Symantec finds big differences in iOS, Android security

Apple iOS and Google Android have some big differences when it comes to mobile security, creating distinct potential vulnerabilities for enterprises embracing devices running these operating systems, according to analysis by Symantec.

In some ways, the analysis concludes, mobile security for both platforms is superior to that of traditional PCs, because both were designed from the outset with security in mind. At the same time, their security features often don't add up, yet, to the protection enterprises might need.

BACKGROUND: Smartphones and tablets create huge corporate security challenge

The report, "A Window into Mobile Device Security," was prepared by Carey Nachenberg, Symantec fellow and chief architect of Symantec's Security Technology and Response (STAR) division. An 18-year veteran of the vendor, Nachenberg oversees the technical strategy for all of the company's core security technologies and content.

"We set out to analyze the core security architecture of iOS and Android," he says. "To analyze how secure they are, their potential vulnerabilities, and [determine] what is the state of security for these devices."

Both platforms have what Nachenberg calls "traditional access control" via passwords, and both allow administrators to set password policies. Apple iOS has an edge here, because it offers more options for protecting data, such as automatically wiping a device of data after a specified number of password attempts.

One of the biggest differences between the two operating systems is their approach to what Nachenberg calls "application provenance" -- identifying, certifying and vetting an app before it's published in the appropriate online catalog.

Apple's approach currently is far more stringent than Google's, he says. Every iOS developer has to register, every submitted app is reviewed by Apple, "but how is not disclosed," Nachenberg says. Then it's published in the iTunes App Store, which acts as the certificate authority to "sign" the app, and is the only source for iOS applications (unless the iPhone or iPad has been "jailbroken," a process that lets the user then load iOS apps from any source). Apple provides an option for corporate users: a signing certificate that lets them internally distribute iOS apps to their users, without publishing them publicly in the App Store.

For Android, the approach is completely different. "In effect, Google lets you create your own [signing] certificate and public/private key pairs" says Nachenberg. "There is no vetting of apps posted on the Android Marketplace. And apps can be sideloaded from any other website."

"Apple gets the edge in this category," he says.

On-device data encryption is also different between the two platforms. Apple offers built-in hardware encryption for all on-device data. The key to unscramble the data is stored on the device, but currently it is not protected by the user's passcode. That means, Nachenberg says, that if an attacker gains physical control of the device and jailbreaks it, then "iOS is very happy to decrypt all that data for the attacker."

This makes the device "reasonably secure against the casual attacker overall," Nachenberg says.

Apple does make use of a not-well-understood secondary level of encryption, Nachenberg says. It applies to the email inbox, its contents and attachments. And unlike the hardware encryption it is only available if the user logs into the device. This is a "much more secure" encryption, he says.

By contrast, Android 2.2 and 2.3, which are currently the most commonly deployed versions, have "no encryption at all." In some recent tablets, running Android 3.0, an encryption option is available, but the user has to deliberately turn it on and it takes about an hour to run the first time, Nachenberg says.

Apple, Google tackle access control

Both platforms make use of isolation and permission-based access control. Application "sandboxing" makes use of both, for example: in effect, wrapping a policy-based security bubble around an application or some other feature.

Nachenberg says these bubbles have three parts: blocking certain actions in all cases, allowing others in all cases, and letting the user explicitly approve or disapprove of some actions. The two platforms draw the line between these in different ways.

In iOS, apps are always forbidden to read/write other apps or the OS. One app "can't even tell if other apps are running," says Nachenberg. Apps are limited in accessing the OS kernel and information on the SIM card. At the same time, all apps can perform a very wide range of actions without notifying the user at all: They can access the Internet, a range of device identifiers, the phone number, calendar events, media files, recent browser history, the microphone and video camera. All without any user prompts.

Some iOS actions do involve the user: apps wanting to send SMS or email messages or GPS location or to make a call trigger a prompt to the user who must explicitly approve the action by pressing an onscreen button.

In both iOS and Android, data associated with each application always remains private to that application.

Android has important differences. For example, an app can read the entire contents of a plug-in SD card, Nachenberg says, including any sensitive corporate data that might be on it.

By default, Android apps unlike iOS ones are blocked from accessing a battery of system services unless explicitly granted permission by the user. When the app installs, the user is given a list of permissions, for example, "will you let this app send silent SMS messages without your permission." But there's a catch, says Nachenberg. "It's all or nothing," he says. "You can't select what the app will do and not do."

So Android gives the user more control over deciding if actions are harmful or not, compared to iOS. This has to be done on a case-by-case basis.

Finally, when deployed in an enterprise, IT has to be aware of how corporate data might be able to flow from protected corporate servers and networks through the mobile device via synching to personally-owned PCs at home, with weak or non-existent security, or to relatively unprotected cloud services used by the employee. "These use cases are happening right now," Nachenberg says.

One recommendation he offers: Protect information, not devices. "What types of information can your user gain access to?" he asks. "If you limit this, it won't get onto the device in the first place."

John Cox covers wireless networking and mobile computing for Network World.



Blog RSS feed:

Read more about anti-malware in Network World's Anti-malware section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Networkingsecuritymobile securitywirelesssmartphonesWireless ManagementiOS securityApplesymantecconsumer electronicsGoogle

More about AppleGoogleSymantecTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Cox

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts