Trading places: Exploits valued as commodities

What does the recent value swap of iOS and Android exploits communicate about the market-driven nature of our cybersecurity future(s)?

Ars Technica reported in September, “the top price for unpublished Android (OS) exploits reached $2.5 million, a 25% premium over iOS”, an event that has upset the status quo of how mobile users view the security of the two most popular mobile platforms. The recent inversion in the monetary value of (code) exploits for mobile operating systems is a strong reminder that the cybersecurity landscape is a very unpredictable beast. It was surprising, but maybe not unforeseen, that iOS’ image of invincibility would one day falter.

I’ve binge-watched movies and TV shows since the 1980s, and this situation reminded me of the classic Eddie Murphy and Dan Aykroyd comedy Trading Places, in which street hustler Billy Ray Valentine (Murphy) is transformed into a Wall Street commodities trader (as part of a bet by wealthy owners of a brokerage). The film plays off the role reversal of its two lead characters and the perennial truth that circumstance plays a predominant role in outcomes.

Data is the new oil
Among energy commodities, crude oil is the most actively traded, even falling into its own light, sweet and heavy classifications. Data – and I mean both the legally and illegally gathered kinds – has also become a valuable commodity.

Whether we are discussing regulations like GDPR and CCPA that work to govern the “how” of businesses legally collecting, accessing and storing data via services and websites, or the ways that tech directly impacts privacy through the access apps may have to processes on your smartphone, data is highly monetized.

The same utility that makes smartphones so handy also reflects their key role in producing, accessing and monetizing data – yours included. And while some hardware builders have delved into blockchain hardened devices to secure your data and privacy, the masses have settled for Android and iOS.

Battle of the operating systems – a convergence
Even a year ago, the notion of iOS’ invincibility still seemed to reign. iOS’ built-in security was largely a product of its architecture, which was designed with inherently stricter sandboxing that imposed a higher degree of separation between apps. This meant that when malware encountered iOS, its room to maneuver between the OS and any app’s data was limited, which has a significant impact on malware’s ability to spread infections via iOS apps and devices.

On the other hand, Android’s more open environment allowed and even encouraged app developers to innovate and make interconnections with various functionalities within the operating system – think a free market economy vs. Apple’s centrally planned economy, something commodity traders would obviously hate. This “open architecture,” however, did have security costs.

Regardless of the differing approaches, iOS could boast the luster of better security … along with the slick design and, for many, a better graphical user interface (GUI). A further strike against Android’s security is that, because a wide variety of carriers and device manufacturers distribute different versions of the Android OS, it is these device manufacturers and not Google who decide when to distribute critical security patches for the operating system once they are released. In contrast, it is Apple rather than the carriers that manages security patches and when device owners should update their iOS software.

Free market strikes back
They say time heals all. With the iPhone and iOS debut in 2007/2008, Apple’s approach to its OS proved a durable if closed system. However, the constant battering Android has taken in regard to security incidents since it became the bestselling OS in 2011 and its open architecture have yielded a much broader variety of apps, including security apps, and a deeper cadre of developers and researchers looking into its security. Now, eight years later, Android OS has reached a new peak in its climb to security supremacy.

While saying officially that Android is safer or that its users’ awareness of security threats is higher than iOS users’ may be a step too far, we can assume that more experienced users have become familiar with the many reports of malicious apps, hacks and other threats facing their preferred system. Let’s let the parable end there … but watch this space or WeLiveSecurity for updates on threats to mobile operating systems and see how Apple deals with its turn in the security spotlight.

And the fate of Billy Ray Valentine, the happenchance hero of Trading Places? Once he and the other protagonist discover the ruse against them, they lay a trap – or honeypot, in cybersecurity talk – which ultimately bankrupts the brokerage owners.