Android Phones May Now Be More Secure Than iPhones

In all the heated debates between iOS and Android fanboys, privacy is not a war that Android often wins. Apple’s walled garden approach to apps has its problems, but Google Play has historically been flooded with unsafe apps. The open source nature of Android has given hackers leeway to find security loopholes, and there’s still no default encrypted messaging app on the platform. Plus, less than 10% of Android users have updated to the latest version of the OS. In other words, nearly all its users run outdated software which almost certainly has bugs and security loopholes.

Apple, meanwhile, puts the spotlight on its privacy centric features at every opportunity it gets. Its well-enforced App Store guidelines have weeded out millions of unsafe apps and the company’s regular OS updates are quickly installed by most of its users. Apple’s encrypted messaging app, iMessage, and its famous blue bubbles are now a status symbol, and the company’s opposition to creating back-door access for law-enforcement agencies is headline-grabbing news that reinforces its image as the protector of your privacy.

But things could be changing. By studying the market for iOS and Android zero-day exploits, we can get a decent idea of the security of each platform.

The zero-day marketplace

A zero-day (0-day) is a vulnerability in software or hardware that has been discovered but not yet patched. These pose a severe threat because they can be exploited to spread malware, steal sensitive data, take control of the targeted device, or worse.

It gets its name from the fact that the vendor had zero days to issue an update to fix the vulnerability. Antivirus, firewall, and other security features are ineffective against them, making them powerful weapons and lucrative commodities.

“The zero-day market is based on supply and demand, a spike in supply of zero-day exploits for a specific product means that the security level of that product is decreasing and the price goes down as there are too many exploits available,” Chaouki Bekrar, founder of the well-known exploit acquisition platform Zerodium told the website SecurityWeek. “Obviously, we cannot draw a final conclusion about the overall security level of a system just based on its bug bounty price or the number of existing exploits, but these are very strong indicators that cannot be ignored.”

The changes in prices for iOS and Android zero-days

Zerodium lists the maximum payouts for different types of exploits on its website. Historically, iOS exploits have been valued much higher because they are harder to find. In January 2019, for example, Zerodium offered up to $2 million for an exploit that can lead to iOS jailbreak with zero clicks (no interaction from the target user) and $1.5 million for an exploit that requires one click. Meanwhile, the maximum payout for an Android exploit was capped at $500,000.

But in September, Zerodium made a surprise announcement in which they increased the maximum payout for Android exploits to $2.5 million. For the first time, they were paying more for Android hacks than iOS hacks. They also decreased the payout for some iOS exploits.

This could either mean that Android is getting more secure and vulnerabilities are harder to find, or that a disproportionate attention to iOS exploits over the years has increased its supply and depressed its prices.

In a message to Wired, Bekrar confirmed that it is a bit of both. “Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time-consuming to develop full chains of exploits for Android and it’s even harder to develop zero-click exploits not requiring any user interaction.” But on the other hand, he writes, “During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some of them.”

Maor Shwartz, an independent vulnerability researcher who also spoke to Wired, agreed. He says that the majority of the targets are Android users, but the number of vulnerabilities is lower because a lot of those vulnerabilities have been patched. “Every researcher I’ve talked to, I’ve told them, if you want to make money, go focus on Android,” said Shwartz.

Shwartz also says that Android vulnerabilities are more valued because it’s harder to find a browser vulnerability in Chrome than in Safari. That, combined with the difficulty of finding something called a “local privilege escalation exploit,” makes Android a difficult target. Previously, this exploit was only hard to find in iOS, but recent security improvements have made it rare in Android as well.

Over the years, Google has also been silently strengthening Android by adding new file-based encryptions, modifying what resources an app can access and how, and adding mitigations to make hacking harder even with zero-day exploits. If you’re interested in learning more about this, watch Android’s principal software engineer, Narayan Kamath, go over the privacy features of the upcoming Android 11 in this video. Ironically, Shwartz credits these improvements to Android’s open source approach. For many years, the better security in Apple devices was attributed to its closed nature.

The glut of iOS exploits was once again exposed this year when Zerodium announced in May that it was temporarily stopping purchases of certain iOS exploits and reducing the prices it would pay on many other iOS exploits due to a high number of submissions. After the announcement, Zerodium CEO Bekrar followed up with a blunt tweet: “iOS security is fucked . . . Let’s hope iOS 14 will be better.”

However, Ryan Naraine, director of security strategy at Intel, dismissed the announcement as “pure PR/marketing shenanigans,” reminding us that Zerodium’s claims need to be taken with a grain of salt. A lot about the company is still unknown, including the list of buyers it sells to and the exact prices it paid to acquire zero-days in the past.

Nevertheless, there are other sources that corroborate Zerodium’s observations.

