"I think the model is generic enough to predict when people will move from attacking PCs to attacking handsets," says Adam O'Donnell, the author of the paper and the chief architect of the cloud technology group at Sourcefire. "The problem is that there is going to be different values in attacking each, and actually determining the value of compromising each will determine when attackers move to primarily attacking handsets."
Recognition, but not kudos, for Apple

Yet Apple does not necessarily deserve the credit for creating the amalgam of software design and process decisions that ultimately results in its secure iOS platform. The security features in iOS were adopted by necessity, not by design. When it initially arrived in 2007, the iPhone immediately became a target of security researchers, who found vulnerabilities quite quickly.
Moreover, the choice to have strict control over the App Store was driven more by profit considerations than by security foresight, he says. "They did not set out to create a supersecure device," Accuvant's Miller says. "They just wanted total control over the apps because they are control freaks, not because they wanted to prevent malware."
Apple's closed platform can also work against its security. Companies that want to develop stronger security for the device have been mostly prevented by Apple's iron-fisted control over iOS. When Trend Micro wanted to release a browser plug-in to identify malicious sites, for example, Apple refused to allow the add-on. After months of negotiations, the security company finally was allowed to release its own stand-alone browser into the App Store.
That's the key: If you can convince Apple of the benefits of the change, the company can be swayed, says Trend Micro CTO Genes. On iOS 4, for example, Trend Micro's Smart Surfing app can intercept the URLs and run them through a list of bad sites, he says. Still, the process for getting there was painful and could slow the adoption of innovative security technologies, he warns.
"We can do things on [other platforms] to protect them that we can't do with the iOS," Genes says, "so their control over the platform has its good and bad points."