Symantec: Android and iOS differ widely on security
Both are built from the start for secure access, unlike PCs, but both have vulnerabilities for enterprise users
Published: 29 June, 2011
Security issues dog all the mobile operating systems as they become full applications platforms with their doors constantly open to the network. Android and Apple iOS have both paid close attention to security features from day one, but neither quite commands the full confidence of enterprise users, according to security specialist Symantec. And for companies looking to deploy either OS, their characteristics in this area are very different.
The vulnerabilities created by these two mobile platforms are not the same, according to the new Symantec analysis, as reported in NetworkWorld. The report, 'A window into mobile device security', was written by the company's chief architect Carey Nachenberg, who set out to analyze the core security architecture of iOS and Android and their potential vulnerabilities.
Both support traditional password protection, which can be controlled by administrators, though iOS scores more points in this respect by enabling remote device wiping when security is compromised.
One of the biggest differences between the two OSs is their approach to 'application provenance', or the process of certifying and vetting an app before publishing it in a store. Apple is more stringent, with its famous control freakery around App Store, which is the only source for iOS software. Apple also offers corporations a signing certificate that lets them distribute iOS apps to their users internally, bypassing the App Store. By contrast, Google has no vetting of Android Market, and apps can be taken from other sites too. "In effect, Google lets you create your own signing certificate and public/private key pairs," writes Nachenberg.
Apple also seems to shine more brightly in data encryption, with built-in hardware encryption for all on-device data. However, the key is stored on the device and the data can be decrypted if someone gains physical control of the device. Apple does not use a more secure, secondary level of encryption, but the commonly used Android 2.2 and 2.3 have "no encryption at all". There is an encryption option in Honeycomb, but it has to be activated by the user and takes an hour to run the first time.
Both platforms make use of isolation and permission-based access control, and data associated with each app always remains private to that program. However, an Android app can read the entire contents of a plug-in SD card, Nachenberg says, including any sensitive corporate data that might be on it.
In the end, Android places more responsibility on the user or IT department to set policies and activate security, but for both OSs, in the immature world of mobile security, Nachenberg's final recommendation is to "protect information, not devices. What types of information can your user gain access to? If you limit this, it won't get onto the device in the first place."