Symantec smartphone security comparison offers mixed results

Big Yellow’s new smartphone security comparison paper says iOS and Android devices can be secured, but dual consumer-business use presents risks.

A new white paper from one of the industry’s biggest security vendors -- offering a smartphone security comparison of Apple’s iOS platform and Google’s Android platform -- concludes enterprises can secure these devices, but growing dual consumer-business use presents ongoing risks.

At first glance, Android’s permission system seems to be extremely robust, enabling software vendors to limit an application to the minimal set of device resources required for operation.

Symantec Report

The paper, written by Symantec Research Fellow Carey Nachenberg, one of the security giant’s chief technology gurus, reviews the security of the two operating systems, assessing their relative security functions. It concludes that, “these platforms have been designed from the ground up to be more secure—they raise the bar by leveraging techniques such as application isolation, provenance, encryption and permission-based access control.”

In other words, both iOS and Android (which trace their lineage respectively from Unix and Linux) contain a lot of built-in security that, in the Windows PC world, has to be bolted on afterwards.

Nachenberg concludes that both iOS and Android can be used fairly securely in corporations, and the emerging tools to help manage them will also increase their acceptability on the corporate network.

Apple’s tight control of application approval is seen as a major boon for iOS security, but Nachenberg contends that Android counters with finer-grained levels of security, if managed and configured properly. That may come as a surprise to many CISOs who have hitherto regarded Android as being too dangerous to support.

However, since they are both intended to be easy to use for the consumer, they open up new vulnerabilities as they begin to double as a work tool as well as a personal communicator.

And, as the report says, mobile devices form part of a broader ecosystem, and are usually synchronised with at least one public cloud-based service, such as Mobile Me or DropBox, that is outside of the corporate network administrator’s control, as well as synchronising with a home computer.  “In both scenarios, key enterprise assets may be stored in any number of insecure locations outside the direct governance of the enterprise,” it says.

The mobile device renaissance
The UK launch of the Apple iPad in April 2010 marked a turning point for security professionals. Before the launch, they could  contain the ambitions of their mobile users to Windows-based laptops and BlackBerry devices.

But the last year saw a drastic change. Suddenly users began demanding access to corporate systems from not only their iPads, but also a rapidly growing range of other mobile devices, and security professionals are now being asked to mitigate any potential security risks posed by this new multi-platform mobile world.

While Windows Mobile and Symbian are still significant operating systems for mobile devices, it is Apple’s iOS and Google’s Android that now dominate new device sales in the consumer market. According to data released last month by IDC, Android-based devices now dominate the worldwide market with a 39% share, and will continue to lead with nearly 44% of the market in 2015, while iOS currently has about 18% of the global market.

Perhaps in acknowledgement of that expected growth, the paper does envisage a fast-growing market for security tools to manage both mobile platforms, including:

  • Mobile data management tools that enable enterprises to enforce policies on devices, such as strong password policies.
  • Enterprise sandboxing where employees can securely access enterprise resources such as email, calendar, contacts, corporate websites and sensitive documents.  The advantage of this is any data sent to the device is encrypted and is effectively separate from the users’ personal data. The disadvantage is it forces the user to use different apps to access company data.
  • Secure browsers, which check against a blacklist of known infected sites and block access to infected pages.
  • Mobile antivirus – only currently available for Android, because the strict application isolation in iOS makes it impossible to implement.
  • Data loss prevention – this would have limited scope in both platforms, because of the way they isolate applications from each other.

Nachenberg’s smartphone security comparison ranked both operating systems against four main security criteria: access control, application provenance, encryption and sandboxing of applications.

Access control
iOS provides traditional access control security options, including password configuration options as well as account lockout options, putting it on a par with a Windows PC.

Android password-policy system is good enough to protect devices against casual attacks, but there is one current gap in the defences. Since current versions of Android do not encrypt data stored on its removable SD memory card, an attacker could remove the card and read its contents on another device.

Application provenance
Apple’s tight control over its App Store provides users with a high level of assurance, provided the device has not been jailbroken or deliberately rigged to enable administrator-level privileges. Developers must register with Apple to prevent the introduction of malware that will break the application’s digital signature and prevent it from working.

Android’s open approach to app development allows malware writers to work without being vetted. As the paper points out, this has already opened up Android to attack; malicious hackers, for example, can take a legitimate application, strip out its legitimate signature, inject malware and then resign it using an uncertified digital signature. The infected app can then be distributed via either the Android marketplace or third-party websites.

Apple uses hardware-accelerated encryption for all data stored in the flash memory of the device, and adds another layer of encryption for specific data items such as email.

This allows a rapid remote wipe to take place if a device is stolen, since the destruction of the encryption key will make the data unreadable.  The paper does, however, explain how an attacker with a jailbreaking tool could get access to data held on the device without knowing the passcode.

Android 3.0 offers built-in encryption, but earlier versions, which are currently powering most current Android devices, don’t offer encryption, which means an SD memory card can be stolen and read.

Application sandboxing
The design of iOS provides a high level of separation between apps and the operating system. Apps cannot view or change each other’s data or logic or gain root-level access to install their own drivers. Apps are also prevented from sending SMS messages or initiating or answering phone calls without the user’s participation.

However, apps do have access to some shared resources, such as calendar, address book, camera and microphone. They can also access the wireless Internet.

With Android, each app runs within its own virtual machine and each virtual machine is isolated in its own Linux process.  This model ensures no process can access the resources of any another process.

Android apps can do little without explicitly requesting permission from the user to do so. For example, if an app wants to communicate over the Internet, it must request permission from the user, otherwise the default isolation policy blocks it from initiating direct network communications.

Each app contains an embedded list of permissions that it needs in order to function, and these permissions are given by the user at installation.

“At first glance, Android’s permission system seems to be extremely robust, enabling software vendors to limit an application to the minimal set of device resources required for operation,” the report concludes. “The problem with this approach is it relies upon the user to make all policy decisions and decide whether an app’s requested combination of permissions is safe. Unfortunately, in the vast majority of cases, users are not technically equipped to make these security decisions.”

The full paper, entitled “A Window into Mobile Device Security: Examining the security approaches employed in Apple’s iOS and Google’s Android,” is downloadable for free at Symantec’s website.

Read more on IT risk management