Author Topic: Why is it the more I read the EEVblog forum, my expectations of Apple keeps...  (Read 43671 times)

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Quote from bd139:
> Spot the number of penetration testers who own android phones as an example...
>
> As for durability of iPhones my 6s takes a hell of a beating. I've dropped it onto concrete a few times. Has a cheap TPU case on it (cloned apple one). Plus it has been in a sink of water.

What? You know any who doesn't?

My HTC never had a case because, if the phone is well constructed, it doesn't need one. It just gets bulkier and looks stupid.

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4317
  • Country: us
  • KJ7YLK
> Why is it the more I read the EEVblog forum, my expectations of Apple keeps getting lower and lower.

If you had watched any of Louis Rossmann's repair videos, there wouldn't be a shred of doubt in your mind.
Apple blatantly and chronically treats their customers like fecal matter. They don't even apologize anymore.

And if you don't believe Rossmann, take a look at Linus' recent video:

https://youtu.be/9-NU7yOSElE
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
> I wouldn't trust ANY android phone regardless of status. Spot the number of penetration testers who own android phones as an example...

To be fair, I know penetration and security experts across Australia (actual experts, not just someone who can load up Kali Linux and call themselves one) and the vast majority of them use non-Apple phones, mostly selected Android handsets. I say selected because not all Androids are built equal, some require little more than a PC and a few clicks to recover data, others are not possible (yet). If you think Apple keeps you any more secure, you're mistaken.

But you're right, I wouldn't trust any phone either to harbour secrets. What might be secure today, might not be tomorrow.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
You're missing the point entirely.

The highest risk vector is the users. We’re defending from the users of the device. Loss, infection, drive by attacks, misuse etc. If we go against state level actors there is no chance and not our problem really as it’s either something we’d report to NCSC/GCHQ or have a warrant for.

Handing an android handset to an inexperienced user is like giving a monkey a gun.

Was it 2017 that there were 500-odd CVEs against android?
 
The following users thanked this post: tooki

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
> You're missing the point entirely.
>
> The highest risk vector is the users. We’re defending from the users of the device. Loss, infection, drive by attacks, misuse etc. If we go against state level actors there is no chance and not our problem really as it’s either something we’d report to NCSC/GCHQ or have a warrant for.
>
> Handing an android handset to an inexperienced user is like giving a monkey a gun.
>
> Was it 2017 that there were 500-odd CVEs against android?

I don't think I have missed the point at all, but completely agree with your comments. For the most part, the user is the weakest point in the system. I was simply responding to your comment where you said:

> Spot the number of penetration testers who own android phones as an example...

You were implying that experts in the cyber security and INFOSEC disciplines avoid Android handsets, when that is simply not true. Just like a Windows machine, if it's properly configured, certain Android handsets can be very secure.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11473
  • Country: ch
> Here's a completely non-technical opinion of Apple. I've never owned an Apple product until about 6 months ago when I got the itch to buy an iPad. At $329 (US), it seemed reasonably priced, so I drifted over to my local Apple store at lunch-time.
>
> Being that it was my first ever visit to an Apple store, I was somewhat puzzled at the nine large tables with all of the Apple products - NONE had a label next to them saying what it was and what the price was. I've never been in a "retail" store where the descriptions and/or prices were not prominently displayed.
>
> I managed to identify the iPad I wanted. It then took over 30 minutes before a "representative" would talk to me. I kept asking and they kept saying that I was third on the list. And this includes the woman who was standing around doing nothing. When I approached her, she said "I'm a manager - all I do is make sure things are going smoothly." Well, how about selling me one to make things "go smoothly." Not a chance.
>
> Bottom line: I had to threaten in a very loud voice that I was about to walk out before someone reluctantly came over and took my money.
>
> It was the worst retail experience I've ever had, and I will never go to an Apple store again.

