Both Apple iOS and Google's Android were designed to offer strong security out of the box, in Apple's case by improving on Apple's OS X operating system, and for Android, building on Linux. "They each employ far more elaborate security models than are designed into their core implementations," according to a new report from Symantec. "The ostensible goals of their creators: to make the platforms inherently secure rather than to force users to rely upon third-party security software."
But according to the report, which assesses each platform's relative strengths and weaknesses, the end result is still "a mixed bag." For example, Apple iOS offers full protection against malware attacks, fully vets application provenance, offers good encryption and access-control capabilities, but is only moderately good at isolating applications, enforcing permission-based access control, and preventing resource abuse.
Meanwhile, Google Android offers little protection against malware or data integrity attacks, and doesn't have much in the way of application provenance checks or encryption. But unlike iOS, Android runs applications in full isolation, which restricts their ability to inappropriately interact with sensitive systems, as well as other applications.
Both platforms, however, make security tradeoffs. "On the one hand, these platforms have been designed from the ground up to be more secure--they raise the bar by leveraging techniques such as application isolation, provenance, encryption, and permission-based access control," according to the report. "On the other hand, these devices were designed for consumers, and as such, they have traded off their security to ensure usability to varying degrees. These tradeoffs have contributed to the massive popularity of these platforms, but they also increase the risk of using these devices in the enterprise."
In other words, when it comes to smartphone security, it's unclear if one platform could reasonably be declared the winner. Asked that question directly, report author Carey Nachenberg, a VP and fellow at Symantec, said, "I want to stay away from saying one is better than the other."
But he did say that beyond addressing the strengths and weaknesses of each one, as called out in the report, there's another way they could both make a large security improvement. "The one thing that most devices could probably use is the ability to segment enterprise data from consumer data, so devices could be used in an enterprise, and have a certain set of data locked down and inaccessible to any part of the device that's consumer-owned," said Nachenberg.
So, as an example, a smartphone's locally stored enterprise address book or calendar appointments could be saved in the enterprise section, featuring full encryption, remote wiping, and fronted by a mandatory password. Meanwhile, personal information could be saved to a section that allowed the user to set whichever level of security protection they wanted.
"RIM, with the BlackBerry Balance, has a system like this that they're trying to roll out," said Nachenberg. "The idea is that they segment enterprise and consumer-owned content." Notably, BlackBerry Balance silos enterprise data, preventing it from interacting with any personal data stored on the device.
Baking enterprise security capabilities into smartphones offers one strategy for addressing what appears to be widespread resistance to adding third-party security tools to smartphones. Notably, only 15% of smartphone users had added mobile antivirus tools to their smartphones, according to a SANS study conducted last year. IT managers display a similar aversion to add-on smartphone security, according to a McAfee-sponsored study released by Carnegie Mellon University's CyLab in May. That research found an "apparent unwillingness of the majority of administrators to pay for mobile security products or services."
Virtual Event: Business Mobility Unleashed. Zero in on the top mobile technologies and techniques to ensure your organization thrives in the wireless world. Learn about strategies and products that offer remote user applications support, Wi-Fi management, security features, and device management. Our virtual event happens Thursday, July 14. Register now.