In an interview with SecurityWeek, Zuk Avraham, founder of mobile security firm Zimperium, also confirms the decrease in prices of iOS exploits. He adds: “Large portions of iOS code were not touched for years, it is a known secret that many of the vulnerabilities aren’t patched properly, and in general, there are many vulnerabilities in iOS — much more than what most people think or are aware of.”

Many of these vulnerabilities were exposed by researchers working for Google’s Project Zero in August 2019. They found five severe exploit chains that affected iPhones running nearly every version of iOS from iOS 10 to iOS 12, the latest at the time.

Another researcher who goes by the name axi0mX discovered an unfixable zero-day vulnerability in the iPhone bootrom. This zero-day resulted in an exploit dubbed “checkm8” that allows jailbreaking of iPhones from the 4S to the X.

The developers of the popular jailbreaking tool UnC0ver took this even further and released a new jailbreaking tool that works on iPhones running iOS 13.5, the latest version until the first week of June when Apple released an update with a patch. This jailbreak exploits a zero-day bug in the kernel.

Adding to this list is an often overlooked aspect of iOS privacy: the lack of end-to-end encryption on iCloud. That means that while Apple can refuse to help law-enforcement agencies in unlocking a phone because it does not have the means to decrypt it without creating a back door, it cannot say the same when the FBI asks for a person’s iCloud backup. Apple is required to turn over data from iCloud if law enforcement requests it because Apple has the ability to decrypt the data. Meanwhile, the latest Android devices support fully encrypted backups, making it all the harder for anyone to access your data.

Advancements in iOS data extraction services

Atlanta-based Grayshift and Israel-based Cellebrite sell tools to law-enforcement agencies around the world that the agencies can use to unlock and extract data from password-protected phones.

These companies exploit zero-days to bypass the limitations on the number of password attempts, allowing them to try different passcode combinations without getting locked out of the device. They also have exploits that allow the extraction of data from these phones.

The FBI recently used a Grayshift product to unlock an iPhone 11 Pro Max, Apple’s most advanced iPhone. The agency frequently works with Cellebrite too, and is speculated to have used its services in 2016 to unlock the iPhone of the San Bernardino shooter, the incident that led to the famous court battle between Apple and the FBI over encryption. However, the Washington Post reports that the FBI unlocked the device by paying a professional hacker for another iOS zero-day instead.

In a series of tests, the National Institute of Standards and Technology (NIST) compares the services offered by these companies. According to Vice, the tests found that Cellebrite’s UFED tool is capable of fully extracting a vast trove of information from an iPhone X, including GPS data, call logs, contacts, and messages. It was also successful at extracting data from apps like Instagram, Snapchat, and Twitter, among many others.

But NIST found that the same capabilities did not extend to the latest Android devices. On devices like the Google Pixel 2 and Samsung Galaxy S9, the tools could not extract GPS, browsing history, and social media data. It also wasn’t able to extract any data from the Huawei P20 Pro.

“Right now, we’re getting into iPhones. A year ago we couldn’t get into iPhones, but we could get into all the Androids. Now we can’t get into a lot of the Androids,” Detective Rex Kiser told Vice. Kiser is in charge of digital forensic examinations at the Fort Worth Police Department.

But since these tests were conducted, Cellebrite has updated the capabilities of its tools and it appears to be better at extracting data from the latest Android devices. There are companies and federal agencies that can find a way to crack iOS and Android devices; it’s only a matter of how hard it is. Cellebrite is getting better at getting into Android, but it’s still a harder target, meaning that it’s now easier to find zero-days to exploit on iOS devices than Androids.

Grayshift, on the other hand, currently only works on iOS devices, but the company is planning to make a tool for Android as well, another sign of an increased demand for Android exploits.

A word of caution

While it might look like Android is becoming safer than iOS, most of the new security features are only present in the latest Android versions and smartphones, and most Android users don’t have the latest versions of the software or the hardware.

[Figure: Apple iOS version distribution (top) vs. Android version distribution (bottom)]

While nearly 70% of all iPhone users run the latest version of iOS, less than 10% of Android users can claim the same.

Moreover, when a zero-day is discovered and a patch is issued, users must update their phone to apply the patch. Apple can easily send updates to iOS devices because Apple doesn’t have to deal with multiple hardware manufacturers (Samsung, OnePlus, Huawei, etc) like Google does. The updating process is relatively automated as well. Although Google is also working to deliver security updates in a similar fashion, it still has some way to go before many of its users catch up to the latest version of Android.

Until then, Android’s superior security, if it exists at all, will only be available to a meager percentage of its users.

Translated from: https://onezero.medium.com/is-android-getting-safer-than-ios-4a2ca6f359d3
