• stevedidwhat_infosec@infosec.pub
    link
    fedilink
    English
    arrow-up
    80
    arrow-down
    22
    ·
    9 months ago

    Ignoring the users in here who obviously don’t understand how critical SMS actually is and how fucking awful it is from a security standpoint because they’d rather be armchairs than actually learn anything useful or true…

    Wondering if this sudden move is at all to do with Apples announcement of their quantum encryption. US govt intel complex is probably seething rn

    • Philippe23@lemmy.ca
      link
      fedilink
      English
      arrow-up
      28
      arrow-down
      2
      ·
      9 months ago

      If Apple cares about protecting privacy they’d use an open, interoperable, cross-platform standard instead of just making cracks like, “just buy your Mom an iPhone.”

      • stevedidwhat_infosec@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        35
        ·
        edit-2
        9 months ago

        But android does this exact thing and has far more vulnerabilities

        Open source doesn’t magically make things more secure unfortunately, no matter how many people seem to think this

        • FiniteBanjo@lemmy.today
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          9 months ago

          AOSP Development was almost completely separated from the commonly distributed Android OS around version 2.2 in like 2010-ish, if I’m not mistaken. If you do get an OS built upon the old open source versions, they are usually quite secure and value privacy heavily, such as CalyxOS.

          So no, Android is not Open Source nor is it free, but yes proprietary Android software has more potential vulnerabilities.

          • stevedidwhat_infosec@infosec.pub
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            7
            ·
            9 months ago

            Last year android had 1400 vulnerabilities to iOS’ 482.

            402 of androids were above a CVSS score of 7 & 221 for iOS.

            Android is less secure than iOS on average and Apple is widely known to be more secure than android. That’s not to say I’m a fan of things apple does. I’m purely speaking vulns for one OS to another.

            • TurtledUp@lemm.ee
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              1
              ·
              9 months ago

              The more used OS will always have more people looking for ways to break it. Same shit happened with windows and Mac. The old picture of the house in the city with bars on the windows vs a house in the country with unlocked doors still applies.

              The only vulnerabilities you even really need to worry about are zero days which won’t be in the threat tracking databases.

              • stevedidwhat_infosec@infosec.pub
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                Right but that’s a contributing factor to iOS’ strength

                Their risk surface isn’t massive…

                Their App Store is on a tighter leash too so less risk there and less opportunities for persistence/c2 activity which encourages and enables further vuln discovery and valuable data mining on devices

                I’m confused what you’re arguing here

            • vinyl@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              9 months ago

              Just recently it was discovered that apples m1 silicon has a security vulnerability that exposes encryption keys under certain conditions and it’s a hardware vulnerability which is unpatchable without buying the newer models.

              • stevedidwhat_infosec@infosec.pub
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                9 months ago

                I’m not saying that apple is invincible…

                I think you may be misunderstanding if you thought my view was really that shallow…

            • 0xD@infosec.pub
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              9 months ago

              You can’t compare those two. First of all, Apple’s walled garden makes it significantly harder to perform security research. Second, Android has a way larger ecosystem and is not a monolith, so of course there’s gonna be more.

              Apple = Apple, but Android ≠ Android.

              • stevedidwhat_infosec@infosec.pub
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                So fine, do you wanna look at specific numbers for the pixel, Samsung, huwaeii, etc against iOS? Bc we can!

                • an ex android guy who switched to iOS after researching the stats

                Also, I hope you see the irony in you saying we can’t compare apple(s) to oranges (android as a whole ecosystem).

                You definitely can, and I did so fairly.

                • 0xD@infosec.pub
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  9 months ago

                  If you had any idea about how it works, you would not compare them. If you had any idea about how hard Apple makes security research, especially without a Mac, you would not compare them.

                  But you don’t know what it’s about. Being a consumer does not make you an expert.

                  • stevedidwhat_infosec@infosec.pub
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    edit-2
                    9 months ago

                    When have I claimed to be an expert?

