Mobile Security – Android vs. iOS

With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace, the security of these devices is a growing concern and focus for smartphone users. This infographic examines the security features of Android and iOS, and also takes a look at their strengths and weaknesses.


 

Both Android and iOS have:

  • Traditional access control: such as passwords and idle-time screen locking to protect the device itself
  • Isolation: Limiting a process’s ability to access sensitive data or system resources from another process
  • Permissions-based access control: Granting each application a set of permissions that limits its access to specified device data and systems
  • Limited hardware access: Apps cannot directly access the underlying hardware. The hardware interactions are all controlled exclusively by a number of different layers of software which act as intermediaries between the application and the device itself.
  • Resistance to web-based attacks: Both systems have some built-in capabilities to resist web-based attacks.

 

Methods of application distribution

  • Android has more distribution channels. With Android there are more opportunities and methods to load applications. For example: Android devices support more than one app store as well as large-scale over-the-air app distribution
  • iOS apps can only be distributed through the Apple app store.
  • Data encryption available on both devices: There are different levels of encryption, and some of them are device-specific. The OSes provide mechanisms for apps to store secrets in ciphertext on disk, but apps don’t always take advantage of these features. For example, data encrypted on your mobile device may be stored in plain text if you sync to a PC.
  • Application Security Testing: The level of verification on app security isn’t the same between the various Android marketplaces and Apple’s App Store. Security and privacy are not thoroughly tested, and unauthorized access to sensitive data has already occurred in both the App Store and the Android Marketplace.
  • Apple sometimes approves apps then disapproves them: Apple has an approval process to place an application into the iTunes store. However, it’s not hard to find examples of apps being removed from the store “after” they’ve been found to behave badly.

 

Android vs iOS Security Features and Weaknesses

Android Security Features

  • Permission-based access control: Android’s access control model is different from iOS’s. Inside the application manifest, there is a static list of permissions that the Android application requests up front. The user is presented with the list at application installation time.
  • Installing Applications: The official Google marketplace allows remote installation of applications to your phone. It prompts the phone to accept the installation, therefore it is not possible to remotely install and run an auto-erase or find-me type application.

iOS Security Features

  • Permission-based access control: When an application requests the use of a protected feature in iOS (such as accessing the user’s current location) at runtime, the OS pops up a dialog box in the middle of the app and asks the user whether he/she chooses to allow the application access to the resource. Many apps fail if the user chooses “no”.
  • Geolocation: Locates your phone when it’s lost. This feature is provided by Apple as a feature of its operating system and accompanying online service.
  • Auto Erase: If your phone is lost or stolen you can wipe sensitive data from your device. In the event that the phone is returned, you can restore the information from the backups on your desktop. When this feature is enabled, 10 failed passcode attempts will automatically erase data from the device.
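
The static permission list that Android keeps in the application manifest can be read and reviewed before an app is installed. The sketch below is an added example, not part of the original infographic: it parses a decoded manifest and separates requested permissions into a watch list and the rest. The sample manifest, the package name and the watch list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # fully qualified form of android:name

# Assumption: a small reviewer-chosen watch list, not an official classification.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.SEND_SMS": "can send SMS (possible cost)",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample: a decoded (text) AndroidManifest.xml for a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission/>
  <application android:label="Flashlight"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the ordered, de-duplicated permissions the manifest declares."""
    root = ET.fromstring(manifest_xml)
    seen = []
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name and name not in seen:  # skip malformed entries and duplicates
            seen.append(name)
    return seen

def review(manifest_xml):
    """Split the static permission list into watch-list hits and the rest."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    other = [p for p in perms if p not in SENSITIVE]
    return flagged, other

if __name__ == "__main__":
    flagged, other = review(SAMPLE_MANIFEST)
    for perm, why in flagged.items():
        print(f"REVIEW {perm}: {why}")
    for perm in other:
        print(f"ok     {perm}")
```

A flashlight app that asks for contacts and SMS sending is the kind of mismatch the install-time list is meant to surface to the user.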
Android Weakness Example

  • Android Orphans: Millions of Android phones that are still under contract cannot be updated to the latest version of Android OS.
  • Wild West Application Marketplace: The application marketplace has limited (if any) security implementation. Instead, Google chose to allow nearly any application presented to the market to be published for user consumption. Google does not check the security of applications prior to general availability.
  • Smartphone Manufacturers Can Modify the Phone UI (User Interface): Google Android is designed to be modified by the carrier releasing the device. Because of this, Android devices suffer from additions to software and UI modifications that the smartphone owner doesn’t want or need.

iOS Weakness Example

  • Every iOS device running an OS lower than version 4.3.5 is vulnerable to a flaw called SSL MITM which hackers can exploit easily.
  • Since Apple won’t allow certain device categories to be upgraded to this level, it means that there are millions of permanently exploitable devices out there. Android has a similar problem.
  • If an iPhone owner chooses to jailbreak their phone, he becomes more vulnerable to malware.
  • iPhone jailbreaks expose security holes that may also be exploited by hackers. One example was located in the iPhone PDF parser, which contained a flaw that allowed a document to execute code.

 

So You Got a Smartphone for Christmas?

Here are 10 ways to protect it from hackers.

  • Change the phone password and your voicemail password.
  • Use a password/pin that is difficult for others to guess.
  • Set the phone so that it is password protected after 5 minutes of inactivity.
  • Only enable the wireless networks/connections you use, e.g. if you don’t use a Bluetooth device then don’t turn Bluetooth on!
  • Only install applications from vendors you trust. Check out app reviews and app-sources before installing.
  • Use mobile security software – e.g. Lookout.
  • Use mobile device management software.
  • Back up your data.
  • Don’t view sensitive data on public Wi-Fi.
  • Install OS updates as soon as they are available to ensure your smartphone firmware is up to date.

Symantec (an Internet and device security company) concludes that, even though iOS and Android both have their weaknesses, the mobile platforms are still much more secure than their PC counterparts.

Andy Steingruebl | January 4, 2012 8:13 pm

I think a future version of this would be improved if you added two more columns showing a typical Mac and PC. Where those platforms don’t explicitly try to control the 3rd party software distribution channel (yet), many of your comments about whether and how well these mobile platforms screen software for security and privacy holes will really stand out.

I think you (un?)intentionally imply that these platforms are somehow failing by not performing security and privacy checks for every application. Do you mean to do so? If so, is that because you believe that the mobile environment is fundamentally different than other platforms? In what way?

    Niru Raghavan | January 6, 2012 11:12 am

    Thank you for your suggestion on adding two more columns to show a typical MAC and PC. It’s a good one.

peanutsmonkey | January 5, 2012 3:07 pm

The infographic seems to have used the word process’s incorrectly when it should read processes i.e. Limiting a processes ability….

Android vs. iOS: Who Is Safer? | Newsgeek | January 10, 2012 12:40 pm

[...] in your possession safe enough? Round one: The security company Veracode released an infographic comparing the security conditions existing on Android devices with [...]

Scott | January 16, 2012 11:47 am

As information security practitioners, we use both Androids and iPhones. However, a while back we wrote an article about our concern over Geinimi and Android phones. (http://www.pivotpointsecurity.com/risky-business/android-insecurity-for-a-security-practitioner)

Since then we have been contacted by a variety of our customers with mobile security concerns. Mostly in the Healthcare space. With more Healthcare companies moving towards HITRUST and ISO 27001 certifications, it is only a matter of time before mobile security becomes a much larger concern.

Andy | January 17, 2013 12:22 pm

Thanks, author, for detailed comparisons.
I am currently using AVG’s free antivirus for android.

http://www.avg.com/eu-en/antivirus-for-android

Not bad so far. I will be happy to try any other apps with a superior performance.
