Thursday, June 30, 2011

Symantec report on mobile security concludes iOS and Android both vulnerable to attacks

In Symantec's bleak, dystopian world, it doesn't matter whether you choose Android or iOS -- you'll be making yourself vulnerable to attacks regardless of the camp you're in. The company just concluded a study pitting iOS's security against Android's -- an undertaking intended mainly for corporate IT staffs trying to figure out which devices they can safely issue to employees. (Curiously, despite the enterprise focus, you won't find a single comparison against BlackBerrys.) Although iOS won higher marks when it came to thwarting traditional malware and showed a more modest advantage in terms of data loss, data integrity, and service attacks, the two platforms proved equally adept at preventing web-based attacks -- and equally powerless to catch socially engineered ones. And when it came to implementing certain security measures, such as permissions-based controls, Android pulled ahead.

Ultimately, Symantec (which sells mobile security software of its own, by the by) concluded that both "are still vulnerable to many existing categories of attacks," not least because both platforms allow users to sync with third-party apps or web services that may or may not be secure themselves. Indeed, Symantec's thesis is that Apple's App Store approval process helps explain its lead in the malware-blocking department. Also, in shocking news, Symantec adds that people using jailbroken are especially attractive targets for attackers, and that these devices are as vulnerable as computers. Don't say no one warned you. Head past the break for a press release with a summary of the findings or, if you're curious, hit the source link for a PDF version of the full report.

Show full PR text

Symantec Analysis of Apple's iOS and Google's Android Platform Cites Improved Security over PCs, but Major Gaps Remain
The mass adoption of both consumer and managed mobile devices exposes enterprises to new security risks

MOUNTAIN VIEW, Calif. – June 28, 2011 – Symantec Corp. (Nasdaq: SYMC) today announced the publication of "A Window into Mobile Device Security: Examining the security approaches employed in Apple's iOS and Google's Android" (PDF). This whitepaper conducts an in-depth, technical evaluation of the two predominant mobile platforms, Apple's iOS and Google's Android, in an effort to help corporations understand the security risks of deploying these devices in the enterprise.

Chief among the findings is that while the most popular mobile platforms in use today were designed with security in mind, these provisions are not always sufficient to protect sensitive enterprise assets that regularly find their way onto devices. Complicating matters, today's mobile devices are increasingly being connected to and synchronized with an entire ecosystem of 3rd-party cloud and desktop-based services outside the enterprise's control, potentially exposing key enterprise assets to increased risk.

The paper offers a detailed analysis of the security models employed by Apple's iOS and Google's Android platforms, evaluating each platform's effectiveness against today's major threats, including:

Web-based and network-based attacks
Malware
Social engineering attacks
Resource and service availability abuse
Malicious and unintentional data loss
Attacks on the integrity of the device's data

This analysis has led to some important conclusions:

While offering improved security over traditional desktop-based operating systems, both iOS and Android are still vulnerable to many existing categories of attacks.
iOS's security model offers strong protection against traditional malware, primarily due to Apple's rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers.

Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today's increasing volume of Android-specific malware.

Users of both Android and iOS devices regularly synchronize their devices with 3rd-party cloud services (e.g., web-based calendars) and with their home desktop computers. This can potentially expose sensitive enterprise data stored on these devices to systems outside the governance of the enterprise..

So-called "jailbroken" devices, or devices whose security has been disabled, offer attractive targets for attackers since these devices are every bit as vulnerable as traditional PCs.