Make sure to reach out to the store manager and let them know how your experience was. That's certainly not the way things are supposed to run!
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
> > You're missing the point entirely.
> >
> > The highest risk vector is the users. We’re defending from the users of the device. Loss, infection, drive by attacks, misuse etc. If we go against state level actors there is no chance and not our problem really as it’s either something we’d report to NCSC/GCHQ or have a warrant for.
> >
> > Handing an android handset to an inexperienced user is like giving a monkey a gun.
> >
> > Was it 2017 that there were 500-odd CVEs against android?
>
> I don't think I have missed the point at all, but completely agree with your comments. For the most part, the user is the weakest point in the system. I was simply responding to your comment where you said:
>
> > Spot the number of penetration testers who own android phones as an example...
>
> You were implying that experts in the cyber security and INFOSEC disciplines avoid Android handsets, when that is simply not true. Just like a Windows machine, if it's properly configured, certain Android handsets can be very secure.

Yes they do avoid android. And advised us to get rid of it. Multiple companies. It’s almost universally the first thing people tell everyone.

Also compare NCSC EUD documentation on both platforms...
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
> Yes they do avoid android. And advised us to get rid of it. Multiple companies. It’s almost universally the first thing people tell everyone.

Can you provide reasons why and perhaps source some references? Because my experience differs and as I said, these are industry and government experts. A generic throw-away comment might be fine for the ordinary user, but doesn't explain anything to those with advanced knowledge and so far, my knowledge and experience seems to conflict with your statement.

It's like asking a user to restart their machine to "fix" a problem, yet I want to know WHY a problem occurs and how to fix/avoid it.

Also, now that news has been made public, this is just one product capable of defeating iOS security (there are several others): https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/
« Last Edit: April 19, 2018, 02:12:35 am by Halcyon »
 
The following users thanked this post: BrianHG

Offline helius

  • Super Contributor
  • ***
  • Posts: 3639
  • Country: us
The existence of Graykey and other PIN bypass tools isn't really related to malware. These are completely different subjects.
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
> You're missing the point entirely.
>
> ...
>
> Was it 2017 that there were 500-odd CVEs against android?

I'm with Halcyon here. All the guys I know use android. (Some ppl from the CCC.)

And that down there is a red-herring argument. Just because they found 500 CVEs doesn't mean it is not safer than Apple. It could be extremely safe after that, at the same level or less. It says nothing. Unless you really go ask deeper questions.
Apple is safe for ppl with knowledge and commitment to lose convenience up to a certain point and then Android starts to win it all. Pixel phones, mostly. The ones that have non-altered Android OSs.

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
> > Yes they do avoid android. And advised us to get rid of it. Multiple companies. It’s almost universally the first thing people tell everyone.
>
> Can you provide reasons why and perhaps source some references? Because my experience differs and as I said, these are industry and government experts. A generic throw-away comment might be fine for the ordinary user, but doesn't explain anything to those with advanced knowledge and so far, my knowledge and experience seems to conflict with your statement.
>
> It's like asking a user to restart their machine to "fix" a problem, yet I want to know WHY a problem occurs and how to fix/avoid it.
>
> Also, now that news has been made public, this is just one product capable of defeating iOS security (there are several others): https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/

GrayKey is a state-level attack. Meh, game over there.

This is one of the reports we were cited, which was hilariously self-damning: https://onestore.nokia.com/asset/201621/Nokia_2017_Threat_Intelligence_Report_EN.pdf

The penetration testers we used, from four companies, all universally suggested dumping android because of the malware infection risk and short cycle abandonment of android by the vendors. iOS was noted as preferred as there is one single control point and the MDM solution allows for sufficient hardening, a defined support lifecycle and a good history of response by vendor for new attacks.

The pen testers all explained that they use iOS for their handsets. The rationale behind this was they applied MDM policies on their own devices and had better control of data sharing. The phones were universally not used for any document handling of any sort. They left that to their MacBooks which were running Linux...

Honestly the answer we had was: if you use mobile devices, make them iOS as you can cover the loss and infection vectors due to the Secure Enclave.

The pen testers we hire are well known and publish many CVEs themselves. We’re in the middle of London in the financial sector. We only hire the best guys on the market, some of whom we know from our not strictly white hat background.
« Last Edit: April 19, 2018, 06:47:18 am by bd139 »
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
I can certainly understand that kind of advice from a pentest company providing feedback to another organisation.

But the point I made is, pentesters, DF experts and INFOSEC personnel themselves don't simply avoid Android for those same reasons.
 

Offline Ampera

  • Super Contributor
  • ***
  • Posts: 2578
  • Country: us
    • Ampera's Forums
I can agree that iOS devices are more secure, but they are also more limited.

