Apple's iOS more secure than Google's Android, says Symantec

Posted in iPhone, edited January 2014
iOS, the mobile operating system that powers Apple's popular iPhone and iPad devices, offers more protection than its Android counterpart, the security experts at Symantec have concluded in a newly published report.



Symantec this week published "A Window Into Mobile Device Security," a 23-page document that details the security approaches employed by Apple and Google in their respective mobile operating systems. It also offers a closer look at past and possible future security holes found in the iOS and Android platforms.



In a head-to-head comparison, Symantec found that Apple's iOS is more secure than Google's Android. Specifically, iOS was characterized as having "full protection" against malware attacks, while Android was deemed to have "little protection."



iOS also has more protection than Android against resource abuse and service attacks, data loss, and data integrity attacks. Apple's platform was also found to have greater security feature implementation in the categories of access control, application provenance, and encryption.



In fact, Google's Android platform only topped iOS in one security category: isolation. There, Android received the highest marks, while iOS was said to offer "moderate protection."



In specifically discussing iOS, Symantec's report concluded that Apple's "provenance approach" acts as a strong security barrier, as every app that is to be released on the App Store goes through vetting procedures. This, according to the paper, has "proved a deterrent against malware attacks, data loss attacks, data integrity attacks, and denial of service attacks."



The report characterized iOS as "well designed and thus far...has proven largely resistant to attack."







However, Symantec did find vulnerabilities within iOS, namely 200 different security holes dating back to 2007. While any vulnerability is a weakness, the bulk of issues were found to be of lower severity, which, according to the report, would allow the assailant to "take control of a single process but not permit the attacker to take administrator-level control of the device."



The study did discover security concerns that could allow entry to administrator-level control, and were therefore of the highest severity. If an attacker had administrator-level control, it would reward them with access to "virtually all data and services on the device," Symantec wrote in the report.



Symantec's report highlights what is likely the most public example of an iOS security breach, the iPhoneOS.Ikee worm released in November 2009. But that worm only affected devices that users had willingly "jailbroken," a term used to describe a warranty-voiding process that allows users to install unauthorized software on their iPhone, and something that Apple explicitly tells its customers is a major security concern.



Also highlighted in the report is iOS's isolation model. While iOS "totally prevents traditional types of computer viruses and worms, and limits the data that spyware can access," Symantec said it does not "prevent all classes of data loss attacks, resource abuse attacks, or data integrity attacks."







Lastly, iOS's permission model can safeguard access to the device's location as well as the SMS and Phone applications. This stops an attacker from knowing where you are, sending SMS messages, or phoning numbers without your consent.



As for Android, Symantec found that although Google's mobile operating system is a considerable improvement over traditional desktop operating systems, it has two extreme weaknesses.



First, the provenance system in place "enables attackers to anonymously create and distribute malware," they found. In addition, its permission system "relies upon the user to make the important security decisions," and considering that most Android users are not of high technical capability, this causes problems.



During February this year, Sophos security researchers encouraged Google to cancel its over-the-air installation of apps, because they expected it would allow the swift and quiet installation of malware on the devices of unsuspecting Android users.



Sophos warned that as soon as the "install" button was pressed on the website, the application would be installed on the device in the background, without any input from the user.



The review concluded that "mobile devices are a mixed bag when it comes to security." While they may have been built to be secure, they are made for the consumer market, which has led to less security for more usability.

Comments

  • Reply 1 of 25
    mac.world Posts: 340 member
    One word: Duh
  • Reply 2 of 25
    cloudgazer Posts: 2,161 member
    I'm curious what Symantec would have viewed as defence against Social Engineering Attacks. Full fledged AI?



    I can't let you install that malware Dave.
  • Reply 3 of 25
    apple ][ Posts: 9,233 member
    Shocker.



  • Reply 4 of 25
    plokoonpma Posts: 262 member
    Nothing new... Make me laugh "back in 2007" "jailbreak"

    Really?? 2011 now and for the jailbreak... geez.. not official = great risk someone is collecting your data. At least now the iPhones in US can be acquired legally unlocked.
  • Reply 5 of 25
    j.r. Posts: 27 member
    Quote:
    Originally Posted by cloudgazer View Post


    I'm curious what Symantec would have viewed as defence against Social Engineering Attacks. Full fledged AI?



    I can't let you install that malware Dave.



    Lol. Well done, sir.
  • Reply 6 of 25
    blastdoor Posts: 3,277 member
    Quote:
    Originally Posted by Mac.World View Post


    One word: Duh



    My thought exactly.



