Mobile Device Security Approaches of iOS and Android

9 09 2011

The current generation of mobile devices has been designed with security in mind, but the two leading mobile OSes approach security differently. Symantec Corporation released a report on June 28, 2011 highlighting what they see as four main pillars of mobile security. Interestingly enough, Jon Oberheide produced a paper about demystifying the challenges of mobile security a year earlier.

Symantec’s device security model revolves around Access Control, Application Provenance, Encryption and Isolation. Mr. Oberheide has found that iOS and Android share common security attributes in the realm of Application Delivery, Trust Levels and System Isolation.

But why is this really important?

It’s important because smartphone and mobile app usage is on the rise. Gartner Inc. estimates that “smartphone sales will reach 468 million units in 2011, a 57.7 percent increase from 2010.” [1] And during this period of explosive sales growth, the Android OS will be the market leader, with Apple’s iOS in second place. By 2015, Gartner projects sales of mobile devices to hit 1 billion units.[2] Besides sales of mobile devices, mobile apps downloaded from app stores are projected to hit 17.7 billion by the end of 2011, while approximately 8.2 billion apps were downloaded in 2010.[3] Mobile apps are what provide smartphone users the greatest value.

So what are the more interesting findings from Symantec and Mr. Oberheide?

Apple’s strategy of vetting each mobile app produced for the public for its iOS platform is a sound practice and works well to ensure non-malicious apps make it on to non-jailbroken devices. Mr. Oberheide ranks iOS with a “high” rating for Application Delivery. This is due to the fact that Apple is the only one permitted to deliver apps to the public. Additionally, Symantec gives Apple high marks in Application Provenance. Again, this is first because Apple checks all the apps before they are deployed to the public, and second because each app is digitally signed by the developer, so the consumer and Apple know who produced what app.

On the other hand, Android takes a different approach with respect to mobile apps. Android Application Delivery as described by Mr. Oberheide is ranked “medium” because the default app store for apps is the Android Market. I disagree with his assertion. Android’s App Delivery rating should be considered “low” because it is easy to change which source an app is downloaded from, and Android apps can be downloaded from different app stores or even straight from a web page. Interestingly, Symantec and Mr. Oberheide both agree that Android’s permission-based control is great compared to iOS’s lack of granular control.

In the end, while newer mobile OSes are more security conscious in their design, there are differences in how an open operating system incorporates security in its design as compared to a closed, proprietary system. iOS and Android devices dominate the smartphone market, and with the spread of these mobile OSes into other form factors, the way the OSes approach security will need to adapt as they begin to operate more than just telephony devices.

[1] “Gartner Says Android to Command Nearly Half of Worldwide Smartphone Operating System Market by Year-End 2012.” Technology Research | Gartner Inc. (accessed July 8, 2011).

[2] Ibid.

[3] Gartner Says Worldwide Mobile Application Store Revenue Forecast to Surpass $15 Billion in 2011. (2011, January 26). Technology Research | Gartner Inc. Retrieved August 17, 2011, from