iOS speeds patches
Patching is another area where Apple has done as well as desktop operating systems and better than its smartphone rivals. Software developers are fairly speedy in patching vulnerabilities in the operating system and popular desktop software. Yet, in rival smartphone OSes, multiple companies must sign off on a patch to the devices. A patch for an Android phone, for example, is created by the developers responsible for the software component -- in many cases, the product of an open source project -- included in an Android build by Google, integrated into Android by the phone manufacturer, and distributed by the carrier.
In a recent paper, two researchers from the Technische Universität Berlin found that vulnerabilities in "feature phones," a step down from smartphones, were rarely fixed. Five-year-old bugs still affected devices that were just a few months old, according to the researchers. Their conclusion: Carriers have the ability to push over-the-air updates to the phones, but such updates are rarely implemented.
"I have not seen a single case where a phone was updated because of a security bug rather than because a new Android version was available," says Nico Golde, one of the Technische Universität researchers.
On the other hand, Apple has a patch process for iOS that offers updates on a regular basis. Security-conscious iPhone and iPad users will have the latest patches on their devices. Yet, for the average user, Android's over-the-air update mechanism may be a better solution -- but only if the carriers and manufacturers can speed up fixes to their smartphones and tablets, says Accuvant's Miller.
"If you don't plug in your iPhone [into iTunes] all the time, you won't get the patches," he says. "I would almost have someone do it remotely, rather than count on the user to update."
Is anyone really looking to attack iOS?
Windows users have to constantly be on the lookout for malware. Increasingly, so do Mac users. But smartphone users still don't have to face the same dangers, and that continues to be a major security benefit.
Although iOS has a lot of security going on underneath the hood, its safety could be due in large part to the fact that attackers have not focused on compromising the devices because there is no economic incentive to attack them, says Lookout's Mahaffey.
"Mobile devices are in the startup phase of the business of malware," he says. "Attackers are experimenting with business models, but we are not yet at the elbow in the curve." The psychology of the attackers will likely change, but figuring out when serious attacks will start targeting mobile devices, including the iPhone and iPad, is difficult.
The best example of a model of attackers' psychology may be a paper published in 2008, which used game theory to predict that attackers would start targeting Mac OS X when the devices reached a market share of approximately 16 percent.
Although predicting when attackers will take an increased interest in mobile devices would be interesting, it is more difficult than predicting the movement of malware from Windows to Mac OS X. The theory uses variables for market share and effectiveness of defenses, but assumes that the two platforms -- the PC and the Mac -- are of equal value to the attacker. That's not necessarily true for mobile devices.