
Am I wrong in wishing for Microsoft to take a step toward sandboxing/code signing instead of playing the cat-and-mouse (and sometimes snake oil) game of antiviruses and antimalware products?

Admittedly, this is probably not feasible by definition since the Windows ecosystem gives developers infinite freedom. And sandboxing is not trivial to get right. "Bad" applications will just go out of their way to entice the user to allow "read and write all my files." And sadly, users don't really read or understand warning dialogs. But one could wish, right?

Signed, someone who has seen too many friends' computers slowed down with said antiviruses, defenders, and always a plethora of toolbars.




Nope, you're not wrong at all in wishing that.

I was one of the folks in charge of defining and building the Windows Phone 7 application platform. I pushed extremely hard to ensure that when WP7 shipped the app sandbox was tight, tight, tight. So much so that I pissed enumerable people off because we refused to open it up to anything but managed code. I always argued that the product would be better off in the long term with a real reputation for being solid & secure.

It was hard to do, but we were able to do it because WP7 was basically a v1 product and we had no backwards compatibility requirements (or existing customers <g>).

For Big Windows, it's a lot harder. A LOT HARDER. But I have read that Win8 will have a sandbox for new apps. That should help a lot, but it really is just a start. AV software will still be a necessity for most users.

Note that I find it highly ironic that Android failed to keep their sandbox tight early on and as a result that platform is suffering significant malware problems. Timely: http://techcrunch.com/2011/11/20/mcafee-nearly-all-new-mobil...


Thanks for the reply. Definitely interesting to hear what it is like on the "other side" of the drawing board.

Android is actually an interesting case. Android applications are sandboxed. It's just that applications can request some very dubious permissions ("read all your SMS messages") and users don't know any better and don't read the fine print. The flexibility does allow for some excellent customizations (e.g. Swype keyboard replacement), but the risk of shenanigans is also there.

TechCrunch says:

    One of the most popular forms of trickery in Q3 was
    SMS-sending Trojans that collect personal information
    and steal money. Another new method of stealing user
    information is malware that records phone conversations
    and forwards them to the attacker.
These are not classic viruses in the purest sense. These are not, say, buffer overrun exploits. These originate from apps the user downloaded that do other, sneaky things.

How do you protect the user from the user? The other flip side is iOS where almost everything is heavily locked down, except perhaps for the AddressBook API. The user is not very trusted, and essentially has no way of opting-in to anything really dangerous. This does severely limit the interesting cross-app interaction cases. But I can sleep safely knowing that my iPhone-holding non-techie family members can't download anything that would cause harm.

Since educating users across the board is likely impossible, does this mean the tough Apple approach is the way of the future (loosely speaking)?


The WP7 API surface area is very much locked down. For example, in v1 we did not provide any access to the address book (other than a chooser). There is no way to do cross app IPC. There was no background processing. No sockets. Etc...

As I went around the world "selling" the WP7 story to developers I got very good at saying "I'm sorry, but in this version of the platform the app you want to build is not possible."

I found that once this sunk in, developers were actually really glad we were so clear and unambiguous. They weren't necessarily happy, but it felt good (to me) knowing we'd been principled and consistent.

I personally believe this is the only way to build a modern client platform. Start with very tight controls and open it up only when

* There is a well understood use case.
* You have the time/resources to do it right.

I do not mean to be overly pejorative about what Google has done with Android (because, in the large it's truly awesome), but I firmly believe that when it comes to building platforms once the cat is out of the bag it can't be stuffed back in. I'm specifically referring to BOTH the tightness of the sandbox and fragmentation BTW.


<pedant>"Enumerable" means almost exactly the opposite of "innumerable", which I think is what you meant: (Enumerable: able to be counted. Innumerable: not able to be counted.)</pedant>


Uh, in this context I would wager he has a pretty good idea how many people he said no to.


Thanks. You are correct. At least I didn't use it's wrong. :-)


The notion Android has a malware problem is odd to me. I've been using an Android phone for more than a year and never experienced anything suspicious. I am yet to see someone who had a virus/malware problem with it.

But then I ran Windows boxes for decades without a single non-intentional infection. I'm not the average person.


Dear downvoters: how serious really is this "Android malware problem"? I understand you can put a malicious app on the store and some clueless idiots will install it, but, then, we have windows on buildings and every once and then some clueless idiot falls through one. We don't call it "the window problem".


That's not really an apt comparison, as the windows are not disguising themselves as, say, bathroom doors, a place many people are likely to visit. It doesn't have to be massive to be a problem or even to be significant, it just has to be out of the ordinary. The reason this is a problem is because many people trust their phones, don't expect malware to infect them there, and they have no way of knowing what is a malware app and what is not.

The reason this is a problem is because it is happening, and it is picking up speed. If your engine is leaking oil, you take steps to get it fixed _before_ your pistons seize. That's what this article is trying to highlight.


> it is happening, and it is picking up speed

Again, I refuse to believe I live in a magical land unaffected by the daily problems that cost countless sorrows to the rest of mankind. I never experienced an Android malware and never heard of someone who did. It's entirely possible someone somewhere installed a malicious application or jumped out of a window, but the fact I know nobody who did it gives me pause when people say the sky is falling.

It's not.


>It doesn't have to be massive to be a problem or even to be significant, it just has to be out of the ordinary.

The fact that it exists, regardless of if anyone installed it or was damaged by it, is the problem. It's time to start thinking of solutions for that problem _before_ you or anyone you know is affected.


If we look at it this way, we should address the problem of sandbox escape on WP7 because it can happen; we just don't know exactly how.

One way to check for malicious software on Androids would be to automatically run it on virtual hardware and flag malicious behavior for review by human beings.

It's probably the same process Apple uses.


I agree. The best way to protect from malware is to stop it before it happens. What better place to be able to do this than on embedded software, where everything can be controlled centrally? It'd be hard to fully protect sideloading apps on Android, but at the very least the marketplaces should be fully protected.

Every app on every marketplace should be tested for malware, and the device should be able to scan for apps acting outside of the limitations imposed in the API. I have a WP7 device, and it's kind of like the new Mac where thanks to its marketshare it's not a huge target. But I'd be willing to bet there's some exploits out there that could be targeted, and that scares me as a netsec employee.
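Three ideas run through this thread: reviewing the permissions an app requests (the Android "read all your SMS messages" case), running a submission automatically on virtual hardware and queuing anything suspicious for a human, and checking that an app does not act outside the limits the API imposed on it. The script below is an added example that ties them together; it is not code from anyone in this thread or from any marketplace. The manifest, the emulator log, the classification of which permissions are sensitive, and the API-to-permission mapping are all constructed for the example.

```python
"""Triage one mobile app submission from two sources of evidence:
the permissions its manifest requests and the API calls observed while
it ran in an emulator.  Added example; every input below is constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: a "flashlight" app that also wants SMS and microphone.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Constructed manifest for a flashlight app that asks only for what it needs.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Assumed classification (this example's own): permissions whose grant lets an
# app read personal data or cost the user money.
SENSITIVE = {
    "android.permission.READ_SMS": "reads SMS messages",
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud vector)",
    "android.permission.RECORD_AUDIO": "records the microphone",
    "android.permission.READ_CONTACTS": "reads the address book",
}

# Assumed mapping from an observed API call to the permission it needs.
API_REQUIRES = {
    "SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "MediaRecorder.start": "android.permission.RECORD_AUDIO",
}

# Constructed emulator log: one line per API call seen during the automated run.
SAMPLE_EMULATOR_LOG = """\
t=0.10 api=Camera.open
t=0.52 api=SmsManager.sendTextMessage dest=+19999999999
t=0.80 api=MediaRecorder.start
t=1.30 api=HttpURLConnection.connect host=example.invalid
t=2.00 api=SmsManager.sendTextMessage dest=+19999999999
"""
CLEAN_EMULATOR_LOG = "t=0.10 api=Camera.open\n"


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]


def observed_calls(log_text):
    """Count, per API, the permission-gated calls that appear in the log."""
    counts = {}
    for line in log_text.splitlines():
        m = re.search(r"\bapi=(\S+)", line)
        if m and m.group(1) in API_REQUIRES:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def triage(manifest_xml, log_text):
    """Combine static (manifest) and dynamic (emulator) evidence into a verdict."""
    perms = set(requested_permissions(manifest_xml))
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    calls = observed_calls(log_text)
    # A gated call whose permission was never declared means the app reached
    # past the API's limits: that is a platform bug to investigate, not just
    # a dubious app.
    violations = sorted(api for api in calls if API_REQUIRES[api] not in perms)
    if violations:
        verdict = "reject_and_investigate_sandbox"
    elif flagged or calls:
        verdict = "needs_human_review"   # dubious but within the declared limits
    else:
        verdict = "auto_approve"
    return {"verdict": verdict, "flagged_permissions": flagged,
            "observed_calls": calls, "violations": violations}


if __name__ == "__main__":
    for name, (m, log) in {"flashlight+sms": (SAMPLE_MANIFEST, SAMPLE_EMULATOR_LOG),
                           "clean flashlight": (CLEAN_MANIFEST, CLEAN_EMULATOR_LOG),
                           "clean manifest, bad run": (CLEAN_MANIFEST, SAMPLE_EMULATOR_LOG)}.items():
        print(name, "->", triage(m, log)["verdict"])
```

The point of splitting the verdicts this way is that the two findings mean different things: an app that declares SEND_SMS and then sends SMS is doing what the user (in theory) agreed to, so it goes to a human to decide whether a flashlight has any business doing that; an app that sends SMS without ever declaring the permission has escaped the limits the platform set, which is the sandbox's problem before it is the app's.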


It's easy to make a secure platform no one uses... Just sayin'


That's right. It's also easy to make an insecure platform.

The hard thing to do is to balance these two things.

This reminds me of two of my favorite quotes:

     “Fools ignore complexity. Pragmatists suffer it. 
      Some can avoid it. Geniuses remove it.” – Alan Perlis

     “Making the simple complicated is commonplace; 
      making the complicated simple, awesomely simple,
      that’s creativity.” – Charles Mingus


     I wrong in wishing for Microsoft to take a step 
     toward sandboxing/code signing
IMHO, these are tools to keep a tight control of your platform and it won't keep the malware/viruses out, even if malware authors will have to be more creative. It creates a false sense of security (i.e. security theater). If you don't believe me, see http://www.jailbreakme.com/ ... a hack that can jailbreak your iPhone just by visiting a webpage and clicking on a link. If you have a recently upgraded iPhone, it probably won't work, but the author of this has already upgraded it to use a new unpatched exploit at least once. And I'm pretty sure that Microsoft cannot do a better job securing Windows than Apple did with iOS, mostly because iOS is a seriously restricted platform.

You could also argue that the area of attack becomes smaller and that in general this is a good thing. However, personally I'm not concerned with script kiddies that are just trying to have fun at other people's expense, as based on my own usage patterns I could never be infected, because such people do not have the capability of distributing such malware to me (as I'm only getting software from reliable sources). The threats I'm worried about come from the people with in-house expertise and that are earning money from this activity, as they do have the means for mass distribution and the potential for real damage to your bank account and online identity.


Maybe it's a PR move for Microsoft more than anything. "Windows 8 has a built-in anti-virus and is more secure than ever!"

I feel like Windows gets targeted the most because there are just so many computers running it. If 80% of computers out there ran OSX I wonder if anyone would give a shit about the next vulnerability in Windows.


Ideally no operating system should dominate the market as Windows does. A monoculture is a problem by itself: http://en.wikipedia.org/wiki/Monoculture

However, speaking about Windows, historically it has been pretty insecure by default. Microsoft started giving a shit only recently, after the failure that was Windows Vista and the bad press associated with it.


Huh? Security was a focus of Vista, not a reaction to Vista. (It was a reaction to Blaster and other widespread infections from the early XP era)


Pff, if that annoying and totally ineffective UAC dialog is the best they could do in more than 5 years of development, I shudder to think what happens when increased security is not the goal of a release.

And btw, I don't know what you mean by the early XP era, but you're probably referring to a timespan of at least 20 years.


Yeah, I was being sloppy. There was and is malware on Windows for a long time but it only became a widely recognized "epidemic" in the late 90s - early 2000s.

as for Vista ... http://en.wikipedia.org/wiki/Security_and_safety_features_ne...

but the real point is that it's just nonsensical to say that Microsoft has been more focused on security as a reaction to bad press of Vista - whether you like or hate Microsoft or Windows or Vista, there's just no interpretation of the timeline under which that makes any sense.


I believe the Metro-style apps do run in a sandbox. It's conceivable that Microsoft could make a version of Windows 8 that did not support old style apps, so in that case all apps would be sandboxed.


Yes, Metro apps will be sandboxed and downloadable "only" from app store.
