Android vs. iOS: Security Comparison
Smartphones enjoy ever-increasing popularity as the technology advances day by day, and they have become as basic a need for users as the desktop computer. Users are aware of the viruses and malware that infect computers, but the mobile world still seems mysterious to many because of a lack of knowledge. These devices are also small enough to be easily stolen or lost, and as a user you would not want a stranger to access any personal information stored on your device. In this article, we discuss some of the differences in the security aspects of Google's Android and Apple's iOS platforms.
Specific Concern Areas
The key security concerns and risks you face if you do not adequately secure your device against theft or unauthorized use are:
- Access to email and social networking accounts set up on your phone.
- Access to personal and confidential files, documents, emails, etc. that are stored on your device.
- Access to your personal messages and phone book.
- Sending messages to or calling premium numbers.
- Access to stored passwords.
Comparing the Security of the Android and the iOS
Application Approval Process
Description: Users of both Android and iOS download applications from a central repository, commonly called an "app store", which is a collection of online distribution platforms. A proper approval process has to be in place to make sure that an application uploaded to the store is safe to download and use.
Android: Android users download applications from a common infrastructure that hosts all Android applications in a central place, the Android Market (since renamed Google Play), and maintains the various versions and updates. At the time of writing, any application could be uploaded to the Android Market and Google did not appear to evaluate whether an application does more than it claims to. Android instead relies on a capability-based (permission) security model: the application declares the capabilities it needs and the platform enforces that declaration.
When the application is installed on the device, the user is shown the list of all permissions the application needs in order to run and has to decide whether to continue with the installation or not. It is left to the user to judge whether the application actually requires those capabilities.
For example, an internet-based messenger application requesting internet access is no cause for concern, but a calendar application requesting the same permission should raise suspicion in the user's mind. The model itself gives the user no help in making that judgement; the permission list is all the user has. If an application is later reported to contain malware or to perform malicious activity, Google can remove it from the store and remotely remove it from devices that installed it.
iOS: Apple runs its own App Store, which hosts all applications centrally for the whole iOS community. Unlike Android, Apple follows a strict approach to accepting an application. According to apple.com, the review process is not limited to testing for software bugs, instability on the iOS platform and the use of unauthorized protocols; it also tries to protect user privacy, safeguard children from exposure to inappropriate content and reject applications that degrade the core iOS experience. Review is a gate at submission time rather than a guarantee: a reviewer cannot exercise every code path, so an approved application can still misbehave once installed.
Application Permissions
Description: Once an application is installed on your device, it can use whatever device resources the platform grants it, and it can misuse those resources just as easily as use them legitimately. The user should therefore be able to see which access rights an application has been given, in order to decide whether the application actually requires them.
Android: As discussed earlier, Android follows a capability-based security model. Each Android application must tell the operating system which capabilities it requires, expressed as permissions declared in the application's manifest (AndroidManifest.xml). At install time the user sees the full list and either accepts all of it or aborts the installation; there is no way to grant only some of the permissions. Once the permissions are granted, nothing stops the application from using them maliciously, but the list is fixed: the operating system refuses any action outside the explicitly declared permissions, and an attempt to use an undeclared one fails with a SecurityException. (Newer Android versions, from 6.0 onward, prompt for sensitive permissions at the moment they are first used rather than at install time, which moves the user's decision point but does not change the enforcement model.)
iOS: iOS has no user-visible permission list of the kind Android shows. Every application runs in a sandbox enforced by the operating system, which keeps it out of other applications' files, but at the time of writing the platform neither told the user which resources an application would access nor asked for consent beyond the Location Services prompt. Within the sandbox, all applications had the same access to device resources such as the address book, so once installed an application could read them under the pretext of performing a legitimate action. Later iOS versions added per-resource consent prompts (contacts, calendars, photos, microphone and so on), narrowing this gap.
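To make the "does this application really need that?" judgement concrete, here is an added example, written for this article and not taken from the original text or from Google's code. It scans a constructed AndroidManifest.xml for uses-permission declarations, compares them with an expected baseline for a calendar application, and counts any extras that fall into a high-risk set (SMS and phone permissions, which are how an application reaches the premium numbers listed in the concern areas above). The baseline, the high-risk list and the sample manifest are assumptions chosen for illustration; the scanner is a minimal attribute scan rather than a full XML parser.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PERM  64   /* longest permission name we keep */
#define MAX_FOUND 32   /* most permissions we record from one manifest */

/* Assumed high-risk set: permissions that let an app spend the owner's
 * money (premium SMS/calls) or harvest the phone book. */
static const char *const HIGH_RISK[] = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
};

/* Pull every android:name="..." out of <uses-permission ...> elements.
 * Minimal scan that assumes the well-formed quoting the Android build
 * tools emit; it is not a general XML parser. Returns the count found. */
size_t extract_permissions(const char *xml, char out[][MAX_PERM], size_t max_out) {
    size_t n = 0;
    const char *p = xml;
    while (n < max_out && (p = strstr(p, "<uses-permission")) != NULL) {
        const char *end = strchr(p, '>');
        if (!end) break;                               /* unterminated element */
        const char *name = strstr(p, "android:name=\"");
        if (!name || name > end) { p = end; continue; } /* element has no name */
        name += strlen("android:name=\"");
        const char *q = strchr(name, '"');
        if (!q || (size_t)(q - name) >= MAX_PERM) { p = end; continue; }
        memcpy(out[n], name, (size_t)(q - name));
        out[n][q - name] = '\0';
        n++;
        p = end;
    }
    return n;
}

static int in_list(const char *perm, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(perm, list[i]) == 0) return 1;
    return 0;
}

/* Compare declared permissions with the baseline for the app's category.
 * Permissions outside the baseline are written to 'unexpected'; the return
 * value is how many of those are in HIGH_RISK (the number that should
 * block the install outright). */
size_t audit_manifest(const char *xml, const char *const *baseline, size_t n_base,
                      char unexpected[][MAX_PERM], size_t max_out, size_t *n_unexpected) {
    char found[MAX_FOUND][MAX_PERM];
    size_t n = extract_permissions(xml, found, MAX_FOUND);
    size_t risky = 0, u = 0;
    for (size_t i = 0; i < n; i++) {
        if (in_list(found[i], baseline, n_base)) continue;
        if (u < max_out) { snprintf(unexpected[u], MAX_PERM, "%s", found[i]); u++; }
        if (in_list(found[i], HIGH_RISK, sizeof HIGH_RISK / sizeof *HIGH_RISK)) risky++;
    }
    *n_unexpected = u;
    return risky;
}

/* Assumed baseline for a calendar app: it needs the calendar, nothing else. */
static const char *const CALENDAR_BASELINE[] = {
    "android.permission.READ_CALENDAR",
    "android.permission.WRITE_CALENDAR",
    "android.permission.VIBRATE",
};
#define N_CAL (sizeof CALENDAR_BASELINE / sizeof *CALENDAR_BASELINE)

/* Constructed sample manifest: a "calendar" app that also asks for the
 * network and for sending SMS (the example from the text). */
static const char SAMPLE_MANIFEST[] =
    "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\"\n"
    "          package=\"com.example.calendar\">\n"
    "  <uses-permission android:name=\"android.permission.READ_CALENDAR\" />\n"
    "  <uses-permission android:name=\"android.permission.WRITE_CALENDAR\" />\n"
    "  <uses-permission android:name=\"android.permission.INTERNET\" />\n"
    "  <uses-permission android:name=\"android.permission.SEND_SMS\" />\n"
    "  <application android:label=\"Calendar\" />\n"
    "</manifest>\n";

int main(void) {
    char unexpected[MAX_FOUND][MAX_PERM];
    size_t n_unexpected;
    size_t risky = audit_manifest(SAMPLE_MANIFEST, CALENDAR_BASELINE, N_CAL,
                                  unexpected, MAX_FOUND, &n_unexpected);
    for (size_t i = 0; i < n_unexpected; i++)
        printf("outside baseline: %s\n", unexpected[i]);
    printf("%zu high-risk permission(s) outside baseline\n", risky);
    return risky ? 1 : 0;   /* non-zero exit: do not install */
}
```

For the sample manifest the audit reports INTERNET and SEND_SMS as outside the calendar baseline and counts one of them (SEND_SMS) as high risk. The same check can be run over an unpacked APK's manifest before an application is allowed onto managed devices; the point is that the install-time list is only useful if someone compares it against what the application's stated purpose actually requires.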
Programming Language Used
Description: The programming language used to develop applications affects not only their performance but also their security, through both the guarantees the language gives and the way its libraries are implemented.
Android: Android applications are usually written in Java. Java is compiled to bytecode and executed by a managed runtime (Dalvik on Android at the time of writing) that bounds-checks every array access, so code written purely in Java is not subject to classic buffer overflows: an out-of-bounds write throws an exception instead of corrupting memory. This makes the Android platform somewhat resistant to buffer-overflow attacks. Isolation between applications does not come from the virtual machine itself but from the kernel: each application runs in its own process under its own Linux user ID, so a crash or memory fault in one application does not reach another or leak its data (unless the applications explicitly share a user ID). Two caveats apply: an application can ship native code (C or C++ via the NDK), which has no such protection, and the runtime and system libraries are themselves native code.
iOS: iOS applications are written in Objective-C, a superset of C that is not a memory-safe language; applications call C string routines directly and link against the same C libraries as any other native program, so a vulnerability in one of those libraries affects applications that never call it by name. Use of the common C string-handling routines strcat, strcpy, gets and sprintf with fixed-size buffers is widespread in iOS applications, and this makes them susceptible to buffer-overflow attacks.
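The following added example, written for this article and not taken from Apple's or any application's code, shows the strcpy pattern described above in plain C beside a hardened replacement. The record layout (an 8-byte name next to a 4-byte privilege flag) and the input are constructed; packing both fields into one 16-byte block keeps the overflow inside a single object, so the result is deterministic and defined, while still showing the copy landing on the neighbouring field exactly as it would on an adjacent stack variable. In Java the same copy would simply throw an ArrayIndexOutOfBoundsException.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed record: 8-byte name followed by a 4-byte "privileged" flag,
 * held in one 16-byte block (assumed layout, chosen for illustration). */
#define REC_LEN  16
#define NAME_LEN 8
#define FLAG_OFF 8

typedef unsigned char record_t[REC_LEN];

void record_init(record_t rec) { memset(rec, 0, REC_LEN); }  /* flag = 0 */

uint32_t record_flag(const record_t rec) {
    uint32_t f;
    memcpy(&f, rec + FLAG_OFF, sizeof f);
    return f;
}

/* VULNERABLE: the pattern the text warns about. strcpy copies until the
 * source's terminator, so any name of 8 or more characters runs past the
 * name field and into the flag that sits right after it. */
void set_name_unsafe(record_t rec, const char *input) {
    strcpy((char *)rec, input);
}

/* HARDENED: check the length first and always leave room for the NUL.
 * Returns 0 on success, -1 if the input does not fit; the caller must
 * treat -1 as a rejected input, not retry with a truncated copy. */
int set_name_safe(record_t rec, const char *input) {
    size_t n = strlen(input);
    if (n >= NAME_LEN) return -1;
    memcpy(rec, input, n);
    rec[n] = '\0';
    return 0;
}

/* Helpers that return the flag after each kind of copy. */
uint32_t flag_after_unsafe(const char *input) {
    record_t rec;
    record_init(rec);
    set_name_unsafe(rec, input);
    return record_flag(rec);
}

uint32_t flag_after_safe(const char *input, int *rc) {
    record_t rec;
    record_init(rec);
    *rc = set_name_safe(rec, input);
    return record_flag(rec);
}

int main(void) {
    /* Constructed input: 8 filler bytes, then 4 bytes that land on the flag.
     * Kept under 16 bytes so the copy never leaves the block itself. */
    const char *attack = "AAAAAAAABBBB";
    int rc;
    printf("unsafe: flag = 0x%08x\n", flag_after_unsafe(attack));
    printf("safe:   flag = 0x%08x, rc = %d\n", flag_after_safe(attack, &rc), rc);
    return 0;
}
```

With the constructed input the unsafe copy turns the zero flag into 0x42424242 (the four 'B' bytes), which is the whole mechanism of a buffer overflow: attacker-controlled bytes overwrite whatever happens to be adjacent, whether that is a flag, a saved return address or a function pointer. The safe version leaves the flag at zero and reports -1. The same bound check is what the strlcpy and snprintf families give you; the discipline is that the destination size, not the source length, decides how much is written.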
Open Source vs. Closed Source
Description: Whether a platform's source code is available affects its security. No matter how large the vendor, the number of bugs found and reported in a closed-source platform rarely matches the number reported against an open-source one, because thousands of security professionals study an open platform every day, discovering vulnerabilities and helping its maintainers fix them.
Android: Android is an open-source platform (the Android Open Source Project), and the code base of the underlying platform is available to anyone who wants to read, understand, implement or test it. Vulnerabilities are therefore found faster than on a closed platform, and every user of the platform can play a part in securing it. The openness also lets new technologies be incorporated as they mature, which benefits the whole mobile community. One caveat: finding and fixing a flaw in the source does not by itself fix devices; the fix still has to be shipped by the device maker or carrier, and many devices receive updates late or not at all.
iOS: By comparison, iOS is largely a closed platform, with only parts of it, such as WebKit and the underlying Darwin kernel, released as open source. The speed at which bugs are found and fixed from outside therefore cannot match Android's, although Apple does control delivery of updates to all supported devices itself.
Device Locking
Description: Smartphones are small, stylish, smart and expensive, and hence a prime target for thieves. It is therefore very important to secure the data on the device so that theft of the device does not also mean leakage of the data.
Android: On Android you can set a PIN (or an unlock gesture) that must be entered every time you want to use the device; without it the device cannot be used through its normal interface. This sounds fool-proof, but at the time of writing the Android auto-lock was unreliable and demanded the PIN again even after a one-minute call. That is irritating enough that many users disable the gesture or PIN unlock altogether, which leaves the data exposed to anyone who gains physical access to the device.
iOS: In contrast to Android's PIN unlock, iOS offers a delayed lock: the user can keep using the device without re-entering the passcode for a short interval, such as a minute or a custom value the user sets. Users prefer this, and it is defensible from a security perspective too, as a user who has just authenticated need not repeatedly prove it. The trade-off is that a device stolen within the grace period is an unlocked device, so the interval should be kept short.
After reviewing the security features of Android and iOS, we can conclude that neither has a clear advantage over the other. Android has a good permission model that lets users know exactly which resources an application will use, whereas Apple has a good approval process in place. Android applications are somewhat safe against buffer-overflow attacks, but Android's auto-lock lacks the custom delayed lock that iOS provides. The open-source nature of Android has considerably contributed to reducing flaws in the existing operating system.
A few basic security pointers to keep the data on your mobile device safe are:
- Update your smartphone OS, whether Android or iOS, whenever application patches or OS upgrades are released.
- Always use a passcode to lock your device, so that a stranger who picks it up cannot read your data.
- Do not jail-break, root, or modify the OS files.
- Install antivirus and firewall software, where the platform allows it, to detect and stop infections and intrusions.
- Install device-tracking applications to find the phone whenever it is lost or stolen.
- Regularly back up or synchronize your settings and other personal information, so that theft of the device does not also mean loss of the data.
- Try to learn about an application's reputation before installing it.