you can still get apps off the market.
If Apple would open up the iPhone to other apps and markets, yet keep their control over the App Store, I can assure you, all the bad PR of Apple would go away.
"If Apple would open up the iPhone to other apps and markets, yet keep their control over the App Store . . . "
Sorry if I misunderstood you for I am but a mere peasant, but that sounds very much like putting airport-grade security on the front door and leaving the sliding door to the rear deck wide open.
No, if people want security and all that, then they will keep to the App Store. If they want more, then they will go to the internet and get what they want. Normal Android users do this; they just use Android Market. However, people who want more can go to other markets or the internet.
This is not a complicated concept.
As for your airport analogy, no, it is like having one big Airport that is very secured and that goes ONLY to places where the boss wants people to go. But if you want to go to somewhere where the big airport doesn't take you, then you can go to one of the smaller, and less secured ones.
The current situation is that the big airport controls every legal flight in the world. So if you want to go where it doesn't take you, you have to take a one-man plane, that is being held together by duct-tape, that you rented from a hobo-looking man in a creepy port.
I'm an iOS developer with an app in the store (The Fox & The Grapes) and I happen to feel that the App Store, with all its warts, is generally a good thing.
That's not to say there couldn't be other licensed stores, but the idea of a moderated, curated, easy to install, easy to remove store is essential for the next generation of non-pc devices if we don't want to recreate the security, virus, and malware problems of the last decade or so with Windows.
I wrote up my thoughts about it on my web site, http://causticmango.com/files/dont_fear_the_app_store.html, the gist of it is that my experience with Ubuntu's repositories convinced me it's the best thing for users.
You want your primary PC, your phone, your tablet, your whatever to be safe, reliable, and as pristine as possible. You want it to be a "production" device.
If you have a sandbox system you want to hack on or screw around with, that's fine. Maybe you're a programmer or hobbyist or just curious. But you're the edge case, not the primary case and the distribution system shouldn't be optimized for you.
Good points, although a few things to consider:
Apple doesn't check the source code. Malicious code can (and has) gotten past Apple if they hide it well. Recently an app stole iTunes account info. (Remember?)
Google does monitor their market, as you mention, although not as heavily. You have to go into your settings on your phone to allow Apps not installed/approved through the market.
Attacks are done through trojans and exploits. Trojans might be a tad harder in iOS, but they can still happen. Exploits can happen on either platform. Apple's cost is the loss of either the freedom to install Apps outside of the App Store or your warranty. I, personally, think the default to limit Apps to the Store/Market but the option to install other Apps if you want (as it is in Android) is preferable. Perhaps if Apple kept their hard moderation, but there was an option to go in and allow third party apps that could only be turned on by the user would be ideal... but Apple would never allow that.
(1) No app has ever stolen iTunes Account Credentials. That is not what happened. Prove me wrong.
(2) "You have to go into your settings on your phone to allow Apps not installed/approved through the market."
Right, but you forget about the detail that /this wallpaper app was sanctioned and IN THE MARKET.
(1) This was big news, I'm surprised you haven't heard of it.
http://thenextweb.com/apple/2010/07/04/app-store-hacked/
Do a search on the web, if you'd like to find other sources. It's quite possible this was done through other means, I'm not sure whether it was determined if it was just brute force or an app.
(2)
Hidden functionality has been sneaked into Apple apps. Both for good and bad.
Here's an example of a "good" instance:
http://www.macrumors.com/2010/07/20/flashlight-app-sneaks-tethering-into-app-store-for-now/
Programs such as the above are demonstrative that it is fairly trivial to get things past Apple. The above could have been malicious. Proofs of concept of such have been made.
It's easy to say that the Wallpaper App is telling on how ultimately secure Apple's model is, but we are seeing more and more instances of things getting past Apple, and even more so, vulnerabilities in the operating system itself, which is perhaps worse. That's what the jailbreaks use to root the phone after all. Going to a webpage to auto-jailbreak your iPhone is great if that's what you want to do, but if a bad guy knows the same thing they can easily install and you'll never know.
http://news.cnet.com/8301-31021_3-20012511-260.html
I'm not trying to beat down iOS. It's a great mobile OS. I admit I like Google's open model more, but that's beside my point. My point is that EVERY operating system is vulnerable. Easy over-the-web Jailbreaks are an example of this. The flashlight app is an example of code getting past Apple, even if for a short time. I'm sure if people wanted to they could break WebOS. I'd just prefer Apple's App-Store with the option to enable third-party apps, like what Google does. That's all. :)
There is nothing that prevents an iPhone app from doing the exact same thing. It's just that it hasn't happened yet or hasn't been discovered.
Apple's frustrating review process is a joke. Just look at the flashlight app from a week ago that allowed full tethering. Apple didn't catch that, so why would they catch some personal info being sent to a hacker's server? All the app has to do is not send any personal info for the first few weeks it's out and Apple will be none the wiser.
Also, because of the walled garden, users can't install software such as LittleSnitch to help protect themselves. Apple won't allow it.
That's a bad thing? Installing, and MANAGING a firewall on a phone would have to be one of the most aggravatingly poor experiences I could ever think to have on a mobile device.
August 02 2010 at 4:33 PM
I've got to admit, a walled garden is a lot more enjoyable than a wall-less wasteland.
July 29 2010 at 4:22 PM
This site is basically worthless nowadays
Not one article is based on fact; every week they go from anti iphone to iphone fetish
And yet here you are! :-)
July 30 2010 at 2:17 AM
Why eating children is a good idea:
http://www.gutenberg.org/files/1080/1080-h/1080-h.htm
What is really pathetic and sad is that it took TUAW such a long time to understand this.
July 29 2010 at 3:42 PM
And yet, showed a fundamental misunderstanding of what the approval process is and is not.
July 29 2010 at 3:52 PM
36 Comments