April 24, 2014

Android or iPhone: Which Smartphone is Safer?


When comparing security features, the iPhone has a good lead over Android phones, says Australian data security expert Adam Pointon of Sentinel Data Security. Apple wins the security contest due to a tighter app approval process, patented device-wiping technology and “probably the most successful use of public-key cryptography in publicly controlled hardware devices”.

Meanwhile, Android users face a lag of up to six months for firmware updates on cellphones sold through carriers.
“A lot of security folks have moved away from Android for that reason alone,” Pointon says.

Smartphones are emerging as a critical element of security in the cloud. Smartphones (and tablets) running operating systems by Apple and Google are less vulnerable to viruses and hackers than desktop computers; see "Safest way to access the cloud? Use your phone".

BoxFreeIT asked Pointon why Android was so far behind the iPhone in the security stakes.

BoxFreeIT: What is the most secure way to access cloud software? With an iPhone or an Android smartphone?

Pointon: Mobile devices running Apple’s iOS operating system are still regarded as the most secure for many reasons; from the operating system itself, to Apple’s patch management and security methods, and the vetting processes for apps sold on the Apple App Store.

 

BoxFreeIT: Why are Apple’s iPhone and iPad so secure?

Pointon: There are three reasons. The first has to do with applications made for the iPad and iPhone by third-party developers. The security of Apple’s App Store is better than Android, and far better than any other platform. Apple currently has the most robust software review process for new applications which includes automatically and possibly manually reviewing the code for malicious behaviour, such as accessing other parts of the phone (contacts, photos, etc).

The second reason is that Apple has the most secure key-signing process for protecting user information stored on an iPhone or iPad. It is probably the most successful, widely deployed use of public-key cryptography in publicly controlled hardware devices. This was outlined at Blackhat.com 2012 in Las Vegas, which was the first public presentation by the Apple security team.

Third, Apple has patented its device-wiping technology due to the efficient way it securely wipes information remotely from an iPhone or iPad. Instead of wiping the data itself, the Apple operating system encrypts all the data from day zero, and then on a wipe, it simply wipes the encryption key required to decrypt the data. The net result is the data is inaccessible without the keys and thus useless.

 

BoxFreeIT: There have been reports of apps on the Android app store stealing personal information. Why doesn’t this happen on Apple’s App Store?

Pointon: In the case of iOS, applications must first be vetted by Apple through their app-store validation process, which has so far done a reasonable job at blocking malicious software from entering the market. The applications also operate within a chain of trust, and should the software be found malicious it’s possible to remove or disable it relatively easily. This is better than using anti-virus software, which is essentially chasing something it can never catch.

In the case of Android apps, the vetting process is less stringent and third-party applications can be installed more easily by “rooting” the phone (cracking the security of the operating system). This is the same as jailbreaking in the iOS world, but Apple has done a great job at ensuring vulnerabilities that lead to jailbreaking are limited.

 

BoxFreeIT: Are there any other differences in security between Android smartphones and iPhones?

Pointon: Telcos which sell their own Android phones, such as Telstra, don’t keep up with security updates from Android. In some cases telcos haven’t updated the phone’s firmware for over six months, which is terrible. A lot of security folks have moved away from Android for that reason alone.

 

BoxFreeIT: Why don’t they update the security?

Pointon: Because Telstra create their own firmware for Android smartphones, and they need to go through a testing and review process with each new release of Android firmware. That takes a few months at best, which means Android users with phones running firmware from Telstra or other telcos are vulnerable to issues that other Android users aren’t.

 

BoxFreeIT: So what’s the upshot?

Pointon: You are safer using a pure Android phone than a telco-branded Android phone.

 

BoxFreeIT: Are there any other ways to hack an iPhone?

Pointon: iOS devices are still vulnerable to physical-access attacks from commercial (government-restricted) tools such as the iPhone forensic toolkit from Elcomsoft. I’ve used these tools in a project for a client and they do work. However, it’s an arms race – Apple improves security against these attacks with each update and I’m not sure if it works with the latest iOS version (6.1).

 

Comments
5 Responses to “Android or iPhone: Which Smartphone is Safer?”
  1. My vote is for the Apple iPhone, because the Apple iPhone always beats Samsung smartphones.

  2. Ryan Cooley says:

    They failed to illustrate the differences in the security strategies of the two phones. Essentially, that iOS depends on surface attack restrictions but ignores internal, system attack restrictions. Android is simply the opposite. So you aren’t likely to install a malicious program, but if you jailbreak an iPhone, there is noticeable performance degradation and you are more vulnerable to system attacks. Plus iOS has little to no resource control mechanism. So if you lack the resources to do something, you’re likely to see that right away. This presents another security problem since malicious code needs only to be executed within a browser to compromise the whole system. So while an application may be safe, the remote functions are where the vulnerabilities exist.
    Android, on the other hand, is susceptible to malware externally, but not internally. You are far less vulnerable with a reasonable security solution which does have the potential to slow down your phone’s system, but at least you’ll catch more vulnerabilities. Whereas with iOS, there is no mechanism available to deal with a compromised system other than the recommended Apple solution of wiping it and starting over or their more preferred method of buying a new phone.
    Also, the telcos have an interest in not making phones upgradeable. That’s how they get to sell more phones. That’s Apple’s advantage, to a degree, since they have already abandoned support for an entire set of devices that are only upgradeable to iOS 5.1.
    But I do like the fact that these portable media consumption devices (not really production devices) are more secure than a desktop computer or traditional workstation device with a full OS. I would like to see those comparisons, though.
    Still, the security flaws in iOS are not likely to be addressed since that compromise strikes at the heart of usability implementations. The same with Android. Only Android allows for security applications to supplement its vulnerabilities without sacrificing usability. So it’s a trade off.
    Most consumers don’t understand these factors and so they will simply keep buying what they’re used to using.

  3. Norman says:

    Sorry, don’t know how to edit the previous post. Here’s correct link to Dr. Charlie Miller’s interview on Android vs iOS security comparison: http://privacy-pc.com/news/ios-and-android-security-comparison.html
