iOS and Android carry similar security risks

News by Steve Gold

New research shows that Apple's iOS mobile operating system is not that much safer from a risk and security perspective than Google's Android when used in a corporate environment.

The report - entitled 'Marble Labs Mobile Threat Report, June 2014' - notes that, whilst malware creators have targeted Android in the past, some of the security risks stem from communications infrastructure problems.

It also concludes that within three months of the release of new versions of Android or iOS, there is no difference in the risk of jailbreak or rooting - and that tools to prevent detection are similar on both platforms.

The report, which is based on analysing around 1.2 million apps, goes on to say that the infrastructure issues - such as app-based, SMS and spear variants of phishing and, of course, SSL vulnerabilities - level the risk/security playing field for Android and iOS.

"What we see here is that on iOS, games have huge variability in the types of data exfiltrated from user devices. This data can include contact information, which, if connected to corporate Active Directory, can be the entire database of all employees. It may also be device information, user location and authentication credentials," says the study.

"Frequently app developers add libraries for advertising, performance management, user tracking, and other features and have no visibility into that code, security assurances, or insight into how collected data will be protected, reused, resold or targeted," it adds.

One area of apps that Marble Security single out as having "wildly variant risky behaviours" on iOS is the news category. These, says the research firm, are apps that are typically free, yet sell user data and corporate data to varying degrees.

Sarb Sembhi, a director and analyst with Stormforce Guidance, agrees with the conclusions of the report, noting that this is one of the first times that a research firm has conducted a truly quantitative comparison between Android and iOS.

"My observations suggest that neither mobile operating system is better or worse than each other. It's worth noting that many of the security risks associated with smartphone/mobile usage are platform independent," he said, adding that, around eight years ago - a year before the first iPhone appeared - he was at a research event at which a colleague commented about the security risks of using a mobile being down to the communications and technology infrastructure.

The recent SSL/Heartbleed security issue, he explained, is indicative of this challenge.

Sembhi, who is also a member of the relations board with ISACA, the non-profit security association, says that it is very difficult to protect mobile devices from infrastructure issues, mainly because solving these types of challenges typically involves a rewrite of the technology involved.

Professor John Walker, a visiting professor with the Nottingham-Trent University's School of Science and Technology, said that the perceived view of most people is that Apple iOS is safer than Android, despite the fact that - as this report says - they are broadly equal in a corporate environment.

"It's all about the inferred level of security. Because Apple has the brand, many people believe it to be more secure," he said, adding that this is almost certainly why government agencies often mandate the use of Apple over Android.

"My own observations are that the use of secure technologies - such as Silent Circle's Blackphone - are the best way forward, as they make all the communications secure. The irony here is that the Blackphone is based on Android," he concluded.

Over at Check Point, UK managing director Keith Bird said that last year his company surveyed almost 800 IT professionals worldwide about mobile security, and asked them which of the most common mobile platforms they viewed as being the greatest security risk.

"Android was rated as the biggest risk (49 percent), followed by Apple/iOS (25 percent) and Windows Mobile (17 percent), but I would agree that once an Apple device is jailbroken and outside the iTunes 'walled garden', the risks will balance themselves out," he noted.
