Will Apple's Spectacular Success Invite More Malware?
Apple's iPod Touch, iPad and iPhone 4.
Apple's spectacular earnings report reveals it sold 15.4 million iPads, 37 million iPhones and 5.2 million Macs from October through December. So where's the predicted wave of OS X and iOS malware? Isn't the market share big enough to make either platform an attractive, easy target for criminals?
Experts, citing Apple's security controls and the easy opportunities for crooks to profit elsewhere, say massive sales do not automatically equate to massive malware. The wave of malware may break, but it won't be for quite some time. For now, Apple's waters are calm, and people keep diving in.
iPhones are in the clear … for now
Tim Armstrong, malware researcher for the security firm Kaspersky Lab, agrees.
"I still feel like the wave has yet to come. We're in a transitional phase," Armstrong told SecurityNewsDaily. "Malware writers have had years to find ways to monetize their attacks on traditional platforms and hardware. In some ways they need to reinvent the wheel to successfully and consistently make money attacking mobile platforms, especially with regard to iOS."
Apple pushes out frequent software and security updates, and subjects app developers to a strict vetting that makes it difficult for malicious apps to sneak in the market. For potential malware writers, these walls are not worth the climb, said Charlie Miller, the principal research consultant at Accuvant.
"It is tough to get malware on iOS devices because apps have to go through the App Store, which requires Apple's approval," Miller told SecurityNewsDaily. "The way iOS is designed allows Apple to have a big hand in what software runs on the device. All apps have to be approved by Apple before they can be downloaded to your device. The most obvious pieces of malware will be caught by this, or perhaps malware authors don't even bother trying."
"Obviously, this isn't perfect," Miller added, "but it at least makes it tougher and so on iOS I wouldn't expect major malware problems anytime soon."
Miller knows Apple's security infrastructure well — perhaps too well. Formerly part of Apple's developer program, Miller was famously kicked out in November after sneaking a proof-of-concept malicious app into the iTunes App Store.
Big bad Android
It's impossible to talk about potential iPhone threats without discussing the big green alien in the room.
Android puts its customers at an immediate disadvantage by slacking off on security updates and, to the dismay of anyone who's ever downloaded a fake app, leaving glaring holes in the vetting process for new apps.
"It is far easier for criminals to upload their malicious applications onto the Android market than to sneak them through Apple's app review process," Armstrong said. "I believe it's really a matter of return on investment for the criminals, and other platforms offer greater returns."
Apple's iOS isn't completely bulletproof, said Kevin Mahaffey, chief technical officer and founder of Lookout Mobile. "It’s a potentially dangerous fallacy to believe that any mobile platform is impervious to threats."
It's the difference in the types of threats Android users face — banking Trojans in the Android market as opposed to Web-based threats like phishing emails — and the ease in building Android malware, that make Android devices much more alluring targets.
"Android and Windows are more popular in places where malware has historically been written, specifically Russia and China," Mahaffey told SecurityNewsDaily. "In order to write iOS and OS X software, you need a Mac. Malware writers are unlikely to have a Mac on their desk, making it rather difficult for them to build iOS/OS X malware."
Mahaffey added that there is "a tremendous amount of information," disseminated among the programming community, on how to write Android malware.
Mac or PC?
It's necessary to point out that no computer or smartphone is ever going to be completely impervious to cyberattack. As long as a device exists, someone will find a way to tamper with it.
But even with Apple's staggering profits, and the dozens of glowing white Apple logos you see at your local Starbucks, hackers are still keeping their sights trained on Windows machines. The reason? That's where the money is.
That's not to say there isn't a great deal of malware being written for Mac's OS X platform. But it's all relative, Miller said.
"Mac OS X is not inherently more secure than Windows," he said. "It used to be much less secure, actually, but has caught up for the most part with Windows security-wise. We did see some new malware in 2011 for OS X, and I imagine we'll see more, but that amount of malware comes out for Windows in about three seconds, so it is still two very different worlds at this point."
Miller added, "5.2 million Macs is a lot, but compared to the number of Windows computers sold during that time, I bet it's quite small."
Armstrong agreed. "Even with the surge of new Mac users appearing every day, "the size of the user base pales in comparison to the Windows world," he said. "Attacking OS X has unfortunately offered some successes to the criminals, but they have been far more successful attacking via other strategies on the more common Windows platforms."
Cybercriminals, Mahaffey said, will continue to concentrate their efforts on the systems that present maximum profit with minimal danger. For now, Apple doesn't fit the bill.