iOS Safer Than Android? Maybe Not

Common wisdom holds that iOS devices are inherently secure, like Macs, and that Android devices are inherently vulnerable, like Windows. Given that Macs are actually more vulnerable than people think, that mindset doesn’t work. A new study by Marble Security found that, at least in a corporate environment, Android and iOS devices pose nearly equal security dangers.

Android Fragmentation
One big problem for Android security is OS fragmentation. Most iOS users get operating system updates seamlessly and automatically. For Android users, security updates may not even be available, depending on the device and version, and users don’t always apply available updates. A report at opensignal.com identifies over 11,000 distinct combinations of Android device and OS version. It’s definitely a problem.

In addition, Apple maintains stronger control over app distribution than Google does. The report notes that even without jailbreaking, Android users can download apps from “Google Play, Amazon, 1Mobile, Appia, App Brain, AppsFire, AppsZoom, Android Pit, Baidu, Brophone, CNET, Handango, Handster, Insyde Market, Mobango, Mobile9, Nexva, Opera Mobile App Store, Soc.io, and Yandex.”

Jailbreak Jammers
A jailbroken device, whether iOS or Android, can download and install apps from any source, including dangerous sources. Jailbreaking really isn’t a good idea, but users find reasons to do it. The Marble Security report notes quite a few, including watching DRM-restricted movies without paying, switching to a cheap foreign carrier while on vacation, and changing system settings that are protected by the OS. When an employee uses a jailbroken device on the corporate network, the company’s intellectual property is in danger.

IT departments typically create procedures that prevent jailbroken devices from connecting to the network. Problem solved? Not really. Apps called “jailbreak jammers” disguise the fact that a device has been jailbroken. According to the report, “within three months of the release of new iOS or Android versions…there is no difference in the risk of jailbreak or rooting, and…tools to prevent detection are similar on both platforms.”

Platform-Agnostic Threats
The report lists 14 types of security threats, most of which are common to both iOS and Android. The danger of attack via malicious profiles is specific to iOS. Android devices are subject to fragmentation and can sideload apps; in addition, Android apps can harvest phone and SMS logs. The other ten threat types are common to both platforms.

Phishing, in all its varieties, is a totally platform-agnostic attack. Regardless of the operating system, social engineering may well convince a gullible employee to run a dangerous program, or visit a malicious website. With access to, say, the corporate directory, an attacker can craft ever more believable spear-phishing emails.

The report notes that both iOS and Android use SSL for secure communication. That includes the possibility of relying on OpenSSL, the source of the Heartbleed fiasco. “Apple has discouraged the use of OpenSSL,” notes the report, but “both operating systems permit apps to compile their own SSL libraries to communicate securely over the Internet.” As for Android, a code library called Cupid demonstrates a functional Heartbleed attack on devices running Android 4.1.0 and 4.1.1.

Bring Your Own Threat?
If you’re concerned about your company’s security, you’ll definitely want to read the full report. This report isn’t attempting to sell you protection against what they’re calling “Bring Your Own Threat.” Rather, it aims to dispel the attitude that iOS devices are safer than Android devices.

Of course, if you’re actually in the market for enterprise mobile security, you’ll want to include Marble’s Mobile Threat Prevention for the Enterprise in your investigations.

Source:  http://securitywatch.pcmag.com/hacking/324705-ios-safer-than-android-maybe-not