Apple keeps a tight, and in my opinion too tight for my taste, control on their devices. You're not allowed to install your own applications, and up until recently, you didn't even have a visible file system. (For all I know that could still be the case). In order to get what I consider base functionality onto a device I would actually use, I would have to jailbreak it, and make it more insecure than regular Android, just to install something as radical as an emulator.

You can bury a 2-inch thick AR-550 safe in 10 meters of concrete, under a mile of sand in the Nevada desert, and have it be the most secure safe in the world, but it doesn't mean anything if you can't get back to your files.

For me, as a general, average Joe who does not have a single shred of important information on my portable devices that can't be immediately eradicated from a potential thief (all banking is NEVER on portable devices), Android provides a level of functionality that I need from my devices. iOS is too locked down, and too deeply embedded into Apple's bullshit to make it worthwhile to me. This is keeping in mind I would only really ever use this all as a tablet that will rarely leave my home.

Now if we want to talk about security, then your mates who bash Android should be wholeheartedly against the concept of laptops. Even OS X doesn't have the level of sandboxed security as iOS, never mind Windows. Even with an encrypted file system (which both iOS and Android have, I believe even as default), you still have the same security problems you mentioned on an Android device.

What might be a good idea for a penetration tester who eats, sleeps and shits security, might not be a good idea for me. I take my personal security into serious consideration, but I also run the numbers. The likelihood that someone will not only manage to steal the one Android device I ever keep on me (my phone), the absolute best he will have is a token to a couple accounts I can, within a moment's notice, destroy the validity of those tokens, and reset all passwords.
I forget who I am sometimes, but then I remember that it's probably not worth remembering.
EEVBlog IRC Admin - Join us on irc.austnet.org #eevblog
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Your threat model is wrong. If I lose my device I shrug. If I get mugged I hand it over without getting stabbed. No reasonable attack window exists after that event.

No one in our front office or POS uses laptops. They have iPads and desktops. Desktops are locked into desks, have encrypted disks and are in DMZ.

Average joe is better off with iOS. It’s harder to fuck up and there’s a longer support life. A fine example is the whole Facebook mess. People will just click through anything.

This all comes down to the design philosophy. Do you start with a sieve and put tape over the holes (Android)? No.

You can’t add security later. You have to build it in and you need a layered security model.

Also iOS does have a file system. It’s based on isolated and partitioned storage. The new file browser adds nothing but a UI for what is already there.

I get the feeling a lot of people don’t know or understand the platforms they like to moan about.
« Last Edit: April 19, 2018, 08:05:05 am by bd139 »
 
The following users thanked this post: Bassman59, tooki

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
> Your threat model is wrong. If I lose my device I shrug. If I get mugged I hand it over without getting stabbed. No reasonable attack window exists after that event.
>
> No one in our front office or POS uses laptops. They have iPads and desktops. Desktops are locked into desks, have encrypted disks and are in DMZ.
>
> Average joe is better off with iOS. It’s harder to fuck up and there’s a longer support life. A fine example is the whole Facebook mess. People will just click through anything.
>
> This all comes down to the design philosophy. Do you start with a sieve and put tape over the holes (Android)? No.
>
> You can’t add security later. You have to build it in and you need a layered security model.
>
> Also iOS does have a file system. It’s based on isolated and partitioned storage. The new file browser adds nothing but a UI for what is already there.
>
> I get the feeling a lot of people don’t know or understand the platforms they like to moan about.

The problem is that people are very adamant in their statements, as can be seen in this thread too. However, they rarely explain their reasons for these statements other than some fairly vague proxy statements.
 
The following users thanked this post: tooki

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
> The problem is that people are very adamant in their statements, as can be seen in this thread too. However, they rarely explain their reasons for these statements other than some fairly vague proxy statements.

Indeed they are. But that's to be expected on any internet forum. At least at the EEVblog, it's mostly civilised and I think the knowledge level is a few standards above the average. But yes, a lot of opinion is thrown around as fact.

Anyway getting back on-topic...

> I've literally been doing DIY PC building for decades. I highly encourage it.

I second that! Stick with industry standard parts in industry standard form factors. Want to replace or upgrade something? Do it yourself. The key is to make sure you do your homework properly (many fail miserably at this). That means research what components work best with your motherboard and remember the rule: Cheap, Fast, Reliable; Pick two.

