For the second time in two years, mobile-security firm Bluebox Security announced a serious vulnerability in the Android operating system that could allow a malicious application to gain higher privileges and take control of devices.
It’s the latest serious flaw in the Android operating system, which is, by far, the operating system most targeted by attackers. Yet comparing the security of Google’s and Apple’s mobile operating systems is not straightforward, according to experts.
The open nature of Android software tends to attract attackers, who have an easier time developing malicious programs for the platform than for Apple’s relatively closed iOS. But both platforms have similar track records, in terms of vulnerabilities, and Google quickly updates its Play store and the Android core operating system to stop attacks, Jeff Forristal, chief technology officer of Bluebox, told eWEEK.
“When people say that Android is insecure and Apple is doing a great job, think about the monumental task of what Google is trying to do here,” he said. With thousands of different devices running the Android OS, “the fact that it has any modicum of security is amazing,” he said.
In terms of vulnerabilities, the five-year track records of the two platforms are similar. Researchers have discovered 325 vulnerabilities in the Android operating system since 2010 and 185 in iOS, according to data from the National Vulnerability Database. Serious vulnerabilities have been found in both mobile operating systems. In 2012, for example, researchers hacked an Android device using the wireless Near-Field Communication (NFC) protocol, while at a similar competition in 2013, hackers showed a way to steal passwords from an iOS device.
The latest flaw in Android, dubbed the “Fake ID” vulnerability by Bluebox, allows developers to create applications that appear to come from a different, trusted developer. Because some programs on Android devices are granted hard-coded, higher-level access to the system on the strength of which developer they come from, an application masquerading as one from that developer can give attackers complete access to the device.
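The defensive lesson for app developers in that paragraph is that any privilege granted on the basis of "who published this app" must be anchored in the caller's actual signing certificate, not in a developer name or any other metadata another publisher could reproduce. The following is an added illustration, not code from the article, from Bluebox or from Google: it uses the public Android `PackageManager` and `SigningInfo` APIs (API level 28 and later) to compare the SHA-256 fingerprint of a calling package's full signing certificate against a pinned value. `EXPECTED_CALLER_SHA256` and the `callerPackage` argument are placeholders you would replace with your own trusted values.

```java
// Added example (not the article's, Bluebox's or Google's code): admit a caller
// only if the full certificate that signed its APK matches a pinned fingerprint.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class CallerVerifier {
    // Placeholder: hex SHA-256 of the DER-encoded certificate you expect the
    // trusted caller to be signed with. Replace with the real fingerprint.
    private static final String EXPECTED_CALLER_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private CallerVerifier() {}

    /** Returns true only if callerPackage is installed and signed by exactly the pinned certificate. */
    public static boolean isTrustedCaller(Context ctx, String callerPackage) {
        PackageInfo info;
        try {
            // GET_SIGNING_CERTIFICATES (API 28+) returns the certificates actually used to sign the APK.
            info = ctx.getPackageManager().getPackageInfo(
                    callerPackage, PackageManager.GET_SIGNING_CERTIFICATES);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // caller is not installed
        }
        if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) {
            return false; // accept a single, known signer only
        }
        Signature[] signers = info.signingInfo.getApkContentsSigners();
        if (signers == null || signers.length != 1) {
            return false;
        }
        // Hash the whole certificate. A subject or issuer name proves nothing on its
        // own, because any developer can put the same name into their own certificate.
        String actual = sha256Hex(signers[0].toByteArray());
        // Constant-time comparison of the two fingerprints.
        return MessageDigest.isEqual(
                actual.getBytes(StandardCharsets.US_ASCII),
                EXPECTED_CALLER_SHA256.getBytes(StandardCharsets.US_ASCII));
    }

    private static String sha256Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
    }
}
```

A component that exposes privileged functionality would call `isTrustedCaller(context, callingPackage)` before honouring a request, with `callingPackage` obtained from the binder or intent that delivered it. Pinning the certificate hash rather than a developer name means an APK signed by a different key is rejected even if its certificate carries an identical subject.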
The rough similarity in vulnerability data has not translated to similar chances of attack. Almost all criminal attacks of opportunity focus on Android, according to mobile-security firm Lacoon. Yet targeted attacks, which focus on stealing intellectual property and data, do impact Apple’s mobile operating system, according to Lacoon’s CEO Michael Shaulov.
By mining traffic collected by a large network provider, the company found that about 3 percent of devices show signs of malware infection. Among those devices infected with more advanced data-stealing and remote-access Trojans, 43 percent of the consumer devices ran Apple’s iOS, while 10 percent of infected corporate devices ran Apple’s mobile operating system.
“This shows that, first of all, you still have an exposure with iOS in the corporate environment,” Shaulov said. “But the fact that you have additional defenses in the enterprise helps reduce the exposure.”