We talked to mobile security experts about the strengths and weaknesses of each system.
Just like the BetaMax and VHS video wars of a few decades ago, there are staunch proponents and loyal users of Android and iOS (Apple)-based products.
But unlike videocassettes and recorders, Android and Apple products carry personal, financial and other valuable information that hackers covet and work hard to obtain, using a combination of malware and social engineering.
Apple/iOS: Close, but Not Complete, Control
Pros of Apple’s iOS include the fact that it is proprietary, closed-source and more secure “by fault” with a single user per device,” said Jason Van Zanten, information security lead at JAMF Software. “The Apple App Store is tightly controlled, and the global partnership between Apple and IBM (IBM MobileFirst for iOS) empowers enterprise users.”
Additional positives include Apple Push Notification service (APNs) for mobile device management, configuration profiles with device settings, app distribution, and remote management commands (lock, wipe, etc.), he said.
Others, however, sound more cautionary notes about Apple security.
“While Apple’s approach is often seen as stronger in terms of security by providing a managed and controlled transaction environment, no system can truly be 100 percent fixed and closed off,” said Sam Rehman, chief technology officer for Arxan Technologies. “At times this could provide a false sense of security which emphasizes risks of certain weaknesses.”
“The Apple ecosystem has a lot to offer its users – except for the reality that there is no possibility of a truly secure brand or data control in any meaningful way,” agreed Andrew McLennan, vice president of the mobile security division, of INSIDE Secure. “The phone user is entirely in the hands of Apple and if there is a major breach it could be catastrophic.”
Android: a Popular Target
“Android offers much more freedom and control, and it is easily possible to get hardware-like security protection using software fixes with native languages such as C++,” McLennan said. “With the Android platform, you can control your own security destiny, particularly if using a mobile solution that also deals with device fragmentation.”
While this makes Android “generally a much better place to be than with the Apple platform,” he said, this is not true if Java is employed for sensitive code. “Java is completely useless for code that needs security, as it takes mere minutes to influence or subvert this code.”
James Quin, CDM Media senior director of content and c-suite communities, said studies show that as much as 97 percent of all mobile malware targets Android while iOS “suffers from functionally none.”
Android’s ubiquity accounts for much of its popularity with hackers, he said. “When malicious code writers sit down to develop threats, they’re going to do so in the manner that gives them the most attack surface, and that always comes from attacking the most populous platform.”
Host Card Emulation
Android’s security vulnerabilities and the sheer variations of devices and permutations of the platform and associated software created the need for Host Card Emulation (HCE), a software-based, self-sufficient and protected solution for mobile payments, Rehman said. While HCE provides flexibility, he said, it also brings a new requirement for strong, software-based protection to secure the storage of sensitive card data on the phone/device and to protect static and dynamic keys stored in the device.
This requirement is critically important to address since the 2015 Verizon Data Breach Investigations Report (DBIR) found that nearly 25 percent of breaches are attributable to memory scraping, a hacking technique that enables access to unprotected cryptographic keys and data.
Hacks with Device Administrator
A popular hacker strategy is to develop Android malware utilizing device administrator to gain very high levels of permission on phones, said Cameron Palan, senior threat research analyst at Webroot. “After approving its request to be a device administrator, it then has the power to prevent you from revoking that permission, prevent you from uninstalling the app, change system settings, wipe your phone and cause other damage.”
Since Android is available on a larger family of phones, look to the device manufacturer to determine just how secure your device is, said Barracuda software engineer and data scientist Luis A. Chapetti.
“When it comes to Android, the level of security essentially depends on the manufacturer of the Android phone due in part because the hardware that it’s running is often times different,” Chapetti said. “Android tends to be much more adventurous when it comes to rooting/running unknown applications, which in and of itself is a huge security risk.”
Whether using Apple or Android, experts said much of the security of any device revolves around user behavior. Unfortunately, studies show few users make use of available protections for the devices. For instance, a recent study showed that nearly 60 percent of Apple devices in the enterprise lack software to enforce strong passwords and just 17 percent use an employer-supplied password manager.
Original article by eSecurity Planet can be found here. 8/31/2015