Built-in Android and iOS security mechanisms: Looking at their effectiveness
September 5, 2014
Tatyana Mahlaeva is mobile applications QA manager for A1QA
Security is crucial, yet when a system is hacked, consumers tend to remember the lack of security rather than the protection that was in place. The situation with mobile devices is even worse.
Today, users know a lot about the consequences of attacks on desktop and Web applications, but they give the security of smartphones and tablets far less thought.
In fact, there are three categories of people invested in mobile device security:
• Users
• Product developers and owners
• Corporations
Every group has its own risks and security requirements. This article will cover the Android and iOS security mechanisms that should be top of mind for each group.
A user’s device security depends upon the security of the mobile operating system (OS).
Once attackers find a weakness in the OS, they can compromise the device even if the user runs only well-secured applications. Although the two systems offer roughly equal protection, the attack tactics against them differ.
When looking at OS security, it is important to first note basic security principles such as a read-only system partition and process separation at the kernel level.
Android and iOS system partitions are mounted read-only, which prevents accidental or deliberate modification of system files.
Moreover, both operating systems apply the “sandbox” principle.
According to this principle, every application operates separately and cannot access system files or other applications’ data.
In an iOS system, almost all applications run under an unprivileged user named “mobile.”
In Android, every application runs under its own Linux user, so the kernel itself enforces the separation between running applications.
The main differences between security mechanisms for Android and iOS boil down to:
• Limited access to the kernel
• Verification of downloaded OS
• Access right control
Before appearing in the App Store, iOS applications are checked, tested and verified against Apple’s requirements.
Every application installed on iOS must carry a unique certificate, obtained through the “iOS Developer Program” after the verification process. These measures protect against malware in the App Store.
Google does not check applications before they are uploaded to Google Play, but it regularly scans the store to detect malware. This approach might not be secure, and indeed there are many malicious programs to watch out for in Google Play.
But according to Hewlett-Packard research and the “HP Security Research Cyber Risk Report 2013,” these programs are unable to do much harm and are simply advertising applications.
Google Play definitely has malware, but with some basic user skills, you can defend your device and OS.
For example, when installing an application on an Android device, the user sees the full list of permissions the application requests. If something like a flashlight application requests access to the contacts list or Internet access, it is definitely malware.
The situation with access permissions is a bit different in iOS: every access request must be accepted or denied by the user.
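To make the Android permission check concrete, here is an added Python example (not from the article) that parses a constructed AndroidManifest.xml and flags sensitive permissions a flashlight app has no reason to request; the expected-permission baseline and the SENSITIVE set are assumptions chosen for illustration.

```python
# Added example: review the permissions an Android app declares in its
# AndroidManifest.xml against what an app of its kind plausibly needs.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: permissions a simple flashlight app legitimately needs.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}

# Assumed set of permissions that expose user data or open a network path;
# an app whose purpose does not call for them deserves scrutiny.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        node.get(ANDROID_NS + "name")
        for node in root.iter("uses-permission")
        if node.get(ANDROID_NS + "name")
    }

def suspicious_permissions(manifest_xml, app_kind):
    """Sensitive permissions declared but not needed by an app of this kind."""
    extra = declared_permissions(manifest_xml) - EXPECTED.get(app_kind, set())
    return sorted(extra & SENSITIVE)

# Constructed sample: a "flashlight" that also wants contacts and network access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for perm in suspicious_permissions(SAMPLE_MANIFEST, "flashlight"):
        print("unexpected sensitive permission:", perm)
```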
What about the vulnerabilities in the OS itself?
Everyone knows that Android is an “open” system, which leads users to expect a great number of vulnerabilities in it. Nevertheless, it is iOS that is considered the more vulnerable operating system.
According to research performed in 2014, at the time this article was written the number of vulnerabilities across all iOS versions had reached 359, compared with only 37 in Android.
I anticipate that the number of iOS vulnerabilities will increase, as new targets for attack (third-party keyboards and a larger number of API calls introduced in the new SDK and the HomeKit system) appeared with the iOS 8 beta.
Still, Apple users should not worry too much about security, as Apple engineers have a history of quickly responding to new issues.
Google, in turn, keeps strengthening the protection mechanisms of its operating system. The SELinux module integrated into Android 4.4 provides strict access control at the kernel level, whereas in Android 4.3 SELinux is turned off.
This module enforces its policy independently of the basic Linux security model.
Still, given growing trends such as bring your own device (BYOD), concerns about mobile security continue to rise as well. Though using mobile devices for different purposes is a great thing, it is also a great security risk for corporations.
By compromising a vulnerable or lost device, whether a smartphone or a tablet, attackers can obtain confidential documents and access to internal resources such as corporate email.
As a result, there is great demand for mobile device management (MDM) solutions that let corporations manage the security policies of the mobile devices running in their networks.
It appears, therefore, that we do not have a clear winner when it comes to looking at security from the user perspective.
Both Android and iOS have powerful mechanisms to protect against hackers’ attacks and pay special attention to OS security.
From the developer’s viewpoint, the main risk is client loss as a consequence of a hacker’s attack.
Android and iOS are similar in resisting local and Web attacks. If developers follow the security criteria during development, they can build a well-protected application on either platform.
Generally, Android applications are written in Java and are immune to buffer overflow attacks, unlike iOS applications written in Objective-C.
Android applications are, however, easy to decompile and repackage with malicious code, so developers should apply code obfuscation techniques.
Though iOS applications are vulnerable to buffer overflows, iOS developers use mechanisms that can prevent exploitation of these vulnerabilities.
Among those mechanisms are compiler options such as PIE (Position Independent Executable), SSP (Stack Smashing Protection) and ARC (Automatic Reference Counting).
These options manage memory effectively and prevent the mistakes that can lead to a buffer overflow.
Moreover, with iOS8, Apple has introduced a new programming language – Swift – that will be used instead of Objective-C. It is claimed that this new language is more secure, but we will not know whether this is truly the case until the end of this year.
Therefore, both Android and iOS applications are quite secure, when developers follow the security requirements.
From the corporation’s viewpoint, Apple OS is the more attractive option.
iOS offers powerful means for centralized device management: configuration profiles, remote data wipe and built-in support for third-party MDM solutions.
Android has no such offerings. To integrate with an MDM system, Android needs to download a specialized OS.
It is worth mentioning that Samsung has produced some of the most secure mechanisms for Android: the SAFE (Samsung For Enterprise) program and the KNOX suite. They isolate all work activities managed by the MDM system from everything else on the device.
Thus, all Samsung devices operating on Android 4.3 and higher fully comply with corporate security principles.
Compared with Android devices, Apple has a smaller range of products and can easily support corporate security systems across all versions of its smartphones, tablets and OSes.
In the case of corporations, the mobile security winner is iOS.
Breaking it down
To provide a quick recap, below are the pros and cons of the OSes from the security viewpoint:
Android pros:
• “Open” for security research
• Applications are immune to buffer overflows
• Strict access control at the kernel level
Android cons:
• Potentially harmful software in Google Play
• Poor corporate security opportunities
• Great number of OS versions and device models, which complicates the standardization of security methods
iOS pros:
• Control of downloaded applications in the App Store
• Quick response to security issues
• Opportunities to support corporate security systems
iOS cons:
• Many vulnerabilities in the operating system
• Recent increase in potential targets for attacks
The truth is, few people choose a smartphone because of its security protection. And for the most part, that is OK – Android and iOS are similar in their security approaches.
That does not mean security should not be a consideration at all, however.
If you want to be assured you have the highest mobile security available, choose any Apple device or something by Samsung that operates on Android 4.3 version or higher.
Tatyana Mahlaeva is mobile applications QA manager for A1QA, an Austin, TX-based global software testing and quality assurance company. Reach her at .