Worst of Both Worlds

In the recent article about zero day exploits brokers, I found something that surprised me a bit: iOS exploits are better paid than Android ones. iOS is a closed source operating system; although it is harder to learn about its inner workings, it is also harder to fix it quickly. On the other hand, Android is based on Linux, which is open source; hundreds of eyes are looking at potential security holes in code and new versions are "released early, released often". OS should be as fortress and exploits should be rare and expensive, but it is quite opposite.

Possible non-technical cause of this phenomenon lies in demographics of mobile users: rich and powerful people prefer iPhone and therefore potential targets are more lucrative. However, cyber criminals these days try to stay low-profile and attack many small targets instead of few big ones, making every platform interesting target.

How Android stands from technical point of view? Yes, OS is open source and it is possible to patch it quickly, but it is also notorious for slow or non-existent updates. It takes months for new versions to travel from Google to vendors, from vendors to communication service providers, and from providers to users. At the same time, cyber-criminals have plenty of time to find and use the exploits.

This is one of many areas where mobile operating systems are step back from what we have on desktops and servers for years. Vendors are convincing us that smartphones and tablets are appliances without complexity of full blown computers, closer to TVs and washing machines. Behind the scenes, they are more advanced than supercomputers couple of decades ago and, with internet connection, infinitely more vulnerable.

Until vendors gain will and know-how to patch them quickly, we will have OS with worst of both worlds: open for finding new exploits and closed for fixing them.

Photo credit: Jonathan McIntosh, 2003.