Apple rigorously scrutinizes applications before publishing them on its AppStore site, often rejecting apps that violate the company’s security and usability policies. Given this practice, it’s easy to assume that iOS mobile devices (iPhones, iPads, iTouch) are more secure than their Android counterparts.
But there’s more to this story. Veracode, maker of application risk management software, published a useful infographic that contrasts iOS and Android security. The bottom line is both mobile operating systems have strengths and weaknesses when it comes to security that you should be aware of.
Common Security Features
To a great extent iOS and Android devices are more secure than PCs. For one thing, each application installed on either platform must be granted your permission to access data that resides on your smartphone.
Laptops on the other hand usually require only that you are logged in as a particular user that has been granted permission to install applications and access system wide data. Once granted this permission exists for the lifetime of that user account. Malware that assumes the identity of this privileged user can likewise access data on the laptop without asking for permission to do so.
Applications running on iOS and Android cannot access mobile device hardware directly. Normally malware attacks the operating system, but last year there was a report of next generation malware that attacks the code contained in PC firmware. The attack involved using diagnostic software for PC network cards to install custom code into the firmware that allows a hacker to run malicious code on the PC victim. This sort of breach is much more difficult to do on an iOS or Android device.
More on Android Security, Pro and Con
When installing an Android application, you are prompted to accept the installation. You must give permission to the marketplace you a downloading from to allow the installation. With this scheme, it is not possible to remotely install and run undesirable applications that would have done damage to the device, like auto-erase the files or geo-locate the phone, and you, without your knowledge.
On the minus side, it is well known that Google does not check the security of apps before publishing on the application marketplace, which greatly increases the chance of picking up malware on your Android phone. On several occasions Google has had to scramble to pull malicious apps off the marketplace. It’s safe to say there is a greater likelihood you could pick up a malware laden app from the marketplace.
You can mitigate this risk to a certain degree by checking the legitimacy of the Android app source.
More on iOS Security, Pro and Con
In addition to Apple’s security testing of apps prior to AppStore publication, the iOS has permission-based access control for protected features that is enforced at runtime. For example, when an app wants to track the location of your iPhone, iOS prompts you to allow or deny location tracking.
If one of your iOS devices is lost or stolen, you can find it from another iOS device with the free Find My Phone app. You just register your devices with Apple and then when one of them goes missing you can use Find My iPhone to find it on a map, remotely lock it, or completely erase all the data on the device.
But, it’s not all rosy for iOS, as Apple has had to withdraw malicious apps from the AppStore after allowing them to be published. Last year, security expert Charlie Miller published a proof-of-concept app that exploited a security flaw in the iOS Safari browser, enabling his app to download and run malicious code that could be used to steal data from victims. The scary thing is that Miller’s app passed Apple’s security screening process the first time around. Apple only pulled it from the AppStore AFTER realizing the potential security risks it posed for users.
Every iOS device running a version of the operating system lower than 4.3.5 is susceptible to SSL man-in-the-middle-attack, which is made possible by weak validation of certificates for SSL (secure sockets layer) network connections.
The problem may be all the more serious if you have a device that cannot be upgraded to the latest iOS. Apple simply won’t allow certain categories of devices to be upgraded. You can’t upgrade an older 3G iPhone to the full iOS 4.x, which means these phones are permanently saddled with all the vulnerabilities that came with pre-4.x iOS, including the SSL man-in-the-middle-attack.
In all fairness to iOS and Apple, there are many older Android phones that are orphaned, left behind because their hardware was not compatible with more modern versions of the Android operating system. Not everybody races to upgrade to the latest mobile phone hardware, so users who can’t or don’t want to upgrade their phones every couple of years will eventually be stuck with permanently vulnerable devices.
So What’s the Answer?
For my money, iOS has better security features than Android due to Apple’s pre-publication security testing and the platform’s overall resistance – but not immunity – to malware.
To cover the gaps in Android security, Trend Micro™ Mobile Security Personal Edition provides application scanning, call and texting security, and lost device protection. For iOS protection, you can use Trend Micro™ Smart Surfing for iPhone, which is a free mobile browser that blocks access to malicious websites and provides protection against phishing attacks.
Mobile smartphones are increasingly becoming targets for malware, but if you understand the extent to which your device is vulnerable, keep your mobile operating system up-to-date, and use the right anti-malware tools, you can travel safely on the mobile Internet.
I work for Trend Micro and opinions expressed here are my own.
