Android vs. iOS Security issue

Some time ago, we at Symantec examined two popular platforms - Android and iOS for their safety. Without further addendum, we announce the details of our research.


So, Google and Apple mobile platforms rely to different degrees on the five basic principles of mobile security ...

We presented these principles and features of platform behavior in the table for clarity:

1. Access Control

Each "native" application is a separate process that works directly from the ARM processor; Applications cannot use shared objects (e.g. DLL files);	Each bytecode-based application runs on a separate virtual machine, in a separate Linux process; Applications can have “native” shared objects based on the ARM architecture (eg. DLL files).

2. Checking the origin of applications

Each application must be signed with an official certificate issued by Apple; Applications hosted for general use must undergo a manual / automated review by Apple; Applications hosted for public use must be physically hosted in the Apple App Store; Certified companies can distribute self- developed applications on the devices of their employees, which are covered by the organization’s certificate.

Each application must be signed with a digital certificate; However, self-signing by anonymous certificates is allowed; Applications can be hosted without the consent and verification of Google; Applications can be distributed from any website (by default, from the Android Market).

3. Encryption

iOS stores all data in encrypted format on the device’s SD card; Data is automatically decrypted when read by iOS and applications, no passwords; iOS secondly encrypts email using code protection, blocking access, unless the device is obviously unlocked; Third-party applications can also use encryption using code protection of application programming interfaces (APIs).	Android has built-in encryption of sensitive data (applications, calendar, contacts, passwords, etc.) appeared only from version 3.0; Applications can use Java encryption of application programming interfaces (APIs) to hide data.

With a few exceptions, Apple's approach to determining the origin of applications is very effective. Google’s stiff approach to determining the origin of applications makes Android vulnerable to evolving malware and legal programs attacked by Trojans. Lightweight certification has led to the fact that today you can see a constant increase in the number of malicious programs for Android devices.
Move on:

4. Process isolation

Applications cannot overwrite / read / write other applications / OS / data; Applications are limited to user mode and cannot install drivers; Isolation rules block access to the folders of incoming e-mail and SMS, sending SMS, initiating phone calls, GPS.	Applications can rewrite other applications and examine their source code, but not sensitive data; However, the data stored on the SD memory card by default can be read by everyone; Applications are limited to user mode and cannot install drivers; Applications gain access to most system services only after the user has answered “yes” to the request.

5. Access control by roles

The user must give permission to: access to GPS, enable remote notifications, start phone calls and send SMS; Access / blocking policy for all other subsystems is built into iOS and Apple approval / verification procedure.

Applications can rewrite other applications and examine their source code, but not sensitive data; However, the data stored on the SD memory card by default can be read by everyone; Applications are limited to user mode and cannot install drivers; Applications get access to the majority of system services only after an affirmative answer of the user to the request; Android OS, not Dalvik VM, provides isolation.

The iOS sandbox model limits the potential harm from applications, but at the same time, complicates the creation of iOS security applications. As for Android, with the exception of the ability to access an external SD card, the default isolation rules are even more stringent than those used in iOS.
Of course, only a few applications are limited to the default rules.

Unfortunately, despite the rather stringent security requirements that were put forward during the development of the platforms we prepared, the degree of security is insufficient to protect the corporate information that so often falls on them. When used and configured correctly, both platforms - Android and iOS - give users the ability to simultaneously synchronize their devices with multiple (private and corporate) cloud services without the risk of leakage. If it’s wrong, they give attackers the opportunity to steal data on the device’s location, phone number, email address and contacts, steal a valid IMEI code and install it on a deactivated / fake phone, get a fee for installing left-wing applications, force the phone to send SMS messages or dial numbers for paid ones calls