Although the mobile operating systems most in use on smart phones today – Android and Apple’s oOS – are inherently more secure than the average PC operating system, there are still gaps that users should be aware of.
This is the warning from Symantec, which has published a white paper entitled “A Window into Mobile Device Security: Examining the security approaches employed in Apple’s iOS and Google’s Android”, which conducts an indepth technical evaluation of the two platforms.
Chief among the findings is that while the most popular mobile platforms in use today were designed with security in mind, these provisions are not always sufficient to protect sensitive enterprise assets that regularly find their way on to devices.
Complicating matters, today’s mobile devices are increasingly being connected to and synchronised with an entire ecosystem of third-party cloud and desktop-based services outside the enterprise’s control, potentially exposing key enterprise assets to increased risk.
The paper offers a detailed analysis of the security models employed by Apple’s iOS and Google’s Android platforms, evaluating each platform’s effectiveness against today’s major threats, including:
* Web-based and network-based attacks;
* Social engineering attacks;
* Resource and service availability abuse;
* Malicious and unintentional data loss; and
* Attacks on the integrity of the device’s data.
This analysis has led to some important conclusions, including:
* While offering improved security over traditional desktop-based operating systems, both iOS and Android are still vulnerable to many existing categories of attacks.
* iOS’s security model offers strong protection against traditional malware, primarily due to Apple’s rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers.
* Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today’s increasing volume of Android-specific malware.
* Users of both Android and iOS devices regularly synchronise their devices with 3rd-party cloud services (e.g., web-based calendars) and with their home desktop computers. This can potentially expose sensitive enterprise data stored on these devices to systems outside the governance of the enterprise.
* So-called “jailbroken” devices, or devices whose security has been disabled, offer attractive targets for attackers since these devices are every bit as vulnerable as traditional PCs.
"Today’s mobile devices are a mixed bag when it comes to security,” says Carey Nachenberg, Symantec fellow and chief architect of Symantec Security Technology and Response. “While more secure than traditional PCs, these platforms are still vulnerable to many traditional attacks. Moreover, enterprise employees are increasingly using unmanaged, personal devices to access sensitive enterprise resources, and then connecting these devices to 3rd-party services outside of the governance of the enterprise, potentially exposing key assets to attackers.”