Mobile Device Security: Android vs. iOS

27 02 2012

Introduction

Mobile devices are becoming more and more prevalent in our daily lives. They are replacing many of the operations that in the past were done primarily on PCs, such as surfing the internet and checking email. Another reason they are so popular is the large number of applications that can be downloaded and used on the devices. But how secure are these devices, and what are the risks to personal data when using a mobile device? The two most popular operating systems that run on these devices in the market today are Google’s Android and Apple’s iOS. I will discuss some of the security features associated with each OS and also some of the security flaws.

Security Traits Common to Both Android and iOS

Both operating systems are built on the following five security principles [1]:

  1. Access Control – Traditional password protection and the ability to lock the device
  2. Encryption – Data encryption on the device
  3. Isolation – Limits on an application’s ability to access resources and data on the device
  4. Application Provenance – Use of digital signatures to authenticate application authors
  5. Permission-based access control – Users have control over what data an application can access

Although each OS uses these five security principles, the implementation of the security features differs between them, as discussed below.

Apple iOS Security Highlights

Apple only allows its users to get apps from the Apple App Store, and Apple is able to screen apps using a rigorous process. Included in this process is the application provenance referenced above. Only the apps that Apple deems safe are allowed to be sold in the App Store, and users are assured of the authenticity of the developer. Although this process does eliminate many malicious applications, it is not perfect, and Apple has had to remove applications from its market after they were offered to users.

Apple iOS incorporates a number of access control features into its devices. A user can enable password protection on the device as well as choose the length of the password and the number of incorrect attempts before the device will wipe itself clean. In addition, iOS employs a locating feature that allows you to pinpoint the location of the device from your PC. The user can also protect the data of a lost or stolen device by remotely wiping the data on the device.

Flaws

iOS takes advantage of the permission-based access control mentioned above; however, the user is not asked whether to allow the app access until after the app is downloaded and installed, and many applications will stop working if the user selects “no” when asked to give access to the data [2].

Apple was in the news last year for an SSL Man-in-the-Middle attack flaw, but has fixed the flaw with an update to the iOS software.  However, many iOS devices cannot be updated to the newer version and are left vulnerable to this type of attack [3].

Google Android Security Highlights

Google’s approach to permission-based access control is different from Apple’s in that permissions are granted at the time of application installation rather than at run time. A user can decide before the app is ever downloaded how much control the app should have. If the app requires more access than the user prefers to give, then the user can choose not to install the app. In addition, users must accept the installation of an application before the app will actually install to the device, so it is impossible to install and run an auto-erase or location-type application on an Android device without the user accepting it [2]. This can be a good thing in that the user will know what is being run on the device, but bad in the event that the device is lost or stolen.
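The install-time decision described above can be made systematic by comparing what an app requests with what its stated purpose explains. The following is an added example, not code from the original post or from Google: the sample manifest, the SENSITIVE policy table, and the function names are assumptions made for illustration, while the permission strings are standard Android permission names.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by Android manifests (android:name).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest in decoded text form; not taken from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Assumed reviewer policy: permissions that expose personal data or cost money.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.SEND_SMS": "can send premium-rate messages",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.RECORD_AUDIO": "can record the microphone",
}

def requested_permissions(manifest_xml):
    """Return the permissions the app asks for, de-duplicated, in file order."""
    root = ET.fromstring(manifest_xml)
    seen = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name and name not in seen:
            seen.append(name)
    return seen

def review(manifest_xml, expected):
    """Sort requested permissions by whether the app's purpose explains them."""
    report = {"expected": [], "sensitive_unexpected": [], "other_unexpected": []}
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            report["expected"].append(perm)
        elif perm in SENSITIVE:
            report["sensitive_unexpected"].append(perm)
        else:
            report["other_unexpected"].append(perm)
    return report

def install_decision(report):
    """Install-time grants are all-or-nothing: one unexplained sensitive request means decline."""
    return "decline" if report["sensitive_unexpected"] else "install"
```

The manifest packaged inside an APK is stored as binary XML, so it has to be decoded to text before a check like this can read it.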

Flaws

Unlike Apple iOS’s App Store approach, Google has many marketplaces for Android applications. These marketplaces do not have the same rigorous application selection process that the App Store does. Because there are fewer controls over which apps can be sold in these marketplaces, there is a greater risk of malicious applications.

Android is designed so that the service provider can modify the UI [2]. This means that the service provider can install additional software that the user doesn’t want or need, which could create security holes that Google didn’t anticipate, leading to a less secure user interface.

Flaws Common to Both iOS and Android

Cloud computing is becoming more and more popular. Mobile devices are being used to access email, calendars, and documents on the go. Many of these applications require that you connect with a third-party vendor, which may not have a secure application or connection to protect your data [1].

Both Android and Apple devices can be modified to override the operating system and allow access to system settings that wouldn’t be allowed under normal circumstances.  This is known as rooting or jailbreaking.  Manipulating the device in this manner can void the support for the device and make software and firmware updates inaccessible.  Also, an attacker can hack the system in the same manner that the user did and gain access to information on the device.

How to Keep Your Device Secure

Here are some things you can do to protect yourself from mobile device security risks [2]:

  1. Change the phone and voicemail password
  2. Use a password/PIN that is difficult for someone else to guess
  3. Set the device to be password protected after 5 minutes of inactivity
  4. Only enable the wireless connections that you actually use
  5. Only install applications from vendors that you trust
  6. Use mobile security software
  7. Use mobile device management software
  8. Back up your data
  9. Don’t view private data on public WiFi
  10. Install OS and firmware updates as soon as they are made available

______________

[1] “A Window into Device Security: Examining the Security Approaches of Apple’s iOS and Google’s Android”, Carey Nachenberg.  Retrieved Feb. 24, 2012 from: http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp

[2] Android vs. iOS Infographic. Retrieved Feb. 24, 2012 from: http://www.veracode.com/resources/android-ios-security

[3] Android Security vs. iOS Security, Alvin Ybanez.  Retrieved Feb. 24, 2012 from: http://www.androidauthority.com/android-security-vs-ios-security-46385/
