With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace, the security of these devices is a growing concern and focus for smartphone users. This infographic examines the security features of Android and iOS, and also takes a look at their strengths and weaknesses.
Traditional access control: such as passwords and idle-time screen locking to protect the device itself.
Isolation: limiting a process’s ability to access sensitive data or system resources belonging to another process.
Permissions-based access control: granting each application a set of permissions that limits its access to specified device data and systems.
Limited hardware access: apps cannot directly access the underlying hardware. Hardware interactions are controlled exclusively by several layers of software that act as intermediaries between the application and the device itself.
Resistance to web-based attacks: both systems have some built-in capabilities to resist web-based attacks.
Methods of application distribution
Android has more distribution channels. With Android there are more opportunities and methods to load applications; for example, Android devices support more than one app store as well as large-scale over-the-air app distribution.
iOS apps can only be distributed through the Apple app store.
Data encryption available on both devices
There are different levels of encryption, and some of them are device-specific. The OSes provide mechanisms for apps to store secrets in ciphertext on disk, but apps don’t always take advantage of these features. For example, data encrypted on your mobile device may be stored in plain text if you sync to a PC.
Application Security Testing
The level of verification of app security isn’t the same between the various Android marketplaces and Apple’s App Store. Security and privacy are not thoroughly tested, and unauthorized access to sensitive data has already occurred in both the App Store and the Android Marketplace.
Apple sometimes approves apps, then disapproves them
Apple has an approval process for placing an application into the iTunes store. However, it’s not hard to find examples of apps being removed from the store “after” they’ve been found to behave badly.
Android vs iOS Security Features and Weaknesses
Android Security Features
Permission-based access control: Android’s access control model differs from iOS’s. Inside the application manifest there is a static list of permissions that the Android application requests up front. The user is presented with this list at application installation time.
Installing Applications: The official Google marketplace allows remote installation of applications to your phone. It prompts the phone to accept the installation, so it is not possible to remotely install and run an auto-erase or find-me type application.
iOS Security Features
Permission-based access control: When an application requests the use of a protected feature in iOS (such as accessing the user’s current location) at runtime, the OS pops up a dialog box in the middle of the app and asks whether the user chooses to allow the application access to the resource. Many apps fail if the user chooses “no”.
Geolocation: Locates your phone when it’s lost. This feature is provided by Apple as a feature of its operating system and accompanying online service.
Auto Erase: If your phone is lost or stolen you can wipe sensitive data from your device. In the event that the phone is returned, you can restore the information from the backups on your desktop. When this feature is enabled, 10 failed passcode attempts will automatically erase data from the device.
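Because Android declares its permissions statically in the manifest, a reviewer can read that list before ever installing the app. The following script is an added example (not from the original infographic) that parses a constructed AndroidManifest.xml and flags permissions that touch sensitive user data; the "sensitive" grouping is the reviewer's own assumption, not an official Android classification.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions that expose user data or can cost money.
# Assumption: this grouping is a reviewer's choice, not an official Android list.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.SEND_SMS": "send SMS (can cost money)",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CALL_PHONE": "place calls",
}

# Constructed sample manifest: a flashlight app asking for far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the static list of permissions the manifest declares up front."""
    root = ET.fromstring(manifest_xml)
    # Attribute names are stored in Clark notation: {namespace}name
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.findall("uses-permission")]


def review(manifest_xml):
    """Return (package name, [(permission, why it matters)]) for flagged permissions."""
    root = ET.fromstring(manifest_xml)
    flagged = [(p, SENSITIVE[p]) for p in requested_permissions(manifest_xml) if p in SENSITIVE]
    return root.get("package"), flagged


if __name__ == "__main__":
    pkg, flagged = review(SAMPLE_MANIFEST)
    print(f"{pkg} requests {len(requested_permissions(SAMPLE_MANIFEST))} permissions")
    for perm, why in flagged:
        print(f"  review: {perm} ({why})")
```

Run against a real APK's decoded manifest, the same check tells you what the install-time prompt will show the user before the app ever runs.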
Android Weakness Example
Android Orphans: Millions of Android phones that are still under contract cannot be updated to the latest version of the Android OS.
Wild West Application Marketplace: The application marketplace has limited (if any) security implementation. Instead, Google chose to allow nearly any application presented to the market to be published for user consumption. Google does not check the security of applications prior to general availability.
Smartphone Manufacturers Can Modify the Phone UI (User Interface): Google Android is designed to be modified by the carrier releasing the device. Because of this, Android devices suffer from software additions and UI modifications that the smartphone owner doesn’t want or need.
iOS Weakness Example
Every iOS device running an OS lower than version 4.3.5 is vulnerable to a flaw called SSL MITM which hackers can exploit easily.
Since Apple won’t allow certain device categories to be upgraded to this level, there are millions of permanently exploitable devices out there. Android has a similar problem.
If an iPhone owner chooses to jailbreak their phone, they become more vulnerable to malware.
iPhone jailbreaks expose security holes that may also be exploited by hackers. One example was located in the iPhone PDF parser, which contained a flaw that allowed a document to execute code.
So You Got a Smartphone for Christmas?
Here are 10 ways to protect it from hackers.
Change the phone password and your voicemail password.
Use a password/pin that is difficult for others to guess.
Set the phone so that it is password protected after 5 minutes of inactivity.
Only enable the wireless networks/connections you use, e.g. if you don’t use a Bluetooth device then don’t turn Bluetooth on!
Only install applications from vendors you trust. Check out app reviews and app-sources before installing.
Use mobile security software – e.g. Lookout.
Use mobile device management software.
Back up your data.
Don’t view sensitive information on public Wi-Fi.
Install OS updates as soon as they are available to ensure your smartphone firmware is up to date.
Symantec (an Internet and device security company) concludes that, even though iOS and Android both have their weaknesses, the mobile platforms are still much more secure than their PC counterparts.
Niru Raghavan joined the Veracode team in late 2011 as an Acquisition Marketing Manager. In this role, Niru is responsible for demand generation and program management primarily for online marketing programs. Prior to joining Veracode, Niru held positions of increasing responsibility at Liberty Mutual and Staples, successfully planning and implementing sophisticated online and offline marketing initiatives. She has managed product development efforts, launch activities and online marketing programs geared toward mid to large sized businesses in select vertical markets. Her specialties include product marketing, marketing strategy, and market research/analysis. She is also a keen web analytics enthusiast and Occam’s Razor by Avinash Kaushik is her all time favorite blog.