
Why zero day Android exploits cost far more than zero day iOS exploits (because iOS is far easier to hack)


Arlen Holder

Dec 23, 2019, 11:43:00 AM
*Why are Android zero-day exploits far more valuable than iOS exploits?*

I found this looking up why Android exploits are harder than iOS:
o Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks
<https://www.wired.com/story/android-zero-day-more-than-ios-zerodium/>

"During the last few months, we have observed an increase in the number
of iOS exploits, mostly Safari and iMessage chains, being developed and
sold by researchers from all around the world. The zero-day market is so
flooded by iOS exploits that we've recently started refusing some them,"

"It's long been tougher to find a way into a target device through a
phone's browser on Android than iOS, Shwartz argues, due to the relative
security of Chrome versus Safari."

"But the real source of the changes that have made Android exploits more
expensive, he says, is the difficulty of finding a so-called "local
privilege escalation" exploit for Android, which allows an attacker to gain
deeper control of a phone after they've already gotten a foothold. Thanks
largely to increased security measures in Android phones, LPE exploits are
now roughly as difficult to find for Android as they are for iOS, Shwartz
says."

"Combined with the difficulty of finding a hackable browser vulnerability
to start the chain of exploitation, that makes Android a harder—and more
expensive—target overall."

--
Apple Marketing only (brilliantly) markets the very few chain links where
they're strong; Apple marketing (completely) ignores iOS isn't even tested.

Arlen Holder

Dec 23, 2019, 5:53:17 PM
On Mon, 23 Dec 2019 16:43:00 -0000 (UTC), Arlen Holder wrote:

> *Why are Android zero-day exploits far more valuable than iOS exploits?*

On Mon, 23 Dec 2019 20:39:27 +0100, J.O. Aho wrote:

> Nah, the Android market (82% world wide) is a lot larger than iOS and
> those a 0-day exploit affects far more devices than an exploit for iOS.

The article said that there are so many existing iOS exploits that the
increased supply of iOS exploits lowered the demand (see cite):
o Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks
<https://www.wired.com/story/android-zero-day-more-than-ios-zerodium/>

"*The zero-day market is so flooded by iOS exploits* that we've recently
started refusing some them, Zerodium's founder Chaouki Bekrar wrote in a
message to WIRED."

"*We have observed an increase in the number of iOS exploits*, mostly
Safari and iMessage chains, being developed and sold by researchers from
all around the world."

"*The sheer volume of [known iOS] attacks was highlighted*... when Google
revealed that a hacking campaign had used five distinct full iOS exploit
chains, embedding those attacks in websites to infect the phones of
thousands of victims... Security researcher Natalie Silvanovich
*unearthed no fewer than six zero-click attacks for iOS*."

>> but what about Windows & Linux zero day exploits?
> MS-Windows 0-day exploits can be as much as 1 million USD, while a Linux
> 0-day will just be 500000 USD, this much reflects the change get hold of
> people's bank account details, you get paid more for the OS that is
> easier than for the one that runs on more devices.

This is good information to have, where I'm sure the market dynamics of
Linux are completely different than Windows given the home user is on
Windows while the commercial user is on Linux.

But it would still be nice to have a reference to be sure of the dynamic.

--
Usenet is a public potluck where adults share items of common value.

Arlen Holder

Feb 29, 2020, 9:53:33 AM
UPDATE:

Tom's Guide independently re-affirmed that Android exploits cost "three
times as much" as iOS exploits, according to security researchers today.

o Mobile device security researches discuss frank ractual results on hacking iOS & Android devices (i.e., definitely not marketing bullshit here)
<https://groups.google.com/forum/#!topic/comp.mobile.android/w3aEX2L4x8U>

== == == == == == == == == ==
Dateline a few hours ago...

Tom's Guide gave a synopsis of security researchers' frank comments.
<https://www.tomsguide.com/news/mobile-auth-app-hack-rsa20>

"Security researcher says to 'stop buying' Samsung phones"
'[German phone hacker] Karsten Nohl showed that Samsung was faking
device updates last year' Turner said. 'Stop buying their stuff.'"

"The only form of two-factor authentication without security problems
right now, Turner said, is a hardware security key such as a Yubikey
or Google Titan key"

"Fingerprint readers are biometric toys."

"Asked about biometric authentication such as fingerprint readers and
facial recognition, Weidman said that it's 'better than nothing when
used in addition to passwords.'"

"'You don't want the risk associated with 32-bit iOS,' said Turner,
adding that you should use only iPhones that can run iOS 13."

"And don't think iOS devices are safer than Android ones - they're not.
There are just as many known exploits for either one"

"'We charge three times as much for an Android pentest than we charge
for an iOS one' Turner said, referring to an exercise in which hackers
are paid by a company to try to penetrate the company's security.
'Fully patched Android is more difficult to go after'"

"The iPhone's Secure Enclave offers some additional security, but the
authenticator apps aren't using those elements, said Weidman.
iOS is still good, but Android's [security-enhanced] SELinux is
the bane of [the] existence [of] someone who's building exploits."

"The problem is that if an attacker or a piece of mobile malware
can get into the kernel of iOS or Android, then it can do anything
it wants, including presenting fake authenticator-app screens."

"Apps like Google Authenticator are only as safe as the devices
they run on"

"'What could possibly go wrong when installing a user-mode application
with sensitive cryptographic key materials on a platform with kernel
vulnerabilities?' Turner asked rhetorically."
--
Those who believe iOS is more secure than Android prove MARKETING works!

