Malware: a Matter of Definition

Kurt Wismer has just put up a blog asking is the iphone really malware free? (Don’t be put off by the trademark absence of capitalization). Wismer is not illiterate and very far from stupid, asks some very pertinent questions, and his commentary is always worth reading. In fact, if keeping the security industry honest was a one-man job, he’d probably be headhunted for it.

The question arose from a conversation – well, an exchange of tweets – with Mikko Hypponen and Sean Sullivan, both of F-Secure. Here’s the way I see it (and yes, I’m asking questions too, not posing as the voice of the anti-malware industry), with the additional benefit of an exchange of subsequent comments to the same article.
Do jailbroken iGadgets count? Apple clearly don’t think so, though there are those even in the AV industry who dislike Apple’s continuing attempts to maintain iron control as the only route to security. As Vess commented:
"Basically, the Apple model is much more restrictive – which makes it somewhat safer. This is not necessarily a good thing – I'd take malevolent freedom over benevolent dictatorship any time – but it does provide for better security."
Wismer’s observation that “what people really mean when they say no malware for the iphone is that there's no malware in the app store” is right on the button. Leaving aside (for the moment) the question of whether that absence of malware is correct, the difference between the App Store and the Android Market, in security terms, is that even while Android is taking tentative steps into validating code within its own domain, it doesn’t have a problem with our going elsewhere to download what we like, whereas Apple doesn’t want us to go anywhere but the app market. The resemblance is that if we exercise our options of choice (to jailbreak or not to jailbreak, to stay within the Android Market or venture further afield) we do so at our own risk. But is the choice between safety and risk? Well, Apple’s rule of iron feels safer.
But what is this stuff called malware? Well, it isn’t, apparently, what F-Secure calls riskware. Or what other vendors call Possibly Unwanted Programs, or Possibly Unsafe Programs, or Possibly Unwanted Software (love that last acronym...) – this is an industry-wide problem, not F-Secure's. And these are murky waters: there’s the stuff that the security industry thinks is spammy, but customers might want it anyway; there’s the stuff we tend to see in dangerous contexts, but isn’t malicious in its own right; there’s the stuff the research community might think reeks to high heaven, but is justifiably nervous of classifying as malicious because of the certainty of stirring up a hornets’ nest of unpleasant legal and other harassment. Wismer suggests that:
“...if ALL (or a not insignificant proportion) of the vendors classified something bad as malware then the two-bit spyware vendors can't realistically do anything about it. So long as you're all united you have a defense - it's only when you swim alone that you're at risk.”
I agree that co-operation between vendors to fight a legal threat seems reasonable, and maybe even the Right Thing To Do, especially in the Windows market, where there’s no arguing with the presence of a deluge of badware. That doesn’t mean I think it’s going to happen any time soon. And I think it’s even less likely to happen where a platform (OS, social medium, hardware, whatever) is owned by companies who are in a state of semi-denial about the existence of anything worse than adware. And that describes a lot of platforms in today’s online world.