    I guess the news here is that one of the antivirus guys actually admitted it.
  • Reply 7 of 25
    Quote:
    Originally Posted by Mac.World View Post


    One word: Duh



    Aww that was gonna be my post.
  • Reply 8 of 25
    monstrosity Posts: 2,234 member
    Quote:
    Originally Posted by Blastdoor View Post


    I guess the news here is that one of the antivirus guys actually admitted it.



    Sure makes a change!

    Some of the biggest idiots I know are security guys. Biggest bullshitters in the business.
  • Reply 9 of 25
    jexus Posts: 373 member
    Now that we all know the obvious result of which almost anyone could have seen coming from a mile away....let's wait for next year's PWN2OWN, and see if things are any different, than this year's.
  • Reply 10 of 25
    cloudgazer Posts: 2,161 member
    Quote:
    Originally Posted by Jexus View Post


    Now that we all know the obvious result of which almost anyone could have seen coming from a mile away....let's wait for next year's PWN2OWN, and see if things are any different, than this year's.



    Oh I'm sure there are still a few holes left in Safari, but then I'm also sure that iPhones are more likely to be updated than Android phones - since the OS doesn't have to get filtered down to users in the same way.
  • Reply 11 of 25
    msimpson Posts: 452 member
    With so many vulnerabilities on the servers that mobile devices connect to, why bother attacking individual phones? The list of security breaches in just the last 6 months has been incredible. Until companies do a better job of protecting their customers' data, hackers will focus on the servers. Lots of data to be stolen all in one place.



    But mobile devices certainly will be targets for attacks, but it will probably be by small groups of low-skilled thieves who now do things like steal credit cards, buy stolen credit card numbers off the Internet or write hot checks. As more individuals start carrying around all the personal information on their mobile device, including access to personal bank and financial accounts, they will be attacked. That is where the Apple controlled eco-system will help. It is harder for someone to slip in hidden code which might provide a backdoor to a hacker. With Android there will be more malware and rootkits created that criminals who could not code a line of software will be able to download and use to craft tools to attempt to steal info off mobile devices. Expect to see a lot more man-in-the-middle attacks where hackers attempt to fool mobile devices and their owners. That goth kid at the corner table at Starbucks could be using his Android wi-fi hotspot capabilities to spoof the free wi-fi network - so your phone connects to his phone and he captures all your wi-fi traffic while you surf the web.
  • Reply 12 of 25
    anantksundaram Posts: 20,404 member
    Quote:
    Originally Posted by Apple ][ View Post


    Shocker.







    Is that a picture of Andy wearing a condom?
  • Reply 13 of 25
    solipsism Posts: 25,726 member
    Surely this is security through obscurity since Android-based devices are activated more than iOS-based devices¡
  • Reply 14 of 25
    cloudgazer Posts: 2,161 member
    Quote:
    Originally Posted by msimpson View Post


    With so many vulnerabilities on the servers that mobile devices connect to, why bother attacking individual phones? The list of security breaches in just the last 6 months has been incredible. Until companies do a better job of protecting their customers' data, hackers will focus on the servers. Lots of data to be stolen all in one place.



    Imagine a botnet of 100 million mobile devices.
  • Reply 15 of 25
    vvswarup Posts: 336 member
    Symantec did not come out and say "iOS is more secure than Android." They compared the two OSs on a set of specific aspects, like malware protection and data integrity.



    Symantec affirmed that the "curated App Store" works in protecting against malware. But Symantec mentioned that encryption is a weakness in iOS.



    Here's a link to a story on MacWorld:



    http://www.macworld.com/article/1608..._security.html.



    To say that "iOS is more secure than Android" is oversimplifying things and taking them completely out of context. There are many aspects to security.
  • Reply 16 of 25
    macrulez Posts: 2,455 member
    deleted
  • Reply 17 of 25
    macrulez Posts: 2,455 member
    deleted
  • Reply 18 of 25
    jexus Posts: 373 member
    Quote:
    Originally Posted by MacRulez View Post


    Do you think it'll differ much from the one last March?



    To be fair..didn't the Chrome hackers not show up for this year's competition?
  • Reply 19 of 25
    irnchriz Posts: 1,617 member
    In other news, water is wet......
  • Reply 20 of 25
    markb Posts: 153 member
    Quote:

    Here's how the International Business Times summed it up in a way that more accurately reflects the report as a whole:



    Seriously you think that was better? A paragraph and a half FUD piece, also with no link to the original article? And with none of the data from the article? If anything their take on it seems to favor Apple over Google in this area