Is this really what passes for journalism?
This isn't a specific attack on one site, but I've passed by something like 10 different articles on this topic already. An open plea to the web journalism community... don't write about things related to software development without a degree in computer science and a working knowledge of the platform you're discussing. You just sound like idiots.
Basically, the reports are that a 16 year old has developed a piece of software for Windows Phone that can send out your contact information along with other personal files. And people are calling this an exploit.
Now, no one seems to have all of the details, but most articles have mentioned that you do have to allow the app access to your contacts and local data beforehand, and knowing the Microsoft API and how hard many people have been working at circumventing a lot of stuff in the API, this actually makes sense.
But, if you need to grant the app access to these things... is it really a software exploit? No. It isn't. Yes it is still malware, but hey, ads in apps can be constituted as malware by a loose enough definition. This could at best be classified as a psychological exploit. You know most people, once they have decided to install an app, will blindly grant the application to everything it asks for.
I feel the same about this post as I do about the supposed "security flaw" whereby an Admin on your Windows 8 machine can access certain personal information. In that scenario, they are the computer admin... virtually by definition they should have access to your files, since they are the SYSTEM ADMINISTRATOR and your personal files on are on their SYSTEM. That was no more a security flaw than this is a software exploit.
But there is yet another SEVERE fault with these articles aside from the terminologies and implications. Windows Phone utilizes a closed ecosystem with a curated app store (much the same as Apple). Even IF the app were able to bypass the user permitting access to the personal data, the app would need to make it through the Marketplace certification to make it to your device. You COULD side-load the app... but then hey... if you consider side-loading a "legitimate" means of contracting a bug, then no platform is any better off. So basically, until you can confirm a case where an app leveraging such functionality to these malicious ends has made it through the app certification process the existence of such code is trivial.
And wait! There's more! Side-loading on Windows Phone? Go ahead and try it. There were some inroads into this on 1st gen devices and a handful of 2nd gen devices. But the bulk of the second gen devices remain un-cracked and same goes for the newest batch. Ultimately, at present, Windows Phone devices on the whole are the most difficult by a long shot to jail break. Which means that without a developer license this is a no show any way.
Not enough? Well, as with all curated app stores... once a malicious piece of software has been confirmed in the store... Microsoft can simply remove it. Voila... problem minimized.
Still not enough? This one falls into rumour mill, as I can't remember whether it was ever confirmed or not. But a while ago it was mentioned that Microsoft's OS could basically remotely wipe any app from a device. While others were speculating that this was just an evil move to enforce their closed eco-system, that is unlikely... the most likely reason... this sort of thing. Something made it past certification which REALLY shouldn't have. This would allow them to eliminate the threat from already infected devices.
Is it possible such software could land on your Windows Phone device? Sure. But to date I have seen nothing which would intimate that could be done in a way which circumvents all of the numerous safe guards Microsoft has in place on this platform. And if you want my opinion... Windows Phone is the safest mobile eco-system. Their certification process is on par with Apple's and their phones are harder to "jailbreak". Also, they have the smallest market share (at present) which makes them the least appealing target to attackers (for those not in the know, this is the ACTUAL reason why Apple computers virtually never get viruses). And while WP8 and Windows 8 share a core... the development stack is still actually different... so they don't inherit the viruses from their more dominant PC counter-part.
Basically, the reports are that a 16 year old has developed a piece of software for Windows Phone that can send out your contact information along with other personal files. And people are calling this an exploit.
Now, no one seems to have all of the details, but most articles have mentioned that you do have to allow the app access to your contacts and local data beforehand, and knowing the Microsoft API and how hard many people have been working at circumventing a lot of stuff in the API, this actually makes sense.
But, if you need to grant the app access to these things... is it really a software exploit? No. It isn't. Yes it is still malware, but hey, ads in apps can be constituted as malware by a loose enough definition. This could at best be classified as a psychological exploit. You know most people, once they have decided to install an app, will blindly grant the application to everything it asks for.
I feel the same about this post as I do about the supposed "security flaw" whereby an Admin on your Windows 8 machine can access certain personal information. In that scenario, they are the computer admin... virtually by definition they should have access to your files, since they are the SYSTEM ADMINISTRATOR and your personal files on are on their SYSTEM. That was no more a security flaw than this is a software exploit.
But there is yet another SEVERE fault with these articles aside from the terminologies and implications. Windows Phone utilizes a closed ecosystem with a curated app store (much the same as Apple). Even IF the app were able to bypass the user permitting access to the personal data, the app would need to make it through the Marketplace certification to make it to your device. You COULD side-load the app... but then hey... if you consider side-loading a "legitimate" means of contracting a bug, then no platform is any better off. So basically, until you can confirm a case where an app leveraging such functionality to these malicious ends has made it through the app certification process the existence of such code is trivial.
And wait! There's more! Side-loading on Windows Phone? Go ahead and try it. There were some inroads into this on 1st gen devices and a handful of 2nd gen devices. But the bulk of the second gen devices remain un-cracked and same goes for the newest batch. Ultimately, at present, Windows Phone devices on the whole are the most difficult by a long shot to jail break. Which means that without a developer license this is a no show any way.
Not enough? Well, as with all curated app stores... once a malicious piece of software has been confirmed in the store... Microsoft can simply remove it. Voila... problem minimized.
Still not enough? This one falls into rumour mill, as I can't remember whether it was ever confirmed or not. But a while ago it was mentioned that Microsoft's OS could basically remotely wipe any app from a device. While others were speculating that this was just an evil move to enforce their closed eco-system, that is unlikely... the most likely reason... this sort of thing. Something made it past certification which REALLY shouldn't have. This would allow them to eliminate the threat from already infected devices.
Is it possible such software could land on your Windows Phone device? Sure. But to date I have seen nothing which would intimate that could be done in a way which circumvents all of the numerous safe guards Microsoft has in place on this platform. And if you want my opinion... Windows Phone is the safest mobile eco-system. Their certification process is on par with Apple's and their phones are harder to "jailbreak". Also, they have the smallest market share (at present) which makes them the least appealing target to attackers (for those not in the know, this is the ACTUAL reason why Apple computers virtually never get viruses). And while WP8 and Windows 8 share a core... the development stack is still actually different... so they don't inherit the viruses from their more dominant PC counter-part.
Comments
Post a Comment