Smartphone Security Smackdown: iPhone Vs. Android - InformationWeek


How do Apple iOS and Google Android stack up on security? Both could take one lesson from RIM, says Symantec security expert.

In the smartphone platform wars, which side can claim the better security?

Both Apple iOS and Google's Android were designed to offer strong security out of the box, in Apple's case by improving on Apple's OS X operating system, and for Android, building on Linux. "They each employ far more elaborate security models than are designed into their core implementations," according to a new report from Symantec. "The ostensible goals of their creators: to make the platforms inherently secure rather than to force users to rely upon third-party security software."

But according to the report, which assesses each platform's relative strengths and weaknesses, the end result is still "a mixed bag." For example, Apple iOS offers full protection against malware attacks, fully vets application provenance, and offers good encryption and access-control capabilities, but it is only moderately good at isolating applications, enforcing permission-based access control, and preventing resource abuse.

Meanwhile, Google Android offers little protection against malware or data integrity attacks, and doesn't have much in the way of application provenance checks or encryption. But unlike iOS, Android runs applications in full isolation, which restricts their ability to inappropriately interact with sensitive systems, as well as other applications.

Both platforms, however, make security tradeoffs. "On the one hand, these platforms have been designed from the ground up to be more secure--they raise the bar by leveraging techniques such as application isolation, provenance, encryption, and permission-based access control," according to the report. "On the other hand, these devices were designed for consumers, and as such, they have traded off their security to ensure usability to varying degrees. These tradeoffs have contributed to the massive popularity of these platforms, but they also increase the risk of using these devices in the enterprise."

In other words, when it comes to smartphone security, it's unclear if one platform could reasonably be declared the winner. Asked that question directly, report author Carey Nachenberg, a VP and fellow at Symantec, said, "I want to stay away from saying one is better than the other."

But he did say that beyond addressing the strengths and weaknesses of each one, as called out in the report, there's another way they could both make a large security improvement. "The one thing that most devices could probably use is the ability to segment enterprise data from consumer data, so devices could be used in an enterprise, and have a certain set of data locked down and inaccessible to any part of the device that's consumer-owned," said Nachenberg.

So, as an example, a smartphone's locally stored enterprise address book or calendar appointments could be saved in the enterprise section, featuring full encryption, remote wiping, and fronted by a mandatory password. Meanwhile, personal information could be saved to a section that allowed the user to set whichever level of security protection they wanted.

"RIM, with the BlackBerry Balance, has a system like this that they're trying to roll out," said Nachenberg. "The idea is that they segment enterprise and consumer-owned content." Notably, BlackBerry Balance silos enterprise data, preventing it from interacting with any personal data stored on the device.

Baking enterprise security capabilities into smartphones offers one strategy for addressing what appears to be widespread resistance to adding third-party security tools to smartphones. Notably, only 15% of smartphone users had added mobile antivirus tools to their smartphones, according to a SANS study conducted last year. IT managers display a similar aversion to add-on smartphone security, according to a McAfee-sponsored study released by Carnegie Mellon University's CyLab in May. That research found an "apparent unwillingness of the majority of administrators to pay for mobile security products or services."
