It seems like a technological version of Top Trumps, with the two biggest mobile operating systems going head to head, battling each other on a topic which is of the utmost importance in this day and age when we all consume and handle so much sensitive data: security! When new Apple CEO Tim Cook took the stage in October of last year for the iPhone 4S keynote, he took the opportunity to slip in a few statistics relating to the worldwide adoption of iOS devices.
He revealed that the Cupertino-based company had sold more than 250 million iOS devices since the launch of the original iPhone in 2007. As iOS is the operating system which powers Apple’s portable units, we can only assume that the quarter of a billion figure covers iPhones, iPads, iPod touches and the second generation Apple TV. On the other side of the fence sits Android, the operating system supplied to the masses by Google. Their Chief Executive Officer, Larry Page, also announced that they had flicked the switch on just over 190 million Android activations, with Google preferring to call it that as opposed to sales. In most cases, and certainly in this instance, the statistics don’t lie, but then they don’t always paint a fair comparison either, considering iOS had a full sixteen-month head start on Android. The other important factor to look at when comparing the numbers is that Apple only includes iOS on a small number of devices, whereas Android is used to power literally hundreds of different gadgets, so I think it is fair to say that in terms of worldwide adoption, iOS is still dominant, at least for now.
But just how do the two operating systems compare against each other from a security point of view? Security research firm Veracode have produced a very interesting infographic which highlights some of the more important and interesting comparisons.
First of all, let’s start with the similarities between the two platforms, and the security features which they both share. Android and iOS both have what is known as traditional access control, basically the method by which users get access to the device and put the device to sleep or lock it. They both also have access control settings to add or remove permissions for applications, meaning users can limit an application’s ability to access certain services or data. Something which was surprising to me was the limited access to the hardware which the two operating systems have. Both platforms contain a number of layers of intermediary software which act as a go-between for the OS and the underlying hardware. Finally, both iOS and Android have built-in contingencies to resist web-based attacks, should they occur.
One area of public debate is the methods of distribution for applications. Android users often slate Apple for the draconian rule it has over developers and the way in which applications are submitted. All developers must submit a binary package to Apple for their team of engineers to inspect and approve for App Store distribution. This can result in longer wait times before publication, and in some instances can result in rejection and the failure to reach the App Store. Android, on the other hand, has many more avenues available to developers, with the platform being able to support more than one application market and the mass distribution of over-the-air applications being an option. However, it isn’t uncommon for Apple to approve an application for sale, only to then decide it breaks one of their rules and subsequently remove it without warning.
So now we move on to the strengths and weaknesses of both of the OSes. Both platforms operate with permission-based access control systems in place, as mentioned earlier on. However, the two models approach this from different angles. As an example, if a user on iOS is using an application that requires the use of their location, the app is required to provide an on-screen alert requesting permission to access the user’s current location. If that user denies the request, and the application is dependent on actually receiving the green light, then the app can fail and be rendered totally useless. On the other side is Android’s model, which presents the user with a list of the application’s permission requirements at the point of downloading. The user must then decide whether to proceed with the download and ‘grant’ permission.
Two quite important security features within iOS are the geo-location and auto-erase abilities. If you are struggling to imagine these in a real world scenario, just think of the Find My iPhone application provided free of charge by Apple. The app allows users to locate a lost device should the need arise, and then remotely wipe all of the data on that device. If that isn’t possible, the data will automatically be wiped if the device has slipped into the wrong hands and that person enters the passcode incorrectly ten times.
And what about weaknesses? Well, both platforms have plenty, but then doesn’t most software? An example cited in the infographic is the vulnerability of Apple devices running a version of iOS lower than 4.3.5 to an SSL MITM (man-in-the-middle) attack, which hackers can exploit with little effort. This is particularly important because certain Apple devices are not actually permitted to upgrade to a higher firmware due to their age and therefore will always remain susceptible. The same update issue is relevant to Android devices, as millions of devices that are still under contract cannot be updated to the latest version of the OS. Android also suffers from a marketplace which is the equivalent of a warzone. The Android Market has a minuscule amount of security in place, and Google allows pretty much any application to be submitted to the market for sale or download. Unlike Apple, Google does not check the security or validity of any applications prior to them going up for sale.
The infographic contains other very interesting bits of information, so make sure to check it out thoroughly, and read the smartphone tips included to protect you and your device. On a more positive note, leading security company Symantec concede that although both platforms have their security vulnerabilities, they both offer a substantially higher level of security than their PC counterparts.
For a higher resolution version, check out the infographic on the Veracode Application Security site.