Symantec researchers compared and analyzed the security decisions that went into Apple's iOS and Google's Android mobile platforms.
though both Apple's iOS and Google's Android smartphone operating systems are
pretty secure, they are still susceptible to multiple types of attacks,
and iOS were designed with mobile security in mind and are superior to traditional
desktop operating systems, Symantec researchers wrote in a whitepaper released
June 28. However, the security features aren't sufficient to meet enterprises'
requirements, the paper concluded.
23-page whitepaper, "A Window Into Mobile Device Security," examined
Web-based and network cyber-attacks, social engineering, data integrity and
malware on both mobile operating systems.
had better access control, application provenance and encryption in iOS, while
Google was better at application isolation, Khoi Nguyen, group product manager
in the enterprise mobility group at Symantec, told eWEEK.
project wasn't about determining which platform was better," Nguyen said.
Symantec was more interested in examining the core security architecture to
analyze strengths and potential vulnerabilities, Nguyen said.
bets are off for users with jailbroken devices regardless of the company, said
Nguyen. They are every bit as vulnerable as traditional computers and an
platforms enforce access control policies via passwords, Symantec found,
although the iOS offers more options for protecting data, such as an automatic
data wipe after a specified number of failed password attempts.
certification and rigid control over what applications can be posted on the App
Store protect users, Nguyen said. The iTunes App Store acts as a certificate
authority to sign the app and is the only source for non-jailbroken iOS
devices. Google's "less rigorous" system helps trigger the increase
in Android malware because it is easier to get malicious apps onto the Android
Market, Symantec found. Luckily for Google, most Android malware to date hasn't
had a significant impact on users yet.
though Apple offers built-in hardware encryption for all on-device data, the
way it handles decryption is a potential vulnerability, according to Nguyen.
The encryption key is stored on the device but not protected by the user's
master passcode. If an attacker gains physical control of the device and jailbreaks
it, the data is fully accessible to the thief without knowing the passcode,
the other hand, Android 2.2 and 2.3 don't have any built-in encryption
capabilities, Symantec found. The tablet version, Android 3.0, offers an
encryption option, but it's turned off by default. Both platforms use some form
of sandboxing to isolate applications and require apps to request permissions
to access device capabilities.
iOS apps are forbidden to read or write to other apps or the operating system
and have limited access to the SIM card or the kernel, they can perform a wide
range of actions such as accessing the Internet, getting the phone number,
looking at the calendar and controlling the video camera without requesting
permission from the user. This can raise potential privacy flags.
apps are blocked from accessing most system services unless the user explicitly
grants permission. When the user tries to install an app, it is shown a list of
permissions the app needs, so the user knows up front exactly what the app will
do on the device, such as sending SMS messages or accessing the Internet.
Android gives the user control over what to allow on a case-by-case basis, it
also runs the risk of overwhelming non-technically savvy users by asking them
to make security decisions, Nguyen said.
mobile devices are designed to be more secure, the way they are used makes them
more insecure than laptops and desktops within the enterprise. Regularly
synchronizing devices with cloud services and home desktop computers so that
all the information is always accessible means sensitive corporate data on
those devices are being exposed to systems the IT department has no control
over, Symantec said. The devices are more vulnerable because they travel more
than laptops, are easier to steal and conceal and easier to break into once
stolen, according to Symantec.