So who’s right? Research says there aren’t any known ones out there, but is it technically possible for, say, a Web-based one to get into a tablet device, and then download itself into a computer next time it’s hooked up to one? Or vice versa, even? (This isn’t talking about phishing or anything like that, of course.)
The only one I know of that’ll take out a non-jailbroken iOS device is something someone programmed into a fake USB charger. Obviously you’re not going to make a 1,000,000 iPhone botnet out of something like that. The only through-the-web compromises have happened on jailbroken devices.
It’s definitely happened that a Windows virus has spread through software downloaded from iTunes onto a iPad and then compromised the Windows PC.
I would say the second guy is right on an absolute level and the first guy is only “mostly right.”
Yes, it’s technically possible. A lot of things would have to go wrong, though.
The existence of jailbroken devices tells us the sandboxing isn’t perfect (and can’t be – certain processes will always need to be able to break the sandboxes, or the whole iPad can’t work.) Jailbroken iOS devices have gotten malware; heck, a few malware apps have (briefly) made it past Apple’s own App Store checks. Given the existence of “visit this site to jailbreak” sites (none of which work with the current version of iOS), it’s been possible in the past to completely re-write the iPad to support anything you want, at which point viruses are as possible as any other app.
More specifically (and ignoring the jailbreak case), an app can be both client and server for a network, which is all that’s really necessary to gather and re-propagate a virus. But an attacker would either have to provide the app themselves (and get it through Apple’s store defenses, which is tougher than it sounds), or find an exploitable store-and-forward mechanism in an existing app (even harder). And in either case, the app installation would be killed as soon as Apple figured out what was going on.
In practice, of course, it doesn’t happen, because there are a lot of safegards (full device encryption, lack of downgradeability of the OS, sandboxing, app store guidelines, app store tech reviews, and automatic API checks on submitted apps, to name a few) to prevent it.
Yes, I should’ve added the “no jailbreak” thing; I understand from my reading that anything can happen then.
But one of the quotes I had came from a thread where someone thought (s)he picked something up directly from just visiting a website, and I was wondering if that was even possible.
This is the same basic argument that the Apple fanboys in general are fond of. They think that Macs are completely immune to viruses and they aren’t. Linux computers have pretty much the same level of immunity, but linux users don’t seem to delude themselves into thinking their computers are completely invulnerable the way Mac fanboys do.
Macs, iPads, linux computers, and linux based tablets, and pretty much anything else that isn’t Windows based (smart phones, wi-fi boxes, routers, etc) all have a huge security benefit simply from not being Windows based. Windows has by far the lion’s share of the computer market, and Microsoft tends to attract hackers just for being Microsoft (it doesn’t help that Microsoft actually does act the part of being the Evil Empire sometimes either). I run Linux at home and I really don’t worry about viruses because almost all of the viruses and malware out there are targeted towards Windows. They key word there though is “almost”. It’s still possible to get some sort of malware through other operating systems. Most of the time though, Guy who says they can’t is right. The structure of the iPad operating system is such that it makes a malware infection of some sort difficult, and there is very little (if any) malware targeted towards iPads out there. The chances of you catching some kind of malware through an iPad are very, very small. But not zero. Those who say it is actually zero are deluding themselves.
One danger of this though is that users of Apple stuff (Macs, iPads, iPhones, etc) tend to think that they are completely immune to any kind of malware, which makes them completely unprepared when the unlikely bit of malware does strike them. Mac malware in particular is on the rise, partly because Macs are becoming more popular (which makes them a more viable target) and partly because Mac users tend to be completely snobby and clueless about security. As portable devices become more popular, they may become targets for malware as well.
I don’t know a single Apple user who thinks Apple products are completely immune to viruses.
Just as an observation, most Apple users will stop listening to you the moment you hit the “fanboy” label. It poisons the well, regardless of your other arguments.
I know several.
I don’t think either of out statements/experiences is actual evidence either way though.
I have known people who say they don’t exist or just ‘they can’t get viruses’.
