Friday, October 28, 2011

Mobile Device Security: iOS vs Android

Nowadays it is common to see most people around us carrying a mobile device such as a smartphone or tablet computer. These devices allow us to stay connected 24/7. The ability for users to install applications has expanded their usability and thus increased their popularity. However, only a few users are aware of the security aspects of this technology. In this survey, I will compare the security features of the two most popular mobile platforms: Apple’s iOS and Google’s Android.

Both iOS and Android have built-in security features that were implemented based on four pillars: application provenance, encryption, isolation, and permission-based access control.

Application Provenance

Application provenance is the technique used to ensure that application authors and distributors have an identity that is tied to the application.

Apple takes a tight provenance approach to ensure the authenticity of the iOS applications. Every application must be signed by an Apple-issued digital certificate. Apple will verify the identity of the developer and company before issuing such a certificate. Moreover, with the exception of the applications developed under Apple’s iOS Developer Enterprise program, all iOS applications must be published through Apple’s App Store and are subject to vetting by Apple. With a few exceptions, Apple’s approach has been proven to be quite effective.

On the other hand, Google took a relatively loose provenance approach. Although every Android application must also be digitally signed with a certificate, it does not have to be a Google-issued certificate. You can even self-sign the application with an anonymous certificate. To make matters worse, applications may be posted on the Android Market without vetting by Google, and publishing applications through other channels, such as the developer’s website, is also allowed. As a result, an attacker can potentially attach malicious code to a legitimate application, self-sign it and publish it on a website, and non-tech-savvy users probably will not notice the difference. Android is therefore more prone to attacks through polymorphic malware and trojanized legitimate applications.

Encryption
Encryption is the technique used to prevent data loss through unauthorized access. Without the decryption key, the data will look like garbage.

On the latest iOS devices, all data stored in the internal flash memory is encrypted using hardware-accelerated AES-256 encryption. iOS automatically decrypts the data when it is read. Other data such as email and attachments can be secondarily encrypted with a user passcode. However, such an encryption scheme provides only little protection. A simple jailbreak will allow the attacker to read most of the data, including stored passwords, because iOS keeps a copy of the decryption key around to decrypt data for the applications running in the background.

Until the recent Android 3.0 release, there was no built-in encryption support on Android devices, which means most of the Android devices on the market rely solely on the application to conceal sensitive data using the Java encryption API. Otherwise, all data is stored unencrypted on the device. So Android isn’t any better in terms of data loss protection.

Isolation (Sandboxing)
Sandboxing is the technique used to limit access to data and systems. Applications are therefore isolated from each other and the OS.

Applications running on iOS can only access a limited set of data such as contacts, calendar and the device ID, and they are blocked from accessing the email and SMS inboxes. User input is required if they want to do more, such as initiating phone calls and sending SMS messages. Also, applications are limited to user mode and are blocked from accessing other applications’ data or enumerating other applications and the OS. This isolation model is effective at keeping applications from causing too much mischief, but at the same time it also limits the ability to create iOS security applications.

Android, on the other hand, relies on its Dalvik virtual machine to enforce the isolation. Just like on other Java-based platforms, each application on Android runs within its own virtual machine, which is isolated in its own process. Applications are also limited to user mode and are blocked from accessing most system services by default. Although Android limits an application’s access to other applications’ private data, it allows applications to enumerate and examine other applications’ code. Also, data stored on the external SD card can be read by all applications by default. With the exception of the SD card, Android has an even stricter default isolation model than iOS, and the ability to access other applications’ code makes it easier to create security applications.

Permission-based Access Control
Permission-based access control is the technique used to limit access to the data and systems to the ones granted by the policy.

Apple hardwires the access policy into iOS. The only exceptions are the permissions to access the GPS location data, receive alert notifications, initiate phone calls, and send out emails and SMS messages, for which the application can prompt the user and request permission. So iOS applications do not really have any control over most of their permissions.

Unlike iOS, Android applications may request granular permissions to almost every subsystem. Developers explicitly state the set of permissions at compile time, and the user can either accept or reject all permissions at install time. While this approach provides greater flexibility to application developers, it also relies on the user to decide whether it is safe to grant the requested permissions. With over a hundred different permissions an application can request, it is difficult for an average user to make such a security decision. This leaves a giant security hole in Android.
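To make the install-time decision described above concrete, here is an added example (not from the original post or from Google's tooling) that lists the permissions an application declares in its manifest and flags the ones a reviewer would look at first. The sample manifest, the `SENSITIVE` notes and the "private data plus network" heuristic are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
P = "android.permission."

# Constructed sample: a "flashlight" app that asks for far more than a camera LED.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Flashlight"/>
</manifest>"""

# Reviewer's notes on real Android permission names (the notes are assumptions).
SENSITIVE = {
    P + "READ_CONTACTS": "reads the address book",
    P + "READ_SMS": "reads the SMS inbox",
    P + "SEND_SMS": "sends SMS without the messaging UI",
    P + "CALL_PHONE": "places calls without the dialer",
    P + "ACCESS_FINE_LOCATION": "reads GPS location",
    P + "WRITE_EXTERNAL_STORAGE": "writes to the shared SD card",
}
# Permissions that expose private data; combined with INTERNET it can leave the device.
READS_PRIVATE_DATA = {P + "READ_CONTACTS", P + "READ_SMS", P + "ACCESS_FINE_LOCATION"}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated <uses-permission> names in a manifest."""
    root = ET.fromstring(manifest_xml)
    attr = "{%s}name" % ANDROID_NS  # android:name in ElementTree notation
    return sorted({e.get(attr) for e in root.iter("uses-permission") if e.get(attr)})

def audit(manifest_xml):
    """Summarise what the user is asked to accept as one all-or-nothing bundle."""
    perms = requested_permissions(manifest_xml)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": perms,
        "sensitive": [(p, SENSITIVE[p]) for p in perms if p in SENSITIVE],
        "data_plus_network": (P + "INTERNET") in perms
                             and any(p in READS_PRIVATE_DATA for p in perms),
    }

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(report["package"], "requests", len(report["permissions"]), "permissions")
    for name, note in report["sensitive"]:
        print("  review:", name, "-", note)
    print("  private data + network access:", report["data_plus_network"])
```
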

After reviewing the security features of both mobile operating systems, it is obvious that they are different systems. Although both platforms are designed with security in mind, users cannot rely solely on these security features to protect their data, as there are weaknesses in both platforms that could open them up to attacks. While it is convenient to use these mobile devices to stay connected, users should also be aware of the security implications and be more educated about mobile security so that they can better safeguard their data.


2 comments:

  1. This is a very informative blog because I never heard about this topic related blogs. It gives immense pleasure while reading your blog. Still I need to learn more regards to these topic.

  2. After reading the complete article I find that security is demanded in every field, whether it's a simple mobile device or a software tool that is running in a large business organization. In the above article you have provided a clear difference between the security mechanism that is implemented in iOS and Android.
    digital signatures
