Security Showdown: Android Vs. iOS - InformationWeek


Commentary
7/5/2011 03:25 PM
Kurt Marko

Security Showdown: Android Vs. iOS

Symantec compares the security architecture of mobile operating systems from Google and Apple, but OS improvements are only part of the story.

In light of Research In Motion's continuing poor financial performance, executive departures, and tepid tablet sales (subscription required), it's clear that the competition for smartphone and tablet pre-eminence is now a two-horse race: Android and iOS, via Google (and its stable of hardware licensees) and Apple. Estimates show these two now account for almost two-thirds of the smartphone market and are the two platforms gaining share at the expense of RIM, Microsoft, and Palm/HP.

Since your next phone or tablet will almost certainly be running one of these operating systems, what's a security-conscious buyer to do? Sure, most people are swayed by more subjective factors, such as Apple's sex appeal or Google's openness and product diversity, but if you're a paranoid, tech-savvy IT type, which platform is least likely to cause security headaches for you and your enterprise? To help answer that question, security researcher and Symantec chief security architect Carey Nachenberg has put both systems under a microscope, detailing his findings in a new white paper. For those who don't want to wade through the 22-page report, here are a few highlights.

The good news is that both mobile operating systems, each a Unix variant (Android is based on Linux; iOS on OS X, which has its roots in FreeBSD), are more secure than a Windows PC. This is not too surprising, since they build on years of experience in OS security and are designed for more narrowly focused tasks than a general-purpose, do-everything PC. As the paper highlights, both embody most, if not all, of these five "security pillars":

-- Traditional access control: techniques such as passwords and idle-time screen locking to protect the device itself.
-- Application provenance: curation (testing, verifying, and tamper-proofing) of individual applications, followed by hashing and digital signing that ties each application to its author's identity.
-- Encryption: protecting data on the device in the event of loss or theft.
-- Isolation: limiting an application's ability to access sensitive data or system resources on a device.
-- Permissions-based access control: granting each application a set of permissions that limits its access to specified device data and systems.
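
To make the "application provenance" pillar concrete, here is an added example (not from the Symantec paper, and not how either Android or iOS actually packages or signs applications) of the two mechanisms it names working together: each file in a bundle is hashed into a canonical manifest, the manifest is signed with the author's key, and the installer-side check rejects anything that was modified, added, or signed by someone else. The in-memory `Package` type, the manifest format, and the choice of Ed25519 and SHA-256 are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Package is a constructed, in-memory stand-in for an app bundle:
// relative file path -> file contents. (Assumption: a real bundle is an archive.)
type Package map[string][]byte

// BuildManifest lists every file with its SHA-256 digest in canonical (sorted)
// text form, so identical contents always produce identical manifest bytes.
func BuildManifest(pkg Package) []byte {
	names := make([]string, 0, len(pkg))
	for name := range pkg {
		names = append(names, name)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, name := range names {
		sum := sha256.Sum256(pkg[name])
		fmt.Fprintf(&sb, "%s %s\n", hex.EncodeToString(sum[:]), name)
	}
	return []byte(sb.String())
}

// SignManifest binds the manifest to the author's identity (their signing key).
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyPackage is the installer-side check: the manifest must carry a valid
// signature from the expected author key, and every file must hash to the value
// recorded there, with no files added or removed.
func VerifyPackage(pub ed25519.PublicKey, pkg Package, manifest, sig []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: not signed by the expected author key")
	}
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, " ", 2) // digest, then the rest is the file name
		if len(parts) != 2 {
			return errors.New("malformed manifest line")
		}
		expected[parts[1]] = parts[0]
	}
	if len(expected) != len(pkg) {
		return errors.New("file set differs from the signed manifest")
	}
	for name, data := range pkg {
		want, ok := expected[name]
		if !ok {
			return fmt.Errorf("file %q is not in the signed manifest", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("file %q was modified after signing", name)
		}
	}
	return nil
}

// Scenarios runs the check over constructed inputs and reports, per case,
// whether the package was accepted. Only the untouched, correctly signed one should be.
func Scenarios() map[string]bool {
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // some other party's key

	genuine := Package{"bin/app": []byte("binary bytes"), "res/strings.txt": []byte("hello")}
	manifest := BuildManifest(genuine)
	sig := SignManifest(authorPriv, manifest)

	tampered := clone(genuine)
	tampered["bin/app"] = []byte("binary bytes, altered after signing")
	extra := clone(genuine)
	extra["lib/plugin.so"] = []byte("file the author never signed")

	return map[string]bool{
		"genuine package, author key":      VerifyPackage(authorPub, genuine, manifest, sig) == nil,
		"file modified after signing":      VerifyPackage(authorPub, tampered, manifest, sig) == nil,
		"extra file not in manifest":       VerifyPackage(authorPub, extra, manifest, sig) == nil,
		"signature checked with wrong key": VerifyPackage(otherPub, genuine, manifest, sig) == nil,
	}
}

func clone(p Package) Package {
	c := make(Package, len(p))
	for k, v := range p {
		c[k] = v
	}
	return c
}

func main() {
	for name, accepted := range Scenarios() {
		fmt.Printf("%-34s accepted=%v\n", name, accepted)
	}
}
```

The order of the two checks matters: the signature is verified before any per-file hash is trusted, because the manifest itself is untrusted input until the author's key vouches for it. The file-count comparison is what catches a bundle that carries an unsigned extra file, a case that per-file hashing alone would miss.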

Nachenberg uses two categories to evaluate each mobile operating system: first, how resistant it is to various modes of attack, and second, how well it implements the above-mentioned five security strategies. On both counts iOS wins, but neither OS makes the honor roll (see charts below). When it comes to attack resistance, iOS scores a C-plus (on a 4.0 scale) versus Android's D-plus. In fairness, neither does anything to mitigate social engineering attacks, so if we omit this category from grading, iOS gets a B while Android pulls a C-minus.

When it comes to implementing security features, iOS again comes out on top, meriting a B-minus on Nachenberg's 0-4 scale vs. a solid C for Android. While Android's Java-based runtime environment provides superior application isolation, its weaker access control policies, nonexistent (until the tablet-based Honeycomb release) data encryption, and ineffective application validation scheme render it far more vulnerable to malware exploits.

Yet OS improvements are only part of the security story, because by automatically synchronizing email, calendars, contacts, photos, and even document files (via services like Dropbox, Evernote, and Apple's forthcoming iCloud), tablets and smartphones are veritable magnets for sensitive personal and enterprise data. While OS features such as process isolation and data encryption greatly improve information security, they're not foolproof, particularly if a persistent, knowledgeable attacker actually gets possession of a device. As Nachenberg concludes, "This back door connectivity results in the loss of potentially sensitive enterprise data across third-party systems that are out of the enterprise's direct control and governance."

While it's valuable for IT to evaluate the merits of each platform's security architecture (and on this score, Apple is leading) before formally adopting a mobile device for enterprise use, it's more important to develop plans for controlling and managing mobile devices, regardless of platform. This means investigating add-on mobile security utilities such as antivirus and VPNs, central mobile device management systems, and data loss prevention software. As Nachenberg rightly points out, as consumer devices, smartphones and tablets typically trade off security for convenience and usability; however, through planning and judicious deployment practices, IT can tip the balance and reduce the risks of these increasingly popular information appliances.