But as I have seen one, or rather, the effects of one, I know they do.
The guy was complaining about really slow internet. I ultimately ended up looking at his DNS and found they had been changed to 85.something (Russia), at which point the guy admitted to surfing a lot of Russian porn. Did some research and found that yes, there is a virus out there that does this. This was about 4 years ago.
Small reference pool? Apple even made a commercial touting their virus free Macs a few years ago.
Indeed.
The relevant thing to keep in mind here is that computer viruses, unlike the biological kind, are the product of intelligent design. Someone creates them, usually to take advantage of a specific security flaw in a particular system. When creating a virus, therefore, the programmer wants to target a popularly-used system, so that the virus will spread farther, and ideally one with some known security holes that they can exploit.
Basically, both of the OP’s quotes are basically correct - anything that executes code can theoretically be made to run malicious code. On the other hand, the relatively locked-down nature of iOS, and the limited hardware (compared to the general purpose hardware of a computer) means that it’s going to be much harder to write a virus that can exploit and spread between phones.
So, most people writing viruses will go for the easy targets - usually Windows PCs, which are both ubiquitous and often have unpatched security holes.
Maybe I just hang out with much smarter computer users. I don’t think any computer device that executes external code is truly malware proof.
Say you have a warehouse full of valuables. You want to protect the valuables from fire. So you install a high-tech state-of-the-art fire detection and fire suppression system. Sounds like a great idea. You can’t be too careful.
But what if the fire suppression system has a short circuit and starts a fire? Ironic, huh?
It’s the same with high tech security software. Sure it may protect against certain known exploits. But it also introduces the possibility of new flaws that can be exploited.
So about my question in post 4…? The post in question was on Yahoo Answers (UK), so obviously it’s a cesspool, but it really did get me wondering if there was anything out there that could jump from Web to unjailbroken mobile devices. I assume no, given the answers so far and the fact that research can’t seem to find any? But it does seem that there’s no technical barrier to it that we know of…? Or am I misunderstanding?
I remember an amusing thread last year, where several Apple users were arguing that in spite of the common demonstrations of Apple vulnerabilities at events like pwn2own, that they were immune to passively picking up viruses “in the wild.”
Of course, while we were arguing about this, a botnet of 600,000 Macs infected in exactly the same way they were arguing was impossible was quietly growing.
True, some Apple users will say their computers are immune, but they have at least a shred of justification. Compare them to all the posters here who run Windows, leave their computer on 24/7 but still say they don’t need AV as they don’t cruise porn sites. :rolleyes:
Autostart. http://www.macintouch.com/hkvirus.html
…that wasn’t detected by any antivirus then available on the Mac, and then turned off by an Apple update, without most of those users ever needing to take any action or be aware of it at all. All the while, billions of Windows boxes around the world are bought and sold by botnet criminals.
I know that non-Mac users hate to admit this. Heck, I work for a large Redmond software company, and I hate to admit this. But for whatever reasons, as a practical matter, Macs are essentially immune to many forms of malware (not all – phishing, for example, works just fine on them) in the wild, which is all most people care very much about.
Since websites that jailbreak iPads exist, can’t those websites then install a virus? The virus wouldn’t be contagious, though. Does that still count as a virus?
Misdirection.
yeah, right. I’m about as careful as can be and even I have been hit with malware once recently. Why? A Java vulnerability. One that Macs could have been compromised by too had the writers included a payload that ran on OS X.
I’m not “immune” from influenza just because I haven’t been exposed to it. I may be “safe” but that only lasts until a sick person coughs in my face.
there’s nothing for non-Mac users to “admit.” Nobody disputes that Mac malware is barely a blip on the radar compared to Windows. It’s the smug naïveté of Mac users who seem to think OS X can’t be infected by anything that bristles.
yes. The simple fact that “jailbreaking” is possible shows iOS can be trivially compromised. handheld devices would be poor malware vectors, though; for one, their network connections are too transient, and being turned into a bot would be immediately obvious by the battery life tanking. But why do you say it wouldn’t be “contagious?”