Symantec finds big differences in iOS, Android security

Apple, Google mobile software built from ground up for security, but still might fall short for enterprises

By , Network World
June 28, 2011 10:39 AM ET

Network World - Apple iOS and Google Android have some big differences when it comes to mobile security, creating distinct potential vulnerabilities for enterprises embracing devices running these operating systems, according to analysis by Symantec.

In some ways, the analysis concludes, mobile security for both platforms is superior to that of traditional PCs, because both were designed from the outset with security in mind. At the same time, their security features often do not yet add up to the protection enterprises might need.

The report, "A Window into Mobile Device Security," was prepared by Carey Nachenberg, Symantec fellow and chief architect of Symantec's Security Technology and Response (STAR) division. An 18-year veteran of the vendor, Nachenberg oversees the technical strategy for all of the company's core security technologies and content.

"We set out to analyze the core security architecture of iOS and Android," he says. "To analyze how secure they are, their potential vulnerabilities, and [determine] what is the state of security for these devices."

Both platforms have what Nachenberg calls "traditional access control" via passwords, and both allow administrators to set password policies. Apple iOS has an edge here, because it offers more options for protecting data, such as automatically wiping a device of data after a specified number of password attempts.

One of the biggest differences between the two operating systems is their approach to what Nachenberg calls "application provenance" -- identifying, certifying and vetting an app before it's published in the appropriate online catalog.

Apple's approach currently is far more stringent than Google's, he says. Every iOS developer has to register, every submitted app is reviewed by Apple, "but how is not disclosed," Nachenberg says. Then it's published in the iTunes App Store, which acts as the certificate authority to "sign" the app, and is the only source for iOS applications (unless the iPhone or iPad has been "jailbroken," a process that lets the user then load iOS apps from any source). Apple provides an option for corporate users: a signing certificate that lets them internally distribute iOS apps to their users, without publishing them publicly in the App Store.

For Android, the approach is completely different. "In effect, Google lets you create your own [signing] certificate and public/private key pairs," says Nachenberg. "There is no vetting of apps posted on the Android Marketplace. And apps can be sideloaded from any other website."

"Apple gets the edge in this category," he says.

On-device data encryption is also different between the two platforms. Apple offers built-in hardware encryption for all on-device data. The key to unscramble the data is stored on the device, but currently it is not protected by the user's passcode. That means, Nachenberg says, that if an attacker gains physical control of the device and jailbreaks it, then "iOS is very happy to decrypt all that data for the attacker."
