There is no evidence that it is happening, with plenty of security researchers and interested amateurs keeping their eyes open for it. There's nothing special about iOS that prevents you from discovering this sort of app behaviour that isn't present on Android.
The threat is not theoretical. Several iPhone apps have been pulled from the App Store after being found to be harvesting user data, intentionally or unintentionally. A game called Aurora Feint was uploading all the user contacts to the developer's server, and salespeople from Swiss road traffic information app MogoRoad were calling customers who downloaded the app. Game app Storm8 was sued last fall for allegedly harvesting customer phone numbers without permission, but it later stopped that practice. And users also complained that Pinch Media, an analytics framework used by developers, was collecting data about customer phones.
It's being noticed in the biggest similar ecosystem, too, so by that logic it should be noticed in both if it is present in both.
Sorry, but how does discovering one instance of malware in the Android Market imply that any instance in the iOS Store will be discovered at the same time? Is there some sort of quantum-link that I'm missing?
The Apple review process is present in iOS.
I was told the Apple review process does not involve a full code analysis. And even if it did, malware authors are known to be quite creative in hiding their payloads.
Apps you have installed might or might not already contain shellcode embedded into seemingly innocent images or assets, with very little chance of detection.
I'm not a security researcher or blackhat. But under the premise that you can (afaik) not root a phone without the user noticing, my strategy for pulling off an attack would be a sleeper-strategy. I'd first seed my payload silently, and then pull the trigger all at once, at some point in the future.
Moreover, considering there has been a one-click Safari jailbreak[1], you may not even need to embed actual malware in an app. It may be enough to be able to remotely instruct the app to load a specific URL at your command - now how's that for an attack vector.
So, technically there is no difference between doing either on Android or doing it on iOS.
If you still want to claim otherwise then you should come up with a better argument than "but Apple has a review process!".
> Sorry, but how does discovering one instance of malware in the Android Market imply that all instances in the iOS Store will be discovered at the same time?
Twofold: this is not the only incidence of malicious software on Android, and I never made the claim that all instances should necessarily be immediately found - just that, if it's as easy to slip in as the OP claimed, SOMETHING should've been found by now.
Well, I'm working about as hard as PG. No, actually I work much harder.
I SHOULD have found the one startup-idea by now that takes off and makes me as wealthy as him!
Notice the flaw in your reasoning? There is no correlation.
Finding a great startup idea and detecting malicious software are vastly different things.
If inserting malware into iOS is simple, it would be done, and done widely. If done widely, the chances are very good that someone would've detected it in at least one such application.
This is one thing I've been wondering about, how is it that they don't know every single API call the executable is linked to?
I know that Objective-C and messaging is different from function linking in some fashion, but certainly there must be a way of determining if disallowed APIs are ever called, at all, without just using the app and hoping you trap them.
I think at the very least they should be able to examine the executable for object types used, and function signatures used, as well as determining what signatures are passed to which objects.
> This is one thing I've been wondering about, how is it that they don't know every single API call the executable is linked to?
They do. I used an old example from the Internet, and that API was now private; Apple rejected the app and included the name of the API that I wasn't supposed to use.
I think you're both right in different ways. The positions "if it can happen it has or will" versus "yes but there is no evidence so it probably hasn't or won't" both have merit and are not explicitly in conflict. But I'm reminded of that quote:
"In theory there is no difference between theory and practice. In practice there almost always is!"
It gives users a false sense of security. The average user is far more willing to trust an arbitrary iPhone application than an arbitrary Windows application, do you not agree?
No, I don't really. I don't think those with a high level of technical intelligence will be affected by wall or wall-less, while those with less than moderate TI probably don't even realize that one marketplace has or doesn't have an approval process. So it's equally dangerous, but I don't think more so.
A walled garden is unquestionably better. It isn't foolproof but it's the same situation as security: you can't make your system completely secure but you can make it more secure than the next guy. The Android store is the next guy.
Apple does not examine full source code, but they do watch network traffic and examine API calls. At least they do something.