Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
lysace 3 days ago

Not exactly brand new tech, but now on a mobile device without the long-term security baggage that often comes from using Android.

bigyabai 3 days ago | parent [-]

I think NSO Group has pretty thoroughly demonstrated that iOS users aren't exonerated from security concerns.

lysace 3 days ago | parent [-]

Yes, state actors will be able to breach into your iOS device if you're deemed important enough.

Edit: Meanwhile your average Android device has multiple publicly known remote execution issues.

Aerbil313 3 days ago | parent | next [-]

With iPhone 17 line the security situation has improved dramatically. I'm not a cybersecurity researcher, but Apple says even nation-state actors will struggle to breach a single device with the newly introduced Memory Integrity Enforcement mechanism. Their research appears legit:

https://security.apple.com/blog/memory-integrity-enforcement...

bigyabai 3 days ago | parent [-]

> Apple says even nation-state actors will struggle to breach a single device

Oh, I remember when they said this about Blastdoor too!

rogerrogerr 2 days ago | parent [-]

This is very clearly an entirely different class of effort than Blastdoor was/is. They decided that they needed a hardware solution to kill a category of exploits; Apple has a very good track record in this kind of thing.

bigyabai 3 days ago | parent | prev [-]

Yup. Pretty similar to the modern threat profile of Android, all things considered.

> your average Android device has multiple publicly known remote execution issues.

Help me distinguish between "publicly known" RCE vulns and private ones. Do the privately owned exploits like FORCEDENTRY count as "publicly known", or only the Greykey/Cellebrite exploits used by governments?

lysace 3 days ago | parent | next [-]

Apple’s primary motivation is to sell hardware. Their brand is hurt if their direct customers suffer damages through malware.

Google’s primary motivation is to sell ads. Their brand is not hurt if phone brand FlirpleFoo ships millions of Android devices and then hurts those customers by not keeping those devices secure.

JumpCrisscross 3 days ago | parent | prev [-]

> Pretty similar to the modern threat profile of Android, all things considered

I don’t think this is accurate. Not even every nation-state would be expected to have access to iPhone zero days, particularly with the new memory protection rolling out.

bigyabai 3 days ago | parent [-]

I don't think that's accurate, either. NSO Group sold their exploits to several other nation-states, seemingly without much (any...?) vetting concerning the ethics of their government.

JumpCrisscross 3 days ago | parent [-]

> seemingly without much (any...?) vetting concerning the ethics of their government

I’m not trusting in ethics. I’m trusting in commerce.

MIE should drastically reduce both the production rate and lifetime of zero days. That, in turn, means a focus on maximising profit per vulnerability versus process line.