Symantec, the anti-virus software giant behind the Norton family of AV software, has found Apple’s iOS to be far ahead of Google’s Android mobile operating system in terms of security. According to Carey Nachenberg of Symantec,
“We set out to analyze the core security architecture of iOS and Android,” he says. “To analyse how secure they are, their potential vulnerabilities, and [determine] what is the state of security for these devices.”
He said that iOS has an advantage in security, for a few reasons, such as:
Even though both OSes uses “traditional access control” via passwords, iOS comes with a feature that allows the owner to remotely locate, lock and/or wipe their devices, something that Android users have to implement themselves with 3rd party applications.
One of the biggest differences between the two operating systems is their approach to what Nachenberg calls “application provenance”, identifying and certifying an app for the App Store is a much more stringent process for apps on iOS. Each and every app is reviewed before it is approved into the iTunes App Store, which serves as the only source for iPhone apps, unless the device is jailbroken, which essentially means allowing code that isn’t signed by Apple to run on the device.
For Android, the approach is completely different. “In effect, Google lets you create your own [signing] certificate and public/private key pairs” says Nachenberg. “There is no vetting of apps posted on the Android Marketplace. And apps can be sideloaded from any other website.”
On-device data encryption is also different between the two platforms. Apple offers built-in hardware encryption for all on-device data since the iPhone 3G[S]. The key to decrypt the data is stored on the device, but currently it is not protected by the user’s passcode. That means, Nachenberg says, that if an attacker gains physical control of the device and jailbreaks it, giving the attacker root access, then “iOS is very happy to decrypt all that data for the attacker.”
Android’s most widely installed operating systems, 2.1 and 2.2, offer no encryption however. Their tablet operating system, 3.0, does offer an option to encrypt data, but the user has to turn it on themselves, and encryption takes around an hour the first time it is turned on.
There are also large differences in the way apps are run on the operating system. On iOS, apps are not allowed read/write access to other apps or the OS. Each app can’t even tell if another is running. On Android however, apps are allowed read/write access, but only if the user approves it. Whilst this means Android apps can do more more easily, it does mean that a rogue app could potentially access all data on the phone’s internal and external storage.
iOS does have many flaws though, Symantec found 200 vulnerabilities that date back to 2007, the date of the iPhone’s release, which could allow an attacker to access nearly all files on the device.
You can see evidence for Symantec’s findings in practicality too. Android has been plagued by malware, whilst iOS has had very few viruses, and those were only effective on jailbroken phones that hadn’t had their root passwords changed, something that is strongly recommended in the jailbreaking community.
