When comparing security features, the iPhone has a good lead over Android phones, says Australian data security expert Adam Pointon of Sentinel Data Security. Apple wins the security contest due to a tighter app approval process, patented device-wiping technology and “probably the most successful use of public-key cryptography in publicly controlled hardware devices”.
Meanwhile, Android users face a lag of up to six months for firmware updates on cellphones sold through carriers.
“A lot of security folks have moved away from Android for that reason alone,” Pointon says.
Smartphones are emerging as a critical element of security in the cloud. Smartphones (and tablets) running operating systems by Apple and Google are less vulnerable to viruses and hackers than desktop computers; see Safest way to access the cloud? Use your phone.
BoxFreeIT asked Pointon why Android was so far behind the iPhone in the security stakes.
BoxFreeIT: What is the most secure way to access cloud software? With an iPhone or an Android smartphone?
Pointon: Mobile devices running Apple’s iOS operating system are still regarded as the most secure for many reasons; from the operating system itself, to Apple’s patch management and security methods, and the vetting processes for apps sold on the Apple App Store.
BoxFreeIT: Why are Apple’s iPhone and iPad so secure?
Pointon: There are three reasons. The first has to do with applications made for the iPad and iPhone by third-party developers. The security of Apple’s App Store is better than Android, and far better than any other platform. Apple currently has the most robust software review process for new applications which includes automatically and possibly manually reviewing the code for malicious behaviour, such as accessing other parts of the phone (contacts, photos, etc).
The second reason is that Apple has the most secure key-signing process for protecting user information stored on an iPhone or iPad. It is probably the most successful, widely deployed use of public-key cryptography in publicly controlled hardware devices. This was outlined at Blackhat.com 2012 in Las Vegas, which was the first public presentation by the Apple security team.
Third, Apple has patented its device-wiping technology due to the efficient way it securely wipes information remotely from an iPhone or iPad. Instead of wiping the data itself, the Apple operating system encrypts all the data from day zero, and then on a wipe, it simply wipes the encryption key required to decrypt the data. The net result is the data is inaccessible without the keys and thus useless.
BoxFreeIT: There have been reports of apps on the Android app store stealing personal information. Why doesn’t this happen on Apple’s App Store?
Pointon: In the case of iOS, applications must first be vetted by Apple through their app-store validation process, which has so far done a reasonable job at blocking malicious software from entering the market. The applications also operate within a chain of trust, and should the software be found malicious it’s possible to remove or disable it relatively easily. This is better than using anti-virus software, which is essentially chasing something it can never catch.
In the case of Android apps, the vetting process is less stringent and third-party applications can be installed more easily by “rooting” the phone (cracking the security of the operating system). This is the same as jailbreaking in the iOS world, but Apple has done a great job at ensuring vulnerabilities that lead to jailbreaking are limited.
BoxFreeIT: Are there any other differences in security between Android smartphones and iPhones?
Pointon: Telcos which sell their own Android phones, such as Telstra, don’t keep up with security updates from Android. In some cases telcos haven’t updated the phone’s firmware for over six months, which is terrible. A lot of security folks have moved away from Android for that reason alone.
BoxFreeIT: Why don’t they update the security?
Pointon: Because Telstra create their own firmware for Android smartphones, and they need to go through a testing and review process with each new release of Android firmware. That takes a few months at best, which means Android users with phones running firmware from Telstra or other telcos are vulnerable to issues that other Android users aren’t.
BoxFreeIT: So what’s the upshot?
Pointon: You are safer using a pure Android phone than a telco-branded Android phone.
BoxFreeIT: Are there any other ways to hack an iPhone?
Pointon: iOS devices are still vulnerable to physical-access attacks from commercial (government-restricted) tools such as the iPhone forensic toolkit from Elcomsoft. I’ve used these tools in a project for a client and they do work. However, it’s an arms race – Apple improves security against these attacks with each update and I’m not sure if it works with the latest iOS version (6.1).
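The key-wipe design Pointon describes above (all data encrypted from day zero, with a wipe destroying only the key) as an added example, not code from the interview or from Apple: a hypothetical Python model in which per-file keys are wrapped by a device key held in a small, separately erasable store. It uses an HMAC-SHA256 counter-mode construction from the standard library as a stand-in for a real authenticated cipher such as AES-GCM; all class names, paths and sample data are constructed.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    # Domain-separate the encryption and MAC keys derived from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR).
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class Device:
    # Hypothetical model: flash holds ciphertext plus wrapped per-file keys;
    # the device key sits in a small store that can be erased on its own.
    def __init__(self):
        self.device_key = secrets.token_bytes(32)   # effaceable storage
        self.flash = {}                             # path -> (wrapped file key, ciphertext)

    def write(self, path, data):
        file_key = secrets.token_bytes(32)          # every file encrypted from day zero
        self.flash[path] = (encrypt(self.device_key, file_key), encrypt(file_key, data))

    def read(self, path):
        wrapped, ct = self.flash[path]
        return decrypt(decrypt(self.device_key, wrapped), ct)

    def readable(self, path):
        try:
            self.read(path); return True
        except ValueError:
            return False

    def remote_wipe(self):
        # Overwrite only the 32-byte device key; flash is untouched, but no
        # file key can be unwrapped any more, so every file is unrecoverable.
        self.device_key = bytes(32)
```

A real implementation would use a hardware-backed key and an AEAD cipher; the point the model shows is that the wipe touches 32 bytes while leaving the bulk storage exactly as it was.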