Android and IOS security mechanisms. OS vulnerabilities
Everyone knows that Android is an “open” system, which means a user should expect a great number of vulnerabilities in the system. Nevertheless, it is iOS that is considered to be a more vulnerable operating system. According to the research of 2014 the amount of vulnerabilities in all iOS versions reached the number of 335, while in Android system only 36.
From the perspective of mobile app security testing, it is assumed that the number of vulnerabilities in the iOS system would increase, as after the presentation of iOS8 beta-version there appeared new targets for attack: a side keypad, increased number of API-calls new in the innovative SDK and HomeKit system. Still, Apple users should not much worry about security as Apple engineers quickly response to new issues.
Google, in its turn, amplifies the protection mechanisms of operating system. SELinux module integrated in Android 4.4 performs severe access control on the kernel level, while in Android 4.3 SELinux is turned off. This module runs independently from the basic Linux security model.
So, none of the both operating systems wins the “security mechanisms competition”, though Android and Apple have powerful mechanisms to provide protection from the hackers` attacks and pay special attention to OS security.
Above these all, the BYOD tendency rapidly increases its popularity. Though using mobile device for different purposes is a great thing, it is also a great security risk for corporations. Attacking any vulnerable or lost device – a smartphone or a tablet – hackers can get secret documentation and access internal resources like corporate email. As a result, there is a great demand for Mobile Device Management (MDM) solutions that allow managing security policy of mobile devices that run in corporate networks.
From the corporations` viewpoint Apple OS has more advantages over Android. There are powerful means for centralized device management in iOS: configuration profiles, remote data reset and incorporated support of outside MDM solutions. Android has no such an opportunity. To integrate with MDM system Android needs downloading a specialized OS.
It is worth mentioning that Samsung corporate security mechanisms left behind lots of Android devices producers. I mean the SAFE (Samsung For Enterprise) program and KNOX suite. They separate all work activities in MDM-system from all others. Thus all Samsung devices operating on Android 4.3 and higher versions fully comply with corporate security principles. Comparing with Android running devices, Apple has a smaller range of products and can easily provide support for corporate security systems for all versions of its smartphones, tablets and OSs. In this case the winner is iOS.
The topic of the security mechanisms of both operating systems deserves, I guess, a series of articles, this was just an overview. Those who want to have more profound information about Android and Apple security mechanisms can read detailed manuals on the companies` websites.
I would like to resume pros & cons of the OSs from the security viewpoint:
- “Open” for security research
- Applications are immune to buffer overloads
- Severe access control on the kernel level
- Lots potentially harmful software in Google Play
- Poor corporate security opportunities
- Great number of OS versions and device models, which complicates the security methods standardization
- Control of downloaded applications in App Store
- Quick response to the security issues
- Opportunities to support corporate security systems
- Lots of vulnerabilities in the operating system
- Increase of potential targets for attacks
To cut the long story short, I want to say that today very few people choose a smartphone because of high security protection. And that`s not a mistake, as Android and iOS are similar in their security approach. Still, if the device security is really essential for you, choose any Apple device or something by Samsung operating on Android 4.3 version and higher ones.