updated 06:25 pm EDT, Tue June 28, 2011
Symantec says Android slipping vs iOS on security
Symantec in a study Tuesday (below) gave Android and iOS an advantage over computers in security but gave Apple the edge. Both the Apple and Google mobile platforms are more secure than many computers, especially Windows, since they prevent "drive-by" app installs and their apps often can't get as many privileges. The presence of app signatures on both adds a layer of security that desktop platforms don't always have.
The two platforms are nonetheless wildly different in practical security, the antivirus developer says. Apple's model is noticeably superior since it runs a "rigorous" screening of security threats in apps. While complaints have been made regarding the flexibilities and freedoms for iOS apps, the requirement that every app must be digitally signed also prevents instances of apps that are either stolen and modified or else are inadvertently infected. Apps are inherently sandboxed, and much of the information either is or can be hardware-encrypted using a tough 256-bit algorithm, the study finds.
Of the four incidents of intrusive iOS code Symantec uses as examples, only two are actual malware, and those only ever affect jailbroken devices, where Apple's security layers are stripped off. The security software developer acknowledged that it might be very difficult, though not impossible, to compromise iOS through the app model.
"In this regard, Apple has been effective," Symantec says. "Thus far, we haven't seen actual malware targeting non-jailbroken iOS devices."
Android is facing a considerably bleaker situation, Symantec warns. Google makes sure apps are sandboxed and can keep browser attacks largely limited to the web app itself. The company's deliberately looser app certification process, permissions for non-Market apps, and vague permission systems, however, are all contributing to a rapidly growing malware problem.
Google is increasingly allowing malware in signed apps, and unsigned apps don't face any blocks, according to Symantec. The permission system is proving to be fruitless since many users either ignore the warnings of what access an app needs or don't understand what they mean to start with.
Device fragmentation also remains a problem. Because custom implementations can prevent updates for months or sometimes prevent them altogether, only a fraction of devices are running Android 2.3 and are fully patched up against the exploits Google so far defends against. Only Android 3 has hardware data encryption, too, leaving all 2.x devices open to data being intercepted with the right exploit.
All examples of Android malware given by Symantec are real, in-the-field attacks that have done damage to stock, non-rooted devices and in some cases have been on Android Market until they were pulled, even just recently.
Both platforms still have vulnerabilities. Neither does an effective job of guarding against phishing or other scams, and both are still open to attack from someone who has physical access. In some cases they give access to calendars, contacts, and other information without explicitly informing the user. They can also be conduits to PCs in a workplace, such as when an infected phone is synced without being monitored or pushes rogue code through the cloud. Corporate customers get a "mixed bag" where security is at once tighter and yet sometimes more of a risk.
The report still ends up defeating calls from Kaspersky's CTO to open up iOS. Kaspersky and Symantec alike would stand to profit from selling security software on iOS but, to date, can't prove that the platform needs the code. Google's choices lead to more variety and capability in apps but have created the vulnerabilities that would require antivirus apps.