Symantec recently released a report called “A Window into Mobile Device Security,” which examines the security approaches of Google’s Android and Apple’s iOS.
I believe there will be some writers out there that will try to slant the report in favor of one or the other, but in reality they both have vulnerabilities.
Android:
Symantec believes the Android security model is better than that of the traditional desktop, but it has two major drawbacks:
First, it enables attackers to anonymously create and distribute malware even though Google ensures that only digitally signed applications can be installed. Attackers can use anonymous digital certificates to sign their threats and distribute them without certification by Google. The plus side is that Google charges a fee to developers that want to distribute via the Android Market. This should deter less organized attackers.
Second, its permission system relies on users to make important decisions. Symantec believes most users are not “technically capable” of making these decisions. This leaves them open to malware attacks.
Other items to note are that Android 3.0 has built-in encryption, but all earlier versions have no encryption capability. Last but not least, there is no mechanism to prevent phishing attacks.
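To make the permission drawback concrete, here is an added example (not from Symantec's report or the original post): a Python script that reads the permissions an app requests in its manifest and restates risky combinations in plain language, which is the judgment the permission prompt leaves to the user. The rule set, function names and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: illustrative rules written for this example, not Symantec's or Google's.
RISKY_COMBINATIONS = [
    ({P + "READ_CONTACTS", P + "INTERNET"},
     "can read your contacts and send them off the device"),
    ({P + "READ_SMS", P + "INTERNET"},
     "can read your text messages and send them off the device"),
    ({P + "ACCESS_FINE_LOCATION", P + "INTERNET"},
     "can track your precise location and report it remotely"),
    ({P + "SEND_SMS"},
     "can send text messages that cost you money"),
]

# Constructed sample manifest in source form. A manifest inside an APK is
# binary-encoded and has to be decoded to text before it can be parsed like this.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def audit(manifest_xml):
    """Return a plain-language finding for every risky combination requested."""
    perms = requested_permissions(manifest_xml)
    return [reason for combo, reason in RISKY_COMBINATIONS if combo <= perms]


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print("This app", finding)
```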
Apple:
Symantec feels that iOS’s security model is well designed and is largely resistant. There is strong protection of emails and email attachments, but less protection against a physical device compromise.
Apple’s approach of vetting every single publicly available app is not 100%, but it has been a good deterrent against malware attacks, data loss attacks, data integrity attacks, and denial of service.
Traditional types of viruses and worms are totally prevented, but iOS does not prevent all classes of data loss attacks, resource abuse attacks, or data integrity attacks.
As with Android, there is no prevention for phishing attacks.
Here is a summary of Symantec’s conclusions:
Resisting attack types:

| Resistance to | iOS | Android |
|---|---|---|
| Web based | Full | Full |
| Malware | Full | Little |
| Phishing | Little or None | Little or None |
| Resource Abuse | Good | Moderate |
| Data Loss | Moderate | Little |
| Data Integrity | Moderate | Little |

Security Feature Implementation

| Security Pillar | iOS | Android |
|---|---|---|
| Access Control | Good | Moderate |
| Application Provenance | Full | Little |
| Encryption | Good | Little |
| Isolation | Moderate | Full |
| Permission Based Access Control | Moderate | Moderate |

Security is an ongoing problem for all platforms. For now it looks like iOS has the edge. Google went for big growth, and with that, security had to suffer. Fortunately, any attacks that have surfaced have been dealt with. I expect that Google will catch up with Apple by the end of the year with the release of Ice Cream Sandwich.
[via symantec]
