Symantec Analyzes the Security of Apple iOS vs Google Android

Symantec has just released a report detailing its security analysis of Apple’s iOS and Google’s Android mobile operating systems. The report is an intriguing and detailed read, and worthwhile if you want an in-depth look into the security of both platforms. They claim both are more secure than PCs, but gaps remain.

Here are the highlights of their iOS analysis:

Overall, Symantec considers iOS’s security model to be well designed and thus far it has proven largely resistant to attack. To summarize:
• iOS’s encryption system provides strong protection of emails and email attachments, and enables device wipe, but thus far has provided less protection against a physical device compromise by a determined attacker.
• iOS’s provenance approach ensures that Apple vets every single publicly available app. While this vetting approach is not foolproof, and almost certainly can be circumvented by a determined attacker, it has thus far proved a deterrent against malware attacks, data loss attacks, data integrity attacks, and denial of service attacks.
• iOS’s isolation model totally prevents traditional types of computer viruses and worms, and limits the data that spyware can access. It also limits most network-based attacks, such as buffer overflows, from taking control of the device. However, it does not necessarily prevent all classes of data loss attacks, resource abuse attacks, or data integrity attacks.
• iOS’s permission model ensures that apps can’t obtain the device’s location, send SMS messages, or initiate phone calls without the owner’s permission.
• None of iOS’s protection technologies address social engineering attacks such as phishing or spam.

Here is a snippet of their summary analysis of Android OS:

Overall, while we believe the Android security model is a major improvement over the models used by traditional desktop and server-based operating systems, it has two major drawbacks. First, its provenance system enables attackers to anonymously create and distribute malware. Second, its permission system, while extremely powerful, ultimately relies upon the user to make important security decisions. Unfortunately, most users are not technically capable of making such decisions and this has already led to social engineering attacks. To summarize:
• Android’s provenance approach ensures that only digitally signed applications may be installed on Android devices. However, attackers can use anonymous digital certificates to sign their threats and distribute them across the Internet without any certification by Google. Attackers can also easily “trojanize” or inject malicious code into legitimate applications and then easily redistribute them across the Internet, signing them with a new, anonymous certificate.

You can read the entire report here. As seen from the graphical comparison, iOS is ‘safer’ than Android but not without its own history of vulnerabilities. The safety of iOS is that all apps require approval by Apple to enter the App Store, ensuring no malware or ill-advised apps get approved. Android OS, on the other hand, is a whole different ball game.

What’s safer? iOS or Android?

[Symantec]

Founder and Editor-in-Chief of iPhoneinCanada.ca. Follow me on Twitter, and @iPhoneinCanada, and on Google+.

  • Anonymous

    There is a real advantage to Apple owning every piece of the iOS and device chain.  As much as it drives me nuts sometimes, having that control is what makes iOS and Mac OS so secure and safe to use.

  • I don’t understand this chart. How can IOS be considered superior to resource abuse, data loss, or data integrity attacks, when it has no permission model whatsoever????

    That is, if some malware sneaks into the app store, all bets are off. And yes, it has already happened. At least with Android, when you install *ANYTHING* (from the market or otherwise), that application can not do anything you don’t explicitly allow it to do, because it has a forced permission model that *makes* the user aware of what that application is doing.

    IOS has no such model – every application has the whole world.

    Basically IOS is like Windows 95 except that you can only buy stuff from one store. That is not real security.

  • That’s not true. iOS apps are very restricted in how they can access your device and can only do so through specific APIs provided by Apple. These APIs only allow very specific access to aspects of the device. Want to send an email from the app? The new email message screen pops up with a pre-canned e-mail message in it, but no contact information has been auto-selected, there is no access to the rest of the mail app and the email can’t be sent without the user hitting send. The same for SMS, Camera, Contacts, phone, etc., it is extremely difficult for apps to do things without a user’s knowledge. Even if they do manage it, the app has no access to any user information because of the isolationist style of iOS. Similarly that is why files can only be saved within a particular app’s data and cannot be accessed from other apps without the file being transferred from the original app or through iTunes. It is occasionally a pain but it limits a malware app’s ability to cause havoc. That is not to say it can’t happen, or that every app with a non-standard API in it gets caught by Apple right away (nobody’s perfect) but it is not the free-for-all you make it out to be.

    Whether what you say about Android is correct, I don’t know, and thus can’t comment.

  • Anonymous

    Untrue (or only half true).

    iOS prompts you for specific access first time an app is run. Location, address book, maybe even messaging (I’ve not downloaded any SMS apps). And it always prompts if it thinks an app is triggering a phone call–it can’t dial in the background, and since iOS also doesn’t have unfettered multitasking, it probably prevents SMS being sent by 3rd party apps in the background, too (except perhaps the last one or two being sent right before the user exits the app).

    Meanwhile, Android may “make the user aware” but that’s proven to be about as useful as labeling a button “self-destruct, do not press”. Worse, it lists every permission at install time–great for techies, but Windows proved that users will ignore and quickly Okay any warning between them and teh new shiny.

  • Calgary

    I don’t think you can even use the word ‘safer’ inside quotations. They are two different systems for two different types of users; you’ll buy the device based on the freedom of customization.

    Sadly this report didn’t even comment on jailbroken devices.

  • Actually it does highlight the insecurity of jailbroken devices during the iOS examples of security issues.

  • Yeah, in the bigger picture the control leads to a much better user experience.

  • Anonymous

    Once you jailbreak, the security goes right out the window (most of it)

  • Anonymous

    How is Apple responsible for jailbroken phones?  

  • Miso

    Exactly…
    What 30% of us did so far!

  • John

    Not really – there is no name (nobody to take responsibility and stand at a public whipping post). Nothing is perfect all the time. Not Windows and not iOS.