09:59 AM

Smartphone Security Smackdown: iPhone Vs. Android

How do Apple iOS and Google Android stack up on security? Both could take one lesson from RIM, says Symantec security expert.

In the smartphone platform wars, which side can claim the better security?

Both Apple iOS and Google's Android were designed to offer strong security out of the box: iOS by improving on Apple's OS X operating system, and Android by building on Linux. "They each employ far more elaborate security models than are designed into their core implementations," according to a new report from Symantec. "The ostensible goals of their creators: to make the platforms inherently secure rather than to force users to rely upon third-party security software."

But according to the report, which assesses each platform's relative strengths and weaknesses, the end result is still "a mixed bag." For example, Apple iOS offers full protection against malware attacks, fully vets application provenance, and offers good encryption and access-control capabilities, but it is only moderately good at isolating applications, enforcing permission-based access control, and preventing resource abuse.

Meanwhile, Google Android offers little protection against malware or data integrity attacks, and doesn't have much in the way of application provenance checks or encryption. But unlike iOS, Android runs applications in full isolation, which restricts their ability to inappropriately interact with sensitive systems, as well as other applications.

Both platforms, however, make security tradeoffs. "On the one hand, these platforms have been designed from the ground up to be more secure--they raise the bar by leveraging techniques such as application isolation, provenance, encryption, and permission-based access control," according to the report. "On the other hand, these devices were designed for consumers, and as such, they have traded off their security to ensure usability to varying degrees. These tradeoffs have contributed to the massive popularity of these platforms, but they also increase the risk of using these devices in the enterprise."

In other words, when it comes to smartphone security, it's unclear if one platform could reasonably be declared the winner. Asked that question directly, report author Carey Nachenberg, a VP and fellow at Symantec, said, "I want to stay away from saying one is better than the other."

But he did say that beyond addressing the strengths and weaknesses of each one, as called out in the report, there's another way they could both make a large security improvement. "The one thing that most devices could probably use is the ability to segment enterprise data from consumer data, so devices could be used in an enterprise, and have a certain set of data locked down and inaccessible to any part of the device that's consumer-owned," said Nachenberg.

So, as an example, a smartphone's locally stored enterprise address book or calendar appointments could be saved in the enterprise section, featuring full encryption, remote wiping, and fronted by a mandatory password. Meanwhile, personal information could be saved to a section that allowed the user to set whichever level of security protection they wanted.

"RIM, with the BlackBerry Balance, has a system like this that they're trying to roll out," said Nachenberg. "The idea is that they segment enterprise and consumer-owned content." Notably, BlackBerry Balance silos enterprise data, preventing it from interacting with any personal data stored on the device.

Baking enterprise security capabilities into smartphones offers one strategy for addressing what appears to be widespread resistance to adding third-party security tools to smartphones. Notably, only 15% of smartphone users had added mobile antivirus tools to their smartphones, according to a SANS study conducted last year. IT managers display a similar aversion to add-on smartphone security, according to a McAfee-sponsored study released by Carnegie Mellon University's CyLab in May. That research found an "apparent unwillingness of the majority of administrators to pay for mobile security products or services."
