Mobile Security Pros and Cons
Both Apple's iOS and Android have security strengths and weaknesses, experts say.
Just like the Betamax and VHS video wars of a few decades ago, there are
staunch proponents and loyal users of Android and iOS (Apple)-based products. But
unlike videocassettes and recorders, Android and Apple products carry
professional, financial and other valuable information that hackers covet and
work hard to obtain, using a combination of malware and social engineering.
We talked to security experts about the strengths and weaknesses of each system.
Apple/iOS: Close, But Not Complete, Control
The pros of Apple's iOS include the fact that it is proprietary, closed-source and
more secure "by default, with a single user per device," said Jason Van Zanten,
information security lead at JAMF Software.
"While Apple's approach is often seen as stronger in terms of security by providing a
managed and controlled transaction environment, no system can truly be 100%
fixed and closed off," said Sam Rehman, chief technology officer for Arxan
Technologies. "At times this could provide a false sense of security which
emphasizes risks of certain weaknesses."
"The phone user is entirely in the hands of Apple and if there is a major breach
it could be catastrophic."
Android: a Popular Target
"Android offers much more freedom and control, and it is easily possible to get
hardware-like security protection using software fixes with native languages
such as C++," Mc Lennan said.
"Generally a much better place to be than with the Apple platform," he said,
but this is not true if Java is employed for sensitive code. "Java is completely
useless for code that needs security, as it takes mere minutes to influence or
subvert this code."
James Quin, CDM Media senior director of content and C-suite communities, said
studies show that as much as 97% of all mobile malware targets Android while
iOS "suffers from functionally none."
Android's ubiquity accounts for much of its popularity with hackers, he said.
Host Card Emulation
Android's security vulnerabilities and the sheer variety of devices and
permutations of the platform and associated software create the need for Host
Card Emulation (HCE), a software-based, self-sufficient and protected solution
for mobile payments, Rehman said. While HCE provides flexibility, he said, it
also brings a new requirement for strong, software-based protection to secure
the storage of sensitive card data on the phone/device and to protect static and
dynamic keys stored in the device.
This requirement is critically important to address since the 2015 Verizon Data
Breach Investigations Report (DBIR) found that nearly 25% of breaches are
attributable to memory scraping, a hacking technique that enables access to
unprotected cryptographic keys and data.
Hacks With Device Administrator
A popular hacker strategy is to develop Android malware utilizing device
administrator to gain very high levels of permission on phones, said Cameron
Palan, senior threat research analyst at Webroot. "After its request to be a
device administrator, it then has the power to prevent you from revoking that
permission, prevent you from uninstalling the app, change system settings, wipe
your phone and cause other damage."
"Android tends to be much more adventurous when it comes to rooting/running
unknown applications, which in and of itself is a huge security risk."
Whether using Apple or Android, experts said much of the security of any device
revolves around user behavior. Unfortunately, studies show few users make use of
available protections for the device. For instance, a recent study showed that
nearly 60% of Apple devices in the enterprise lack software to enforce strong
passwords and just 17% use an employer-supplied password manager.