Apple’s iOS and Google’s Android mobile operating systems may have been built with security in mind, but both companies’ efforts to appease consumer wants have also compromised business security needs, says a report recently released by Symantec Corp.
Today’s mobile devices are a “mixed bag,” according to Carey Nachenberg, vice president and chief architect of the Security Technology Response division at Symantec Corp. “On one hand, these platforms have been designed from the ground up with security in mind… however they may be insufficient to protect the enterprise assets that regularly find their way onto these devices.”
Nachenberg’s report, entitled A Window into Mobile Device Security, looks into the strengths and weaknesses of the divergent security approaches used in Apple’s iOS and Google’s Android.
“Virtually all of today’s mobile devices operate in an ecosystem, much of it not controlled by the business – they connect and synchronize out-of-the-box with third party and cloud services and computers whose security posture is unknown and outside the enterprise’s control,” said the Symantec executive.
iOS vs. Android
iOS, which powers the iPod, iPhone and iPad devices, is a slimmed down version of Apple’s Mac OS X. OS X is Unix-based and traces its roots to NeXT Corp.’s Mach operating system and the FreeBSD variant of Unix, the Symantec report said.
The iOS security model, the report said, is based on four elements: traditional access control, application provenance (a vetting process for app publication), encryption and isolation.
Android is a coupling of the Linux operating system and a Java-based platform called Dalvik. “Essentially, software developers write their apps in the Java programming language and then use Google tools to convert their resulting Java programs to run on Dalvik on Android devices,” the report said.
Android’s security approach is based on: traditional access control, isolation and a permissions-based model.
While both systems use traditional access controls such as user passwords and administrator control over password policies, Apple has an edge over Google because of two key issues, according to Claudiu Popa, an independent security and privacy expert based in Toronto and principal of Informatica Corp., a company that provides risk assessment, security management, compliance and corporate education programs.
“Apple has a much tighter application approval and publishing process and more data protection options,” Popa told ITBusiness.ca.
For example, Popa said, the iOS devices have remote data wiping and automatic data wiping after a specified number of password attempts have failed.
Developers of iOS apps need to register and submit their apps for review by Apple. When the app is approved it is published in the iTunes App Store, which is the only source for iOS applications (unless the iPhone, iPod or iPad device is jailbroken).
Corporate Apple device users also have the option of using a signing certificate that lets them internally distribute iOS apps among internal company users without publishing to the App Store.
“Google on the other hand appears to have more handling of security out-of-the-box, but stumbles on its application validation process,” Popa said.
There is no vetting of apps posted on the Android Marketplace and Android apps can be “sideloaded” from other Web sites. This approach, according to Popa, may be one of the reasons Android devices are popular but it also opens up the platform to a multitude of risks.
Device data encryption
Apple offers built-in hardware encryption for on-device data. The key to decrypt the data is stored on the device but not protected by a user passcode. Attackers that get hold of the device can easily unscramble the data inside, said Nachenberg of Symantec.
Apple, however, uses another form of encryption that applies to contents and attachments in the email inbox. This is only available if the user logs into the device.
Android 2.2 and 2.3, which are the most commonly deployed OS versions, have no device encryption. Android 3.0, which is used in some newer tablets, has an encryption option, but users need to turn it on, said Nachenberg.
Sandboxing
Sandboxes serve as an isolation environment in which, through permission-based controls, users are able to access resources such as email, calendar, contacts and company Web sites.
Sandboxes can prevent certain actions in all cases, allow other actions in all cases, and enable users to approve or block some actions.
Nachenberg said that in iOS, apps are not allowed to read or write data belonging to other apps or to the OS. Apps have limited access to the OS kernel and to data on the SIM card. However, apps can perform many actions without telling the user. For example, apps can access the device microphone, camera, the Internet, or device identifiers such as phone numbers, as well as calendar events, media files and browser history, all without issuing user prompts.
In iOS, user permission is needed only when an app wants to send an SMS or email, use the GPS location, or make a call.
For both iOS and Android, data associated with each application remains private to that application.
But with Android, an app can read the entire contents of an SD card including sensitive company data that may be in it, said Nachenberg.
By default, Android apps, unlike iOS ones, are blocked from accessing a battery of system services unless explicitly granted permission by the user. When the app installs, the user is given a list of permissions, for example, “will you let this app send silent SMS messages without your permission.” But there’s a catch, says Nachenberg. “It’s all or nothing,” he says. “You can’t select what the app will do and not do.”
So Android gives the user more control over deciding if actions are harmful or not, whereas with iOS this has to be done on a case-by-case basis.
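The install-time, all-or-nothing grant described above is something an IT administrator can check before approving an app. The following script is an added example written for this edit, not code from the Symantec report or ITBusiness.ca: it parses a constructed AndroidManifest.xml, groups the requested permissions by the capability categories the article mentions (SMS and calls, SD card storage, location, sensors, identifiers), and rejects the whole app if any permission in a forbidden group is present, because the user cannot grant the rest and decline that one. The sample manifest, its package name and the grouping are assumptions; the permission identifiers themselves are real Android names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the risk categories the report discusses.
RISK_GROUPS = {
    "messaging_and_calls": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                            "android.permission.CALL_PHONE"},
    "external_storage": {"android.permission.WRITE_EXTERNAL_STORAGE",
                         "android.permission.READ_EXTERNAL_STORAGE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sensors": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "identifiers_and_pim": {"android.permission.READ_PHONE_STATE",
                            "android.permission.READ_CONTACTS",
                            "android.permission.READ_CALENDAR"},
}

# Constructed manifest for a hypothetical note-taking app; not a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission the app receives in full once the user taps Install."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def classify(perms):
    """Map each requested permission to its risk group, or 'other' if ungrouped."""
    report = {}
    for p in perms:
        group = next((g for g, names in RISK_GROUPS.items() if p in names), "other")
        report.setdefault(group, []).append(p)
    return report

def review(manifest_xml, blocked_groups):
    """Apply an admin policy: since the grant is all-or-nothing, a single permission
    from a forbidden group means the whole app must be rejected, not partially allowed."""
    report = classify(requested_permissions(manifest_xml))
    violations = sorted(p for g in blocked_groups for p in report.get(g, []))
    return {"approved": not violations, "violations": violations, "by_group": report}

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST, {"messaging_and_calls", "external_storage"}))
```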
Protect the data not the device
Ideally, Popa of Informatica said, the strengths inherent in both iOS and Android should be present in one operating system. “However, this is difficult to employ because manufacturers need to satisfy the wants of the customers they are targeting.”
Popa thinks a semblance of this can be found in the BlackBerry OS. “BlackBerry devices have a combination of a stringent application validation process and tight sandbox controls.”
These features were the big selling points of BlackBerry devices to the business users that Research in Motion (RIM) targeted. Unfortunately, sticking to this formula also meant losing out on a growing consumer market now hungry for smartphone and tablet devices, Popa said.
Fortunately, some smartphone manufacturers are beginning to listen to IT administrators who have been demanding more device security, said Marc Fossi, manager of research and development at Symantec.
“When the iPhone first came to market it had no enterprise features whatsoever. It was only with the 3G models that remote wiping, Exchange connectivity and VPN were added,” he said.
Fossi said the Symantec report is not meant to highlight which mobile OS is weaker or stronger, but rather is aimed at giving users and IT administrators a clearer picture of each OS’s features and the associated risk. “With this, we hope they can decide which platform suits their business best and what precautions to take.”
In the end, he said, it’s not a matter of protecting the device, but rather protecting the data that resides or runs through it.
(With notes from John Cox, Network World (US))
Nestor Arellano is a Senior Writer at ITBusiness.ca.