iOS versus Android, what is the most secure platform?

According to a recent study published by the research and consulting company Forrester Research, 60 millions of tablet computers and 175 millions of smartphones will be used at work in 2015. Moreover, still according to Forrester, 50% of the smartphones and 70% of the I-pads currently in use at work have been bought by the employees. This exponential growth comes along with the regular discovery of new flaws and vulnerabilities as evidenced for instance by various demonstrations performed last summer at the BlackHat security conference. As a consequence, every company may legitimately question regarding the security policies and measures to implement in order to limit or even to suppress the security problems that can be encountered in a corporate environment.

That is why we were interested in the security comparative study realised by Symantec last June concerning the two major mobile platforms used on the market: iOS by Apple and Android by Google.

Presentation

Both mobile devices are based on traditional operating systems (Mac OS X for iOS and Linux for Android) hardened in term of security. However these platforms, which are regularly connected outside the enterprise to personal computers or on the Internet, are very exposed to threats and they become themselves threat sources for a company every time they reconnect to its corporate network.

In its study, Symantec compares the different security models used by iOS and Android, and analyses their efficiency against the most significant threats.

• Web-based and network-based attacks: they occur for example when an unsuspecting user browses to a malicious web page. After identifying the web browser software, the malicious page sends an appropriate attack that allows it to get access to confidential information ( passwords, credit card numbers, contacts,…) or even install a malware
• Malwares: worms, virus and Trojans
• Social engineering attacks: phishing emails, phone calls … The goal of these attacks is to obtain sensitive information directly from an end-user.
• Resource abuse: a compromised device could be used to send spam or to cause  denials of services
• Data loss, confidentiality: mobile theft (the smartphone may e.g. contain sensitive corporate emails), potentially sensitive enterprise data may leak on a non-secured personal computer via mobile synchronisation systems …
• Mobile data integrity threats: data corruption or modification performed by a hacker or a malicious program.

In order to address the threats mentioned above, the designers of iOS and Android based their security implementations, to varying degrees, upon five distinct pillars:

• Traditional Access Control: passwords, idle-time screen locking,
• Application validation and provenance control: for example, digitally signing an application guarantees the identity of its vendor,
• Encryption: prevents data to be read on the device in case of device loss or theft,
• Isolation: attempts to limit an application’s ability to access the sensitive data or systems on a device,
• Permissions-based access control: each application is granted a set of permissions. The system limits the application’s actions to the scope of these permissions, and blocks the actions that exceed these permissions.

Apple iOS security

Symantec globally considers that the security model of Apple iOS is well designed and that it has proven largely resistant to attacks.

• The iOS’ encryption system provides strong protection of emails and email attachments. Additionally the system enables the device to be wiped in case of theft. However an attacker with a physical access to the device is able to access most data without providing any password.
• Apple controls and validates the applications provenance before their release. This security measure has proven to be efficient since no malware targeting non-jailbroken systems has been seen until now. 
• IOS’ isolation model (each application is isolated from every other) efficiently prevents traditional worms and virus infections and limits most network-based attacks such as buffer overflows. However, it does not necessarily prevent all classes of attacks (data loss or data modification, resource abuse attacks …), because every application can freely access certain data such as the calendar or the contacts.
• IOS does not authorize to send the device’s location, to place phone calls or to send an SMS without the owner’s permission.
• However, iOS does not feature protection against spam, phishing, and other forms of social engineering attacks.

Google Android security

Even if the Android security model is better than the one implemented on a traditional operating system, it comes with two major drawbacks:

• As the Android certification model is less restrictive than the Apple iOS one (a digital certificate is required for a new application installation, but this certificate can be anonymous), software developers can create and propose their applications or even anonymously modify existing applications without any controls, which contributes to Android-specific malwares proliferation.
• Even if Android security settings are very powerful (a large number of permission types can be defined on a per-application basis), they are left to the discretion of the user. Unfortunately, because most of the users have no technical skills for this type of parameters settings, certain attacks may be facilitated.

Apart from the two points listed above:

• Android isolation policy separates applications from each other and from the kernel but with some exceptions (for instance applications can read data from the SD card).
• Starting from version 3, Android provides a data encryption feature.
• Like Apple iOS, Android does not provide protections against social engineering attacks.

Apple iOS versus Google Android: overview

Symantec insists on the fact that mobile devices, regardless of the platform in question, are not evolving in a closed world but in a continuously connected ecosystem, which represents an important security threat for a company. In fact, iOS and Android platforms permanently synchronize with private cloud services (the corporate Exchange service), public cloud services (Gmail, MobileMe …), and with users’ personal computers for emails, calendars, contacts … as these external environments are not basically secure and are potentially hostile, enterprise sensitive data may be easily exposed.

Then the Symantec’s study provides two interesting evaluation tables:

• First, a recapitulative table summarizing both platforms resistance to attacks,
• Secondly, a table that evaluates, for both platforms, the five security pillars mentioned above in the article.

We reproduce these two tables below.  

Mobile security solutions

In its paper, Symantec finally makes a list of the main technical solutions that can reinforce mobile platforms security, the evolution of these solutions often following threats evolution:

• Mobile antivirus

Mobile antivirus solutions are used for Android platform but they only detect known threats. Concerning iOS, the isolation model design does not allow the installation of an antivirus software.

• Secure browsers

For both platforms, third-party secure web browser can be installed in order to check visited URLs and to block malicious pages. However in such a case, the end-user can not use the familiar factory-installed web browser anymore and should always use the third-party secure browser.

• Mobile Device Management (MDM) tools

These tools allow remotely administering a pool of mobile platforms. In particular, they can help reducing the exposure to certain threats by configuring main security settings (password strength, VPN settings …), by deactivating some critical applications, by preventing new applications installation or by enabling the remote wipe of theft or lost devices.

• Enterprise Sandboxes

Sandbox solutions allow isolating and encrypting enterprise sensitive data in a secure environment that allows the user to securely connect to and access the enterprise resources with his own mobile. All data stored in the sandbox, and data transmitted to and from services accessible via the sandbox, is encrypted. The user can still make a non-professional use of its Smartphone, which will take place outside the sandbox area. 

• Data Loss Prevention (DLP) tools

Such data loss prevention tools can not really be used with iOS and Android. In fact, because of the isolation model implemented in the system, a DLP solution will not be able to monitor every installed application for potentially sensitive data disclosure.

Conclusion

This study, which makes iOS appear more secure than Android, should however be mitigated by the fact that jailbroken devices or those whose security features have been disabled, become as vulnerable as standard operating systems.

Symantec concludes the report by saying that even if both iOS and Android platforms are designed to offer more security compared to standard operating systems (application isolation, per-application permissions …), they are also designed for consumer and are thus based on a necessary compromise between security and usability. As a consequence, such devices, which feature on one hand real security improvements from a technical point of view, paradoxically represent on the other hand a threat for a company when the employees bring their own devices at work and access potentially sensitive data. Increasing this risk is the fact that users regularly connect these same platforms to external cloud services and to their personal computers, which are obviously out of the enterprise control.

Finally, we find unfortunate that the study did not include the BlackBerry platform in the comparison. In fact, there is no doubt that BlackBerry devices are particularly tailored to a corporate use and that they probably feature protection regarding data confidentiality (end-to-end encryption …), but it is more difficult to assess their  security level regarding application isolation, malware protection, application-based permission control etc.