Android vs. iOS: A Security Comparison

It is an indisputable fact that smartphones today areso deeply ingrained in the public psyche that they have become indispensable. Many organizations and businesses are now leveraging this ubiquitous phenomenon in the form of ‘Bring Your Own Device’ or BYOD. From the perspective of an IT Manager, BYOD can result in multiple benefits; not only does it allow employees to be connected to their workspace without actually being physically in the office, it also cuts down on the operational costs involved in setting up a dedicated hardware interface for every employee. Employees also often proactively tend to configure their smartphones to keep a track of all their official communications, facilitating quicker responses and seamless functionality. Therefore, whether BYOD compliant or not, smartphones are proving to be a very viable resource for IT Managers to optimize theoperations and cost-effectiveness of their organizations.

However, with great power comes great responsibility.Just like computers, smartphonesare susceptible to virus and malware attacks,something which people generally do not know about  or tend to ignore . Moreover, given the smaller sizes of these devices,they are more likely to be vulnerable to theft and loss. In such cases, the confidential information stored in the mobile phone is then at risk ofbeing compromised andmisused leading to the following security risks:

• Access to email and social networking accounts set up on phones
• Access to personal and confidential files, documents, emails, etc.stored on the device
• Access to personal messages and phone book details
• Sending messages to or calling premium numbers
• Access to stored passwords

This becomes a prime concern for IT managers responsible for overseeing the management and security of IT resources, and stipulates a better understanding of the differences in the security aspects of various mobile platforms, particularly Android and iOS. As the most popular platforms today, both Android and iOS have their own security systems, and a comparative analysis can be drawn on the basis of various features like approval processes for application downloading.

Android users have a centralized location to download applications called ‘Android Market’ which maintains various versions and updates of applications. Any application can be uploaded to the Android Market by any developer. At its end, Google does not check if the application does more than it says, choosing instead to follow the principle of Capability-Based security model. In this case,the user is shown a list of all the permissions that the application needs access to before installation, putting the onus on users to decide if they wantto continue with the process. Once the installation is complete, the app cannot access features other than the ones that itis authorised to use. While there is no doubt that this feature is intended to provide a more secure user experience,this particular model requires an innate understanding of the app’s capabilities and required permissions, something which many users do not possess. This leaves them vulnerable to malicious codices packaged in the application installer.

Similarly, Apple has its own App Store that hosts all applications centrally for the entire iOS community. Compared to Android, Apple has a relatively strict approach in terms of selecting an application. The review process in Apple is not limited to tests for vulnerabilities such as software bugs, instability on the iOS platform and the use of unauthorized protocols, but also tries to protect privacy issues, safeguard children from exposure to inappropriate content, and avoid applications that degrade the core experience of the iOS. However, these stringent measures are only available for Apple’s consumer App Store; enterprise apps designed for closed/internal system usage are not subject to this review procedure. As such, an enterprise app infected by a malware could then spread the infection across the entire enterprise system. This minor loophole was recently exploited by a compiler malware codenamed XCodeGhost, when hackers duped genuine iOS developers into using a counterfeit version of Apple’s XCode Tools. As a result, all apps developed or modified by them got infected by the malicious code. While Apple has since removed the malware-affected apps from the AppStore, the breach raises serious questions about vulnerability of the system, particularly for enterprise users.

Another important feature on which the security of both platforms can be compared is the ‘Programming language’ used. This is one aspect that not only affects the performance of the application, but also the security and implementation methodology. Android generally uses Java programming language for its applications. As per OWASP applications written in interpretation languages like Java are immune to buffer overflow, which thus makes the Android platform somewhat resistant to buffer-overflow attacks. On the other hand, iOS applications are written in Objective-C programming language. As these applications are linked to the standard C-libraries, any fragility within their framework can cause vulnerabilities even in programs written in"safe" languages. The usage of common C string-handling routines like strcat, strcpy, getsetc are predominant in iOS applications, making these applications susceptible to buffer-overflow attacks.

There are many aspects – openness of source code, bug testing/rectification speed and in-built data protection measures like PIN lock – based on which the security levels of these two platforms can be compared. However, as both have their respective pros and cons, neither iOS nor Android manage to emerge clear winners from an enterprise’s perspective. In this case the best course of action for an IT manager is to bring third-party security advisory experts into the picture. This not only helps enterprises leverage the benefits offered by various smartphone platforms, but also minimises the security vulnerability of the overall network on either platform.

The author is the co-founder and CEO of Paladion Networks

jordan