
   comp.sys.mac.advocacy      Steve Jobs fetishistic worship forum      120,746 messages   


   Message 119,400 of 120,746   
   Chris to Marian   
   Re: Security Is Far More Comprehensive T   
   22 Dec 25 15:08:37   
   
   XPost: misc.phone.mobile.iphone   
   From: ithinkiam@gmail.com   
      
   Marian  wrote:   
   > Tyrone said:   
   >>> e. You and I use completely different definitions of phone "security"   
   >>> etc.   
   >>   
   >> Yes.  I use multiple sites (some that YOU provided in your attempt to show   
   >> that Android is more secure) that ALL show that the vast majority of security
   >> issues/malware happen on Android.  You use a single site that says iOS had 3   
   >> more zero-day patches than Android last year.  Even with that, iOS is STILL   
   >> way less likely to be infected. Thus, iOS is way more secure than Android.   
   >>   
   >> So obviously, you are going to continue your absurd, undocumented claims. No
   >> one is shocked. As you stated, ignoring facts is not what adults do.   
   >   
   > No serious security expert claims "iOS is way more secure".   
   > There isn't one in the entire world, in fact, that you can find.   
      
   Except the Israeli army.
      
   > It's obvious why.   
   > There isn't a professional security researcher on the planet who says that.   
      
   Only Israeli army intelligence. Who know a thing or two.
      
   > It's only Apple marketing that implies that.   
   > Not serious researchers.   
   >   
   > You are apparently attempting to reduce a very complex subject to a single   
   > metric (malware prevalence), and that is not how security professionals   
   > evaluate operating system security. Malware rates are not the definition of   
   > security. They are one symptom of a much larger system.   
   >   
   > Here are some of the much more complicated facts that matter:   
   >   
   > CISA KEV data does not show iOS as "way more secure." When you query the   
   > CISA Known Exploited Vulnerabilities database, iOS and Android have roughly   
   > similar numbers of actively exploited CVEs over time. That is the only U.S.   
   > government maintained list of real-world, in-the-wild exploited   
   > vulnerabilities. It does not show iOS as dramatically safer.   
      
   As we've discussed before, the KEV cannot be used to make any extrapolation
   or implication. It is an extremely narrow view of the landscape ignoring   
   96% of known vulnerabilities.   
      
   > Zero-day exploitation rates do not show iOS as "way more secure." Google   
   > Project Zero's annual reports show that Apple repeatedly ships code that   
   > has never been fuzzed or tested with modern techniques.   
      
   Cite required.   
      
   > Project Zero has   
   > publicly stated that Apple's code quality and testing coverage lag behind   
   > industry best practices. Again, this is not my opinion; it is documented   
   > research.   
      
   Cite required.   
      
   > iOS's monolithic update model slows down patch deployment.   
      
   Cite required.   
      
   > Before Rapid
   > Security Responses existed, any fix to any system component required a full   
   > OS rebuild and full QA cycle. That is why iOS historically took longer to   
   > patch certain classes of bugs. Android's modular architecture (APEX,   
   > Mainline, Play Services) allows many components to be patched   
   > independently. Update speed is a major part of security.   
   >   
   > Malware statistics do not prove OS-level security.   
   > Malware prevalence is heavily influenced by:   
   > a. market share   
   > b. sideloading behavior   
   > c. user behavior   
   > d. distribution channels   
   > e. regional differences   
   >   
   > Furthermore, mere economic incentives for attackers Malware rates do not   
   > measure kernel security, sandboxing, exploit mitigations, patch velocity,   
   > or code quality. They measure user exposure, not OS architecture.   
   >   
   > No serious security expert claims "iOS is way more secure."   
   >   
   > Security researchers consistently say the opposite: both platforms have   
   > strengths and weaknesses. iOS has a strong sandbox and strong hardware   
   > security, but slow patch cycles and opaque code quality. Android has a   
   > larger attack surface and more malware, but faster patching for many   
   > components and better transparency. Security is not a scoreboard. It is a   
   > system.   
   >   
   > The only meaningful way to compare security is by looking at real-world   
   > exploited vulnerabilities, patch timelines, exploit mitigations, and code   
   > quality. When you look at those metrics, the picture is mixed, not   
   > one-sided.   
   >   
   > So yes, you and I use different definitions of "security." You are using   
   > malware statistics. I am using CISA KEV data, Project Zero research, patch   
   > velocity, exploit mitigations, and code quality. Those are the metrics used   
   > by actual security professionals.   
      
   Cite required.   
      
   As an anecdote, and given you hold Project Zero in such high regard, it was
   interesting to note that the latest Google Chrome high severity (and
   exploited in the wild) vulnerability was found by Apple security researchers
   (together with the Google team).
   https://www.securityweek.com/apple-patches-two-zero-days-tied-to-mysterious-exploited-chrome-flaw/
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