                    Second off, I am fully aware of how difficult apple makes testing their product, given that they’re proprietary software and not using something easily reversed or cracked (encryption, not license keys of course) which is part of their defense for using a walled garden for security (security by obscurity isnt security though, and it’s only a matter of time before the public builds up enough of a knowledge base to not need docs from the manufacturer.

                    Private companies exist (plenty of em too) who’s sole purpose is to find exploits for “cops and police” to access perpetrators data.

                    I work in cybersec, I’m fully aware but thanks for making a random assumption about me, someone you don’t know, kinda hypocritical don’t you think?

                    Idk why I feel the need but here we are - I’m tired of people in this thread trying to switch gears and move goal posts. We’re talking about major consumer use of OS which means mainstream OS’s - apple has historically lower vuln rates. Partly due to obscurity, which will evaporate more as time goes on unless apple continues to change things behind the scenes which could get costly.

                    Google has their perverbial ass hanging out so that people can analyze it more easily for vulns (you’ll notice I said more easily, because people can and do test iOS for vulns all the fucking time) and will constantly have shit to patch. Which means more vulns are known more consistently whereas apple has phases where people are still figuring shit out. Which gives apple time to patch fairly quickly id say if you’d like to look at those specific metrics.

                    I’m not interested in words, I want you to point out numbers and metrics if you have them. Fact is that apple is, on average, more secure than a typical end-user android OS.

    • underisk@lemmy.ml
      link
      fedilink
      English
      arrow-up
      28
      arrow-down
      8
      ·
      9 months ago

      There certainly is a history of attacking Apple over their use of encryption. I wonder if they’re still mad they didn’t get that iPhone backdoor they wanted.

      • theneverfox
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        9 months ago

        Oh, they got it. Just not from Apple… If you have physical device access, we have basically zero methods to stop nation state level access

        I believe there was an Israeli provided crack on that issue

      • stevedidwhat_infosec@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        10
        ·
        edit-2
        9 months ago

        Unfounded paranoia, google on the other hand has a history of this. Not to mention the audio recording from chrome browsers.

        • umbrella@lemmy.ml
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          1
          ·
          9 months ago

          thats a bit naive

          apple was already collaborating in the snowden days

            • umbrella@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              9 months ago

              i mean they are part of the PRISM program like google, microsoft and others, as revealed by snowden back when he leaked it. they are doing some questionable mass image hash scanning in the name of “protecting the children” now too. i’m sure you can find more bullshit by simply reading their TOS.

              honestly its very safe to assume every single stock firmware, on every device is compromised unless its FOSS. this includes cars, tvs and everything in between.

              the single major advantage of android in this respect is that you can change the OS that comea with it. i think its the only real way to use phones semi privately now.

              • stevedidwhat_infosec@infosec.pub
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                9 months ago

                Okay well now we’re talking about leaked government documents…

                Which comes with a whole different set of rules including mechanisms like false info. Specifically, tactics like misdirection (to sway public opinion against good-guys, perhaps like apple, while still not lying about any bad guys involved, a proverbial shit bomb which makes everyone appear guilty)

                Not sure why Apple would be so public in fighting against the cia/fbi regarding giving them a way into your phone if they were already letting them in lmao.

                What sense does that make?

                I do, however think that hardware should be open-sourced and heavily subsidized from a career standpoint for pen testers so that we can have standardized and vetted hardware which can run Apples flavor or androids, etc. This is however pretty far out from my realm of knowledge so I can’t speak to likelihood or anything like that.

                Just know we agree on your very last point

                • umbrella@lemmy.ml
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  9 months ago

                  i dont care what their PR department is saying, or making it look. in fact its the very last thing i care, their actions speak louder.

                  if you want to think apple devices are not spying on you because of reasons you are free to do so, im not gonna argue that.

                  • stevedidwhat_infosec@infosec.pub
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    9 months ago

                    You didn’t answer my question

                    Why would apple openly fight the govt on this?

                    If we can’t trust anything you see or hear how do you plan to cope with reality? Nothings believable? Seriously? Good luck dude.