Why Apple's "walled garden" is a good idea
Many developers and users of Apple's iOS devices bemoan the "walled garden" of the App Store approval process, but it appears that the company's measures have prevented mass data theft from iPhones, and iPads.At the Black Hat security conference being held in Las Vegas this week, mobile security firm Lookout announced that an app distributed in Google's Android Market had collected private information from millions of users, then forwarded it to servers in China. Worse than that, the exact number of affected users isn't known, since the Android Market doesn't provide precise data. Estimates are that the app was downloaded anywhere from 1.1 million to 4.6 million times.
The app appeared to simply load free custom background wallpapers, but in fact collected a user's browsing history, text messages, the SIM card number, and even voice mail passwords, and then sent the data to a web site in Shenzen, China.
This is different from the recent AT&T website leak that could have let a hacker access 144,000 iPad 3G user email addresses, since in this case the data theft actually did happen, was being perpetrated by malicious hackers, involves much more personal information, and affected many more people.
So what's the difference between the security methodologies used by Google and Apple? Apple approves iOS apps only after they've gone through a strict (and frustrating to developers) process, while Google's Android Market simply warns the user that an app needs permission to perform certain functions during the installation. iOS apps must be signed by an Apple-created certificate, which means that malicious developers have a harder time distributing malware anonymously.
Lookout also noted that iOS remains virus-free, since third-party apps can only be distributed through Apple's heavily-moderated App Store, and the apps run in a sandbox environment where they can't affect the system. Lookout chief executive John Hering said that "he believes both Google and Apple are on top of policing their app stores." It's just those odd cases where apps don't do what they're advertised to do that can cause problems for users.
[via AppleInsider]
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 2)
THJ said 3:07PM on 7-29-2010
I agree, the 'walled garden' approach is great for regular users, and power users can (eventually) jailbreak if they want additional functionality/customization.
Reply
robogobo said 4:21PM on 7-29-2010
Took the words right out of my mouth. The iPhone/iPad is meant to be a supplemental ecosystem, for entertainment and mild utility. Anyone who wants to go further is able to leave the garden and go on their own into the jungle. Risky, but Intelliscreen and SBsettings are out there to be your finicky friends.
The Count Of MonteCristo said 3:12PM on 7-29-2010
This is the most misinformed article I've read on this site since a long long time.
http://blog.mylookout.com/2010/07/introducing-the-app-genome-project/
TWICE as much free applications on the iPhone gather private information about the user than on the Android platform. What's the point of having a walled garden when you can't even protect users from something as simple as that.
Android users are even more protected than Apple iOS users because the market actually warns the user what applications are capable of. It's the user's choice to allow the app to do so.
And yes, I am an iPhone owner. I just don't blindly believe in Apple's App Store policy.
Reply
Ben said 3:20PM on 7-29-2010
Jackeey Wallpaper app?
Ben said 3:32PM on 7-29-2010
but seriously, which app on the iPhone App store is stealing user personal information?
At least give us a name... like "Jackeey Wallpaper for android" then I'll know.
According to my research 99% of Android apps are stealing user information. BUT I am not going to give you any names.
Jason said 3:48PM on 7-29-2010
My rebuttal two cents is that;
The Android warnings are way too vague to be of any use.
"This app wants access to phone information."
"This app wants access to the network."
Does that mean it uses the dialer when you click an icon in app? Does that mean the app IS a dialer and uses your phone capabilities? Or does it mean it's going to monitor all your calls and then send them over the network to a rogue third party?
And answer is, who the hell knows.
jeff said 4:29PM on 7-29-2010
You might want to state the truth when quoting something. More than twice as many apps on the iPhone can access Location and Contact Data. While I agree that the fact that apps can access contact data at all is alarming, that does not mean that it has any ability to send that contact data to a private server to use in a malicious way. Not only that, whenever an app on the iPhone tries to access Location data, IT ASKS THE USER FOR PERMISSION!
Talk about misinformation.
slembcke said 8:51AM on 7-30-2010
I reaaaaaally doubt the author of this article has much programming experience. Do you believe that Apple does some sort of deep code inspection to figure out if you do this in your code?
Do you really think they have any way whatsoever to determine if doing anything naughty? Heck, there have been programs that were pulled because users found out that it was sending contact information off the phone and complained to Apple about it. Remember Aurora Feint's friend finder feature? The only way it was know that it did this is because it the game told you that it was going to and gave you a chance to opt out.
What could they possibly do to catch somebody trying to be malicious if they were trying to hide it and be clever about it. Even if they had all the original source code it would be very difficult to catch this sort of thing for even relatively simple programs.
Don't believe the FUD. Seriously.
Reply
Justin said 3:24PM on 7-29-2010
From TUAW in this article:
"Apple approves iOS apps only after they've gone through a strict (and frustrating to developers) process"
From Engadget 9 days ago:
http://www.engadget.com/2010/07/20/handy-light-for-iphones-dirty-little-secret-tethering-video/
Need I say more?
Reply
michas_pi said 4:27PM on 7-29-2010
Came here to post this very link. Thank you.
Oh, brave new Told!
caustic said 4:50PM on 7-29-2010
Except that app didn't access private information or even priviledged APIs. It just opened up a proxy.
Apple's review process does look for usage of protected data and APIs. I'm certain you can be tricky and get around some of the checks, but the app you cite isn't an example of someone doing that.
joey said 3:25PM on 7-29-2010
Handy Light.
Reply
Daniel said 3:39PM on 7-30-2010
This is possibly one of the most misinformed article i've read on here in a long time. Do you honestly think that Apple has the time, and indeed the staff, to detect backdoors or other malicious code?
they can't even do that with OS X, let alone IOS or any other platform.
Seriously this is fanboi FUD at its best.
Reply
Howie Isaacks said 3:42PM on 7-29-2010
What is really pathetic and sad is that it took TUAW such a long time to understand this.
Reply
oZ said 3:53PM on 7-29-2010
And yet, showed a fundamental misunderstanding of what the approval process is and is not.
Tired_ said 3:53PM on 7-29-2010
Why eating children is a good idea:
http://www.gutenberg.org/files/1080/1080-h/1080-h.htm
Reply
DefPo3t said 3:53PM on 7-29-2010
This site is basically worthless nowadays
Not one article is based on fact every week the go from anti iphone to iphone fetish
Reply
aardivark said 2:17AM on 7-30-2010
And yet here you are! :-)
David said 4:22PM on 7-29-2010
I've got to admit, a walled garden is a lot more enjoyable than an wallless wasteland.
Reply
Roger Gilblat said 4:27PM on 7-29-2010
There is nothing that prevents an iPhone app from doing the exact same thing. It's just that it hasn't happen yet or hasn't been discovered.
Apples frustrating review process is a joke. Just look at the flashlight app from a week ago that allowed full tethering. Apple didn't catch that, so why would that catch some person info being sent to a hackers server. All the app has to do is not send any personal info for the first few weeks it's out and Apple will be none the wiser.
Also, because of the walled garden, users can't install software such as LittleSnitch to help protect themselves. Apple won't allow it.
Reply