Researchers craft Android app that reveals to find horrific menagerie of hidden spyware; legally barred from doing the same with iOS

So where can I find a link to this? There doesn’t seem to be one on the Exodus page.

Privacy is now against the law in the USA. Please ask tRump if evidence is needed…

But this post, in its pursuit of making Apple’s walled garden the primary villain, implies the latter is decisively more important than the former. That is, unlike the source article, you suggest it’s better to have a platform that cannot and does not block harmful software, so long as researchers have a way to detect it; and that it’s worse to have a platform that can and does, if researchers are (potentially) unable to audit it.

This seems to me like a false dichotomy. Simply booing Apple (much less cheering Google by default) rules out learning from what Apple gets uniquely right.

In Apple’s design, there is no way for software to run on your phone unless (1) the user consciously put it there, (2) it has a cryptographic paper trail connecting it to its author, (3) it runs within a restrictive sandbox, and (4) it has been manually verified against a list of legal, ethical and quality criteria (unless you compiled it yourself). That guarantee is only possible because of Apple’s totalitarian control; it couldn’t be sustained if the ecosystem included jailbroken phones or sideloaded software.

That means there’s less malicious code out there to begin with, and what does get through is more limited in what it can do, and the defendant for any lawsuit is always well-defined, and there exists a means to globally remove the code and prevent it ever being installed in the future. If the question is “what can courts or governments do about malicious software?”, for iOS the answer is “quite a lot”, where for every other platform the answer is “pretty much nothing”.

Neither iOS nor Android represents a perfect answer, but luckily for us there aren’t just two monolithic choices. I suspect the future will look something like Apple’s model, but with the uglier edges filed off. Sort of like how Portland has a police department, I guess?

Or apple decides to put it there or allow third parties to do that. And without the means to look for malware, there is no way to be sure.

Yes, sad that you can’t get this for iOS. Only alternative is to be woke and when in doubt, not to install.

But is there any doubt that there are magnitudes more spyware amongst Android apps than iOS apps? And, BTW, aren’t Google’s apps and Facebook essentially spyware?

Right, but in the absence of any platform that satisfactorily answers all concerns, the best you can do is look at what choices actually expose you to more threats. Apple has a pretty good track record, and are straightforwardly financially motivated to keep malware off your phone.

(Plus: since you always implicitly trust your hardware vendor, in the case of Apple, it is moot whether you trust the OS vendor anyway)

(Also: with the means to look for malware, there is no way to be sure)

Surprised? The creator of the Android ecosystem is an advertising company who believe we should be tracked.

This article is legit. Letting app creators know where their installs are coming from is important information. (Expensive advertising or free word-of-blog?) It’s what it doesn’t mention that raises my eyebrow. They have to be tracking unique installs by device, to make sure that it’s not some guy in India continually re-installing the app for pay. There’s no mention of user security and that there’s no way to track the provided data back to an actual device.

Now, that could be because that’s been worked out years ago and it’s not an issue, or … it’s an afterthought.

The real problem with spyware is that we don’t really have the choice. Sure, one can install lineage os and use fdroid to stay google free, but as soon as one wants to use anything commercial, say to watch videos, buy music, communicate with non-geeks, order a taxi, whatever… any app will simply take control of your phone and send all the data it can grab to its home server. And if you don’t do it on your phone yourself, all your friends are doing it anyway and their phones share all the data they know about you.
We have a real problem and we are only starting to realise the size of it.

The iOS thing has nothing to do with iOS being more secure than android against a snooping app - the reason the resarchers didn’t port the app and run it on iOS was all about the law. So the analogy isn’t that there is a security guard / vault door present. It’s that there is a piece of paper describing how they will sue you under DMCA and various other laws for entering the vault and having a look. - A defense that keeps legitimate researchers out but doesn’t really stop a criminal from producing an app or infecting a third party one before it’s signed / delivered to the app store. And of course if you root your iphone so you can pirate apps then of course that app could be malicious without needing a signing signature.

I think you both meant “Lepoard”.

shows self the door

Please could you clarify?

This is a bullshit equivalence. There’s nothing stopping them from whipping up Xcode and writing a POC on an iOS device. No “DRM unlocking” required.

Not quite right. What my reading of it gave me was that Apple claims that its security features are Technological Prevention Measures, aka DRM under the DMCA, which means it’s illegal to break them.

What security features are being referred to here? The quoted section is referring to using public APIs and SDKs to stealthily track users. There’s nothing about breaking security features in the OS.

I believe the breaking of security features would come in when the researchers’ app attempts to monitor the use of public APIs and SDKs by other apps - i.e., breaking out of the sandbox to see what the other apps are up to.

You don’t need to do this on-device, though. You can set up a proxy like Fiddler or WireShark as a MITM to see what’s being sent. Obviously this will only help you when the trackers actually phone home, but it’s not like this is impossible to monitor without breaking out of the sandbox.

It’s a Douglas Adams reference. ‘In the basement, in the bottom draw of a file cabinet in an unused lavatory with a sign labeled “Beware the Lepoard”’ if memory serves me correctly…

Leopard.
I thought it might be some obscure reference to Mac OS 10.5 with a deliberate mis-spelling.

Apologies, my spel cheker is borken.