Symantec compares iOS and Android security

Apple's iOS wins in most categories, but neither offers protection against phishing

Apple's iOS and Google's Android smartphone platforms are more secure than traditional desktop-based operating systems, but are still susceptible to many existing categories of attacks, according to a 23-page report from security software vendor Symantec.

The good news is that Apple and Google designed their respective operating systems with security in mind. But keeping up with a constantly changing threat landscape is difficult. In the report, "A window into mobile device security," Symantec evaluated the two operating systems for how they stood up to Web-based and network-based attacks, social engineering attacks, attacks on the integrity of the device's data, and malware.

Users of both Android and iOS smartphones and tablets regularly synchronize their devices with cloud services and with their home desktop computers. This can potentially expose sensitive enterprise data to systems outside the control of the enterprise, according to Symantec.

When it comes to protecting against traditional malware, Apple's certification of applications and developers protects users, according to Symantec. On the other hand, Google's less rigorous certification model has arguably led to today's increasing volume of Android-specific malware, the company said. Earlier this month Google had to remove yet more malware-infected apps offered in its Android Market.

Google's more open approach has been one of the reasons for its success, according to Ben Wood, director of research at CCS Insight. It has helped Google to quickly increase the number of available applications. So far, the offending apps haven't had a major effect on users, but user sentiment could change quickly if they are hit by more severe attacks, Wood said.

As has been pointed out by security experts in the past, Android's reliance upon the user to grant a set of permissions is a weak link. A majority of users are simply not technically equipped to make these security decisions. In contrast, Apple's iOS platform simply denies access, under all circumstances, to many of the device's more sensitive subsystems, according to Symantec. On Android, a malicious app simply requests the set of permissions it needs to operate, and in most cases, users happily grant these permissions.

On the plus side, Google does require that developers pay a fee and register with the company to be able to distribute their apps via the official Android App Marketplace, Symantec said.

Possible weaknesses in iOS include its encryption, according to Symantec. The majority of the data is encrypted in such a manner that it can be decrypted without the need for the user to input the device's master passcode. This means that an attacker with physical access to an iOS device can potentially read most of the device's data without knowing the passcode, Symantec said. In February, researchers in Germany showed how they could do this in six minutes on an iPhone running iOS 4.2.1, Symantec warned.

Also, attacks against specific applications like the iOS Web browser, while being self-contained and blocked from impacting other apps, can still cause significant harm to a device.

Android recently began offering built-in encryption in Android 3.0. However, earlier versions of Android, which are running on virtually all mobile phones in the field, contain no encryption capability.

So far, security researchers have uncovered about 200 different vulnerabilities in various versions of iOS. But the vast majority of these vulnerabilities have been of a lower severity. To date, all but four of the 18 vulnerabilities on Android have been patched by Google. One has been fixed in version 2.3, but it has not been fixed for prior versions of the operating system. For example, the recent Android.Rootcager, also known as Android.DroidDream, and Android.Bgserv threats both leveraged this vulnerability to obtain administrator-level control, according to Symantec.

Symantec also has a word of warning for users with jailbroken smartphones. They are an attractive target for attackers since they are every bit as vulnerable as traditional PCs, it said.

Symantec concluded that iOS offers better access control, application provenance and encryption. Google's Android offers better application isolation, and the permission-based access control category is a tie, according to Symantec. Apple also offers better protection against malware attacks, service attacks, data loss and data integrity attacks. Both offer full protection against Web attacks, and no protection technologies to address social engineering attacks such as phishing or spam.

Security on smartphones is a growing challenge that vendors need to address, according to Wood. Large-scale attacks can end up having a detrimental effect on smartphone popularity, he said.


Stories by Mikael Ricknäs
