
Android vs. iOS: the security question

Some time ago, we at Symantec reviewed the security of two popular platforms, Android and iOS. Without further ado, here are the details of our research.


So, Google and Apple mobile platforms rely to varying degrees on the five basic principles of mobile security ...

For clarity, we have summarized these principles and how each platform behaves in a table:

1. Access control

iOS:
  • Each native application is a separate process that runs directly on the ARM processor;
  • Applications cannot use shared objects (for example, DLL files).
Android:
  • Each bytecode-based application runs on a separate virtual machine, in a separate Linux process;
  • Applications can have native shared objects based on the ARM architecture (for example, DLL files).


2. Verification of the origin of applications

iOS:
  • Each application must be signed with an official certificate issued by Apple;
  • Applications published for public use must be tested by Apple, manually or automatically;
  • Applications published for public use must be hosted in the Apple App Store;
  • Certified companies can distribute independently developed applications to the devices of their employees; these applications are subject to the organization's certificate.
Android:
  • Each application must be signed with a digital certificate;
  • However, self-signing with anonymous certificates is allowed;
  • Applications can be published without Google's consent or verification;
  • Applications can be distributed from any website (by default, from the Android Market).


3. Encryption

iOS:
  • iOS stores all data in an encrypted format on the SD card of the device;
  • The data is decrypted automatically when iOS and applications read it; no passwords are involved;
  • iOS additionally encrypts email with passcode protection, blocking access unless the device is unlocked;
  • Third-party applications can also use passcode-protected encryption through application programming interfaces (APIs).
Android:
  • Built-in encryption of sensitive data (applications, calendar, contacts, passwords, etc.) appeared in Android only from version 3.0;
  • Applications can use the Java encryption application programming interfaces (APIs) to hide data.

With a few exceptions, Apple’s approach to determining the origin of applications is very effective. Google’s less rigorous approach to determining the origin of applications leaves Android vulnerable to evolving malware and to legitimate programs compromised by Trojans. This lightweight certification is the reason we now see a constant increase in the number of malicious programs for Android devices.
Moving on:

4. Isolation of processes

iOS:
  • Applications cannot read, write or overwrite other applications, the OS or their data;
  • Applications are limited to user mode and cannot install drivers;
  • Isolation rules block access to the incoming email and SMS folders, sending SMS, initiating phone calls, and GPS.
Android:
  • Applications can rewrite other applications and examine their source code, but not sensitive data;
  • However, the data stored on the default SD memory card can be read by everyone;
  • Applications are limited to user mode and cannot install drivers;
  • Applications gain access to most system services only after an affirmative user response to a request.


5. Access control by roles

iOS:
  • The user must give permission for: access to GPS, enabling remote notifications, starting phone calls and sending SMS;
  • The allow/block policy for all other subsystems is built into iOS and into Apple's approval and verification procedure.
Android:
  • Applications can rewrite other applications and examine their source code, but not sensitive data;
  • However, the data stored on the default SD memory card can be read by everyone;
  • Applications are limited to user mode and cannot install drivers;
  • Applications gain access to most system services only after an affirmative user response to a request;
  • Android OS, not Dalvik VM, provides isolation.


The iOS sandbox model limits potential application harm, but at the same time complicates the development of iOS security applications. As for Android, with the exception of the ability to access an external SD card, the default isolation rules are even more stringent than those used in iOS.
Of course, only a few applications are limited to the default rules.

Unfortunately, despite the rather stringent security requirements set during the development of these platforms, their degree of security is not sufficient to protect the corporate information that so often ends up on them. With proper use and configuration, both platforms, Android and iOS, let users synchronize their devices with multiple (private and corporate) cloud services at the same time without the risk of leakage. Used or configured incorrectly, they give attackers the opportunity to steal data about the location of the device, the phone number, email address and contacts; to steal a valid IMEI code and install it on a deactivated or fake phone; to receive payment for installing unwanted applications; to force the phone to send SMS messages or dial premium-rate numbers; to change the Internet access settings to point to the attackers' proxy server; to spy; and much more.
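As an added illustration (not part of the Symantec research), the following Python sketch audits a decoded Android manifest and groups the permissions it requests under the kinds of abuse listed above. The mapping from abuse to permission is an assumption made for this example, and the manifest is a constructed sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: abuse named in the article -> permissions that enable it.
# Some of these are granted only to system apps on current Android versions.
ABUSE_MAP = {
    "device location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "phone number / IMEI": {"READ_PHONE_STATE"},
    "email address and contacts": {"READ_CONTACTS", "GET_ACCOUNTS"},
    "installing applications": {"INSTALL_PACKAGES"},
    "sending SMS": {"SEND_SMS"},
    "dialing paid numbers": {"CALL_PHONE"},
    "changing network/proxy settings": {"WRITE_APN_SETTINGS"},
}

# Constructed sample manifest (decoded text form), not taken from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.example.flashlight.permission.CUSTOM"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the short names of android.permission.* entries requested."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        if name.startswith("android.permission."):
            names.add(name.rsplit(".", 1)[1])
    return names


def audit(manifest_xml):
    """Map each abuse category to the requested permissions that enable it."""
    requested = requested_permissions(manifest_xml)
    return {abuse: sorted(perms & requested)
            for abuse, perms in ABUSE_MAP.items() if perms & requested}


if __name__ == "__main__":
    for abuse, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{abuse}: {', '.join(perms)}")
```

A flashlight application that requests SMS, contacts and phone-state access, as in the sample, is the kind of mismatch a reviewer or an MDM policy should flag before the user is asked to approve it.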

Source: https://habr.com/ru/post/131457/