« Last Edit: April 19, 2018, 10:33:11 am by Halcyon »
 
The following users thanked this post: BrianHG

Offline rfspezi

  • Regular Contributor
  • *
  • Posts: 173
  • Country: 00
I owned and serviced almost all generations of iPads, iPhones and iPad minis.
It's a fact that Apple slows down the devices with each iOS update.
As a lazy and sadly accepted excuse, they of course argue with new performance-demanding features.
WHAT A BULLSHIT!

What Apple is really good at is making you believe that your device got so slow because of 100 new emojis - even though you never open the messaging app!! :-DD

Apple philosophy somehow reminds me of VW exhaust management philosophy - everybody knows that manipulations are made but nobody wants to believe it.
Sounds like a religion???  :)
 
The following users thanked this post: BrianHG, Electro Detective

Offline rsjsouza

  • Super Contributor
  • ***
  • Posts: 5985
  • Country: us
  • Eternally curious
    • Vbe - vídeo blog eletrônico
Latest from Louis "da man" Rossmann:

https://youtu.be/oNl2q6YZXlA
Vbe - vídeo blog eletrônico http://videos.vbeletronico.com

Oh, the "whys" of the datasheets... The information is there not to be an axiomatic truth, but instead each speck of data must be slowly inhaled while carefully performing a deep search inside oneself to find the true metaphysical sense...
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
> The penetration testers we used, from four companies, all universally suggested dumping android because of the malware infection risk and short cycle abandonment of android by the vendors. iOS was noted as preferred as there is one single control point and the MDM solution allows for sufficient hardening, a defined support lifecycle and a good history of response by vendor for new attacks.
>
> The pen testers all explained that they use iOS for their handsets. The rationale behind this was they applied MDM policies on their own devices and had better control of data sharing. The phones were universally not used for any document handling of any sort. They left that to their MacBooks which were running Linux...
>
> Honestly the answer we had was: if you use mobile devices, make them iOS as you can cover the loss and infection vectors due to the Secure Enclave.
>
> The pen testers we hire are well known and publish many CVEs themselves. We’re in the middle of London in the financial sector. We only hire the best guys on the market, some of whom we know from our not strictly white hat background.

Of course they were talking about manufacturer-provided Android distributions. Put a custom ROM on it and you can harden that thing to any degree. As I said before, they were talking to you as the average user who doesn't want to give up comfort. In that case Apple is better. But after Apple comes custom ROM android.
They probably told you they also use what they suggested to you, just so they don't have to explain why they suggested something to you that they themselves don't trust. Common behavior when talking to people who wouldn't understand anyway.

Offline BrianHG (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7725
  • Country: ca
> I owned and serviced almost all generations of iPads, iPhones and iPad minis.
> It's a fact that Apple slows down the devices with each iOS update.
> As a lazy and sadly accepted excuse, they of course argue with new performance-demanding features.
> WHAT A BULLSHIT!
>
> What Apple is really good at is making you believe that your device got so slow because of 100 new emojis - even though you never open the messaging app!! :-DD
>
> Apple philosophy somehow reminds me of VW exhaust management philosophy - everybody knows that manipulations are made but nobody wants to believe it.
> Sounds like a religion???  :)

If I'm starting a new business, where my work PC always runs the same editors/utilities, I cannot have my workflow slow down because of forced updates which may force me to upgrade to newer hardware when the original was originally fast enough. This costs me money on 2 fronts, the slowdown costs me in salary & sales plus having to throw out old hardware, purchase and setup new hardware when Apple dictates so. This isn't right.

 
The following users thanked this post: Electro Detective

Offline Harb

  • Regular Contributor
  • *
  • Posts: 244
  • Country: au
It's all hype......30 macs here none have "slowed down"..........
 

Offline Electro Detective

  • Super Contributor
  • ***
  • Posts: 2715
  • Country: au
> It's all hype......30 macs here none have "slowed down"..........

Same here, Mountain Lion rocks  :-+


 ;D
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
I thought a Mac is not a PC. Louis even almost got sued because he made a PC out of Macs by repairing them with jumper wires, as he says. Ridiculous.

