Apple's iOS more secure than Google's Android, says Symantec
Symantec this week published "A Window Into Mobile Device Security," a 23-page document that details the security approaches employed by Apple and Google in their respective mobile operating systems. It also offers a closer look at past and possible future security holes found in the iOS and Android platforms.
In a head-to-head comparison, Symantec found that Apple's iOS is more secure than Google's Android. Specifically, iOS was characterized as having "full protection" against malware attacks, while Android was deemed to have "little protection."
iOS also has more protection than Android against resource abuse and service attacks, data loss, and data integrity attacks. Apple's platform was also found to have greater security feature implementation in the categories of access control, application provenance, and encryption.
In fact, Google's Android platform only topped iOS in one security category: isolation. There, Android received the highest marks, while iOS was said to offer "moderate protection."
In specifically discussing iOS, Symantec's report concluded that Apple's "provenance approach" acts as a strong security barrier, as every app that is to be released on the App Store goes through vetting procedures. This, according to the paper, has âproved a deterrent against malware attacks, data loss attacks, data integrity attacks, and denial of service attacks."
The report characterized iOS as "well designed and thus far...has proven largely resistant to attack."
However, Symantec did find vulnerabilities within iOS, namely 200 different security holes dating back to 2007. While any vulnerability is a weakness, the bulk of issues were found to be of lower severity, which, according to the report, would allow the assailant to "take control of a single process but not permit the attacker to take administrator-level control of the device."
The study did discover security concerns that could allow entry to administrator-level control, and were therefore of the highest severity. If an attacker had administrator-level control, it would reward them with access to "virtually all data and services on the device," Symantec wrote in the report.
Synamtec's report highlights what is likely the most public example of an iOS security breach, the iPhoneOS.Ikee worm released in November 2009. But that worm only affected devices that users have willingly "jailbroken," a term used to describe a warranty-voiding process that allows users to install unauthorized software on their iPhone, and something that Apple explicitly tells its customers is a major security concern.
Also highlighted in the report is iOSâs isolation model. While iOS "totally prevents traditional types of computer viruses and worms, and limits the data that spyware can access," Symantec said it does not "prevent all classes of data loss attacks, resource abuse attacks, or data integrity attacks."
Lastly, iOSâs permission model can safeguard access to the devices location as well as the SMS and Phone applications. This stops the attacker from knowing where you are, being able to send SMS messages, and phoning numbers without your consent.
As for Android, Symantec found that although Google's mobile operating system is a considerable improvement over traditional desktop operating systems, it has two extreme weaknesses.
First, the provenance system in place "enables attackers to anonymously create and distribute malware," they found. In addition, its permission system "relies upon the user to make the important security decisions," and considering most of Android users are not of high technical capability, this causes problems.
During February this year, Sophos security researchers encouraged Google to cancel its over-the-air installation of apps. They urged Google because they expected it would allow the swift and quiet installation of malware to unsuspecting Android users.
Sophos warned that as soon as the "install" button was pressed on the website, the application would be installed on the device in the background, without any input from the user.
The review concluded that "mobile devices are a mixed bag when it comes to security." While they may have been built to be secure, they are made for the consumer market, which has has led to less security for more usability.