updated 09:50 pm EST, Tue January 11, 2011
Trend Micro warns Android inherently vulnerable
Trend Micro chairman Steve Chang warned in an interview published today that Android was significantly more open to attack than iOS. Google's decision to allow some open-sourcing and to have only a light approval touch let malicious coders get more information about how to stage viruses and other malware. Apple's decision to close off much of the iPhone OS, to sandbox code and to vet apps more closely may have antagonized some, Chang told Bloomberg, but has also led to a more secure platform.
"We have to give credit to Apple, because they are very careful about it," he said.
It was virtually "impossible" for some kinds of rogue code to work on an iOS device, he explained. Viruses that deliberately 'decompose' to avoid being recognized by antivirus scanners and then reassemble afterwards can work on Android but won't succeed on iOS. He didn't explain what made this possible, though Android apps are allowed to extend or modify parts of the main OS where these are usually fenced off on iOS.
iOS was still vulnerable, Chang emphasized, but mostly to social attacks where customers were tricked into voluntarily compromising the security of a device. Most significant security issues in iOS have come from visiting specially crafted websites that take advantage of an unpatched exploit.
Android has often been embraced for the greater amount of flexibility that comes from its more open structure. Advocates of open-source, both on Android and elsewhere, have noted that the same ease of exploiting vulnerabilities often helps speed up patching or finding exploits ahead of hostile users. Google itself also dismissed the risk by noting that every app by its nature involved a certain amount of faith in its creator's honesty. Android always gives users a list of permissions the app needs to run, which Google hoped would be enough.
"On all computing devices, users necessarily entrust at least some of their information to the developer of the application they're using," it said.
Apple has been criticized for limiting the potential of its platform by restricting what apps are allowed to do and preventing the installation of non-Store titles. As a consequence, however, stories of substantial malware have been almost non-existent and usually reserved for jailbroken phones whose defenses have been left open.
Regardless of OS, Trend Micro's Chang had a vested interest in discussing vulnerabilities, as he had both a full antivirus app for Android and a less extensive security app for iOS users.