Arlen Holder

May 16, 2020, 12:24:47 AM
UPDATE:
o FACTS: "New Apple Security Blow: If You Have An iPhone, Look Away Now"
[citing new 0-day exploits that work with all iPhones & iPads]
[images too]
<https://groups.google.com/forum/#!topic/misc.phone.mobile.iphone/exp1iYDs3j0>

*FACTS*:

Specifically:
o *New Apple Security Blow: If You Have An iPhone, Look Away Now*
<https://www.forbes.com/sites/zakdoffman/2020/05/15/new-apple-security-blow-if-you-have-an-iphone-look-away-now/>

/Dateline: May 15, 2020, 01:32pm EDT/

"Renowned vulnerability shop, Zerodium, has publicly announced
'we will not be acquiring any new Apple iOS LPE [local privilege
escalation], Safari RCE [remote code execution], or sandbox escapes
for the next two to three months due to a high number of submissions
related to these vectors.' The firm also warned that there would
likely be price drops for other iOS exploits in the 'near future.'"

"The implication for those hundreds of millions of iOS users is that
those exploits being hawked have successfully found ways to breach
Apple's defences."

"As now, the firm blamed over-supply for the issue, there were simply
too many iOS exploits knocking around. The latest news suggests that
has gotten worse."

"After a dreadful April, here we are in May with yet another security
blow for the hundreds of millions of iOS users around the world.
And this time, it's more than just an overblown exploit that can be
*downplayed*, this time it's confirmation that a glut of new security
exploits are targeting iOS users."

o *The article referenced just a half-dozen of the recent flaws:*
(1) "After some torrid security disclosures last year"
<https://www.forbes.com/sites/zakdoffman/2019/08/30/google-shocks-1-billion-iphone-users-with-malicious-hack-warning/>
(2) Only _days_ after this big iPhone vulnerability
<https://www.forbes.com/sites/zakdoffman/2019/08/26/apple-just-gave-1-billion-iphone-users-a-reason-to-stay/>
(3) Google proved iOS couldn't have been tested sufficiently.
<https://www.forbes.com/sites/zakdoffman/2019/08/30/google-shocks-1-billion-iphone-users-with-malicious-hack-warning/>
(4) "ZecOps [found] a zero-day vulnerability with Apple's native mail application"
<https://www.forbes.com/sites/zakdoffman/2020/04/22/serious-iphone-hack-just-exposed-new-report-says-victims-wont-notice-anything/>
(5) "Then, just a couple of days later, we had reports of a new text bomb"
<https://www.forbes.com/sites/zakdoffman/2020/04/24/apple-users-beware-this-malicious-new-iphone-text-bomb-crashes-ios-13-heres-what-you-do/>
(6) Then, five days later Project Zero reported "numerous new vulnerabilities"
with Apple's handling of obscure image formats.
<https://www.forbes.com/sites/zakdoffman/2020/04/29/google-surprises-apple-users-with-numerous-new-security-issues/>
(7) Zerodium, has publicly announced "we will not be acquiring any new Apple iOS LPE
[local privilege escalation], Safari RCE [remote code execution],
or sandbox escapes for the next two to three months due to a
high number of submissions related to these vectors."
<https://twitter.com/Zerodium/status/1260541578747064326>

Note how _little_ Apple spends in R&D (e.g., testing is part of R&D):
o *Does it surprise you Apple spends less in R&D (proportionate to revenue) than similar tech companies?*
<https://groups.google.com/forum/#!topic/misc.phone.mobile.iphone/STrAkx09VYk>

Perhaps the result of Apple's dearth of R&D spending is visible here:
o *What is the factual truth about PRIVACY differences or similarities*
*between the Android & iOS mobile phone ecosystems?*
<https://groups.google.com/d/msg/comp.mobile.android/FCKRA_3i9CY/Bm40liKdEQAJ>
--
The problem with MARKETING is that many people only believe what MARKETING
feeds them to believe instead of using factual rational reasoned logic.

Arlen Holder

Dec 5, 2020, 10:37:48 PM
By now I'm sure you all heard about new flaws in iOS where Google asked:
o "Is it really that easy to fully & completely compromise iOS?"

The answer was "yes", where it seems there's a ton of untested code from
1985 in "core iOS", where, it seems, a LENGTH call was _never checked_.

What?
o A buffer overflow?

Really?
o On something as _obvious_ as a LENGTH check no less?

Can you believe it was _that_ easy?
o One bug. And the entire iPhone is yours.

It's zero click.
o And wormable.

All because of a single bug in iOS
o Which Google clearly said, tons more almost certainly must exist.

All that is covered in gory detail in this thread already:
o Yet again (it never ends) hackers exploit iOS insecurities with zero-day remote access to the entire device over Wi-Fi, with no user interaction required at all
<https://groups.google.com/g/misc.phone.mobile.iphone/c/7Mc1sX9XISA>

Where the point of this post is to impart this separate reference
o Which applies to both Android and to iOS security with respect to hackers

o Inside the secretive industry that helps government hackers get around encryption
<https://www.vice.com/en/article/8xdayg/iphone-zero-days-inside-azimuth-security>
--
Apple users just want to "feel" secure - which MARKETING gladly feeds them.
(That's why Apple's iOS has _never_ even once been sufficiently tested.)
(Project Zero proved that many times, and Apple engineers confirmed it.)

Alan Baker

Dec 5, 2020, 11:12:18 PM
On 2020-12-05 7:37 p.m., Arlen Holder wrote:
> By now I'm sure you all heard about new flaws in iOS where Google asked:
> o "Is it really that easy to fully & completely compromise iOS?
>
> The answer was "yes",

Nope. That's a lie.

>