Symantec Compares Apple iOS, Google Android Security Features

Symantec researchers compared and analyzed the security decisions that went into Apple's iOS and Google's Android mobile platforms.

Even though both Apple's iOS and Google's Android smartphone operating systems are pretty secure, they are still susceptible to multiple types of attacks, Symantec said.

Android and iOS were designed with mobile security in mind and are superior to traditional desktop operating systems, Symantec researchers wrote in a whitepaper released June 28. However, the security features aren't sufficient to meet enterprises' requirements, the paper concluded.

The 23-page whitepaper, "A Window Into Mobile Device Security," examined Web-based and network cyber-attacks, social engineering, data integrity and malware on both mobile operating systems.

Apple had better access control, application provenance and encryption in iOS, while Google was better at application isolation, Khoi Nguyen, group product manager in the enterprise mobility group at Symantec, told eWEEK.

"The project wasn't about determining which platform was better," Nguyen said. Symantec was more interested in examining the core security architecture to analyze strengths and potential vulnerabilities, Nguyen said.

All bets are off for users with jailbroken devices regardless of the company, said Nguyen. They are every bit as vulnerable as traditional computers and an attractive target.

Both platforms enforce access control policies via passwords, Symantec found, although the iOS offers more options for protecting data, such as an automatic data wipe after a specified number of failed password attempts.

Apple's certification and rigid control over what applications can be posted on the App Store protect users, Nguyen said. The iTunes App Store acts as a certificate authority to sign the app and is the only source for non-jailbroken iOS devices. Google's "less rigorous" system helps trigger the increase in Android malware because it is easier to get malicious apps onto the Android Market, Symantec found. Luckily for Google, most Android malware to date hasn't had a significant impact on users yet.

Even though Apple offers built-in hardware encryption for all on-device data, the way it handles decryption is a potential vulnerability, according to Nguyen. The encryption key is stored on the device but not protected by the user's master passcode. If an attacker gains physical control of the device and jailbreaks it, the data is fully accessible to the thief without knowing the passcode, Symantec found.

On the other hand, Android 2.2 and 2.3 don't have any built-in encryption capabilities, Symantec found. The tablet version, Android 3.0, offers an encryption option, but it's turned off by default. Both platforms use some form of sandboxing to isolate applications and require apps to request permissions to access device capabilities.

While iOS apps are forbidden to read or write to other apps or the operating system and have limited access to the SIM card or the kernel, they can perform a wide range of actions such as accessing the Internet, getting the phone number, looking at the calendar and controlling the video camera without requesting permission from the user. This can raise potential privacy flags.

Android apps are blocked from accessing most system services unless the user explicitly grants permission. When the user tries to install an app, it is shown a list of permissions the app needs, so the user knows up front exactly what the app will do on the device, such as sending SMS messages or accessing the Internet.

While Android gives the user control over what to allow on a case-by-case basis, it also runs the risk of overwhelming non-technically savvy users by asking them to make security decisions, Nguyen said.

While mobile devices are designed to be more secure, the way they are used makes them more insecure than laptops and desktops within the enterprise. Regularly synchronizing devices with cloud services and home desktop computers so that all the information is always accessible means sensitive corporate data on those devices are being exposed to systems the IT department has no control over, Symantec said. The devices are more vulnerable because they travel more than laptops, are easier to steal and conceal and easier to break into once stolen, according to Symantec.