No, it's the user who is getting exploited. And that's the point: the average end user (and in the case of more advanced malware, the average technical user, or in fact anyone who hasn't been able to audit the application source code) is vulnerable to this sort of malware.

Using an app store plus code-signing enables a trusted third party to audit the code, and sign it as approved to run on the device. In the case of appliances like phones, tablets, etc., expecting your typical non-technical user to audit source code for every app they install is unrealistic.

In the case of loading an app onto an android device from a third party, it's a crap shoot. You are basically guessing that the particular installer you are running is not a trojan. You may be basing that on app reputation, etc. but have no real clue whether or not it has been time-bombed, for example. You're guessing, flying blind.

It's pure luck and lack of true malicious developers on the platform that the android malware situation right now is not a LOT worse. And it's nothing to do with exploiting the JVM, kernel or whatever - it's purely due to the end users of consumer devices not being interested in becoming security experts. They are (rightly so) not interested in it.

Signed-code only, whilst being restrictive in what you can run takes that burden off the user. If the user truly wants to run something that the vendor will not sign, in the case of iOS it is simple enough to get a developer subscription and compile it from source yourself.

Don't forget to include iPads and iPods in your market share calculations, because that is the true potential iOS malware install base.

Also: i don't post AC.

Did you really just ask why there is more malware now than there was in years past? Really?

Yes.

Answer: times change; explosion in mobile device popularity; explosion in internet commerce popularity; mobile platforms have only recently been considered a serious target for criminal activity.

That's your inference, that is not backed up by any real world data. The iOS market is large and was previously larger than the android market. In terms of web usage stats, iOS leaves android for dead. So one would think that the platform most actually used would likely pose a significant target. Yet in the past 12 months there were ZERO incidents of malware reported for iOS. Zero.

Yes, the real answer is due to the "Walled garden" (which is easy enough to work around if you get your own developer cert to sign the code you want to run).

The android approach of allowing the user to just turn off all security by enabling "run code from anywhere" has been proven for the past 3-4 decades to not work. The amount of malware available for android out there is continuing to prove that to be the case.

Also, we're not just talking about smartphones - tablets also, along with ipods. The total of all those devices (i.e., the potential malware install base) would be far larger than the install base of RIM or Symbian.

And by lowering yourself to petty name calling, you've just lost any sort of credibility you may have had.

It's $100 for a number of support incidents and a developer certificate which enables you to use the free development tools to upload your code to a real device.

You clearly missed the sarcasm in the first lines of my post.

You completely missed my point. The entire point is that relying on the end user, who has no access to to the source code to verify the operation of the app they are about to install, and no way to verify whether or not the code that was published has been altered, to verify whether or not they want to run it is inherently flawed.

Its easy enough to run anything you want on iOS - get your own cert, and compile/sign it yourself. Doing that DOESN'T open you up to any and all possibly dodgy code running on your device.

Linux needs to provide a stable ABI. Other platforms can do it, Linux refusing to do so is just a cop out, and laziness. "We want to be able to change" = write a fucking shim like everyone else.

Exactly. OS X pulls in a few things from FreeBSD, but it is not "based on" FreeBSD any more than Linux is based on BSD.

Valve would tend to disagree. Working intel GPU driver > shitty unreliable GPU driver or software rendering for awesome hardware.

The intel HD3000 onwards are not horrible, especially if you are comparing on performance per watt, which is the way the market is headed. The traditional desktop is dying - admittedly a long and protracted death.

Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?

Isn't the entire selling point of android that you can install software from wherever you like though? This study simply validates apples decision to more strictly control what software is allowed on their devices. For those users who do need to install anything they like, they can still do it without compromising the security of their device by getting a developer certificate.

Also. You are arguing that trojans are NOT malware? Seriously? Of course they're fucking trojans. That's the point. The end user is in no way qualified to determine that software is NOT a trojan, and this is why them having root on a device with full ability to run any shitware trojan they like is never going to work. WE've had 30 years hammering this point home time and time again. It's not going to change.

So, have you ever heard of a root kit? Linux has plenty of malware, and I have personally rebuilt compromised hosts. "Oh but that bug was in sendmail" or whatever you say. Cop out.

No. Android security is currently just that bad. For several reasons, not least of which is likely due to the massive number of handsets that are abandoned software-update wise upon release.