Gallery
Posted on 16 Mar 2012 at 10:11
Davey Winder compares the security of Android and Apple devices
I wrote some of this article while flying between Vienna and Bratislava to visit ESET, maker of NOD32 Antivirus software, to get a heads-up on the latest antivirus software for securing Android smartphones.
You may think me mad for travelling all the way to Slovakia to listen to a vendor preach about smartphone security, a topic that’s attracted plenty of scorn over recent years. I’ll admit that I’ve expressed highly sceptical opinions regarding the motives of those security vendors that have released antivirus products for mobile phones while the real-world threat was less than credible.
Many of those press releases, blog entries and keynote speeches from security researchers would appear to be little more than carefully constructed exercises in FUD (fear, uncertainty, doubt), designed to drive up sales of software that protects your mobile from, well, nothing at all really. But that was then and this is now, and everything has changed.
The story I received from the guys on the frontline of malware discovery – guys who spend their entire working day analysing data samples and determining just how real a potential threat is – confirms reports coming from other security labs that Android malware is exploding. At the start of last year, owners of Android devices had only a 1% chance of running into malicious apps; this had leapt to 4% by the end of the year, thanks to a near-50% increase in the number of such apps.
The time has finally come when mobile phone security software is no longer the stuff of vendor fantasies
The ESET researchers are now seeing hundreds, sometimes thousands, of Android malware data samples come through their labs for analysis each week, compared to only tens a year ago, and there are now thousands of identified malicious apps in the wild (mainly on third-party app stores rather than the official Android one) and an estimated one million infected devices. Microsoft – with a grim irony given Windows’ security track record – has even started offering Android users the opportunity to swap to a Windows Phone-powered device for free if they’ll post their Android malware experiences online.
I don’t doubt that things will only become worse before they get better as far as Android malware is concerned; not least because around 90% of Android devices are vulnerable to an exploit that relatively easily enables root access, and makes it child’s play to install further malware packages and trojans without the user realising. If the malware you’re infected with doesn’t include such a rooting capability then I’m a Dutchman’s uncle, because I can’t recall the last time I heard of Android malware that didn’t work in this way. The point is that the time has finally come when mobile phone security software is no longer the stuff of vendor fantasies, but a real-world requirement.
The security software that ESET showed me takes a fairly holistic approach – reminiscent of desktop security suites – by offering both on-demand and on-access scanning of files, firewalling, spam filtering for SMS, remote wiping and an all-in-one security audit function, which scans and checks pretty well everything that could be in danger. But while Android gets such anti-malware treatment, what’s happening in the world of iOS, where things remain eerily quiet?
The usual online and print suspects have written little about iPad security, which is odd considering that Apple’s market-leading tablet is increasingly being used within businesses, and has a rapidly expanding portfolio of productivity apps. So just how secure is the iPad?
That’s the kind of question that, asked in the context of just having hammered home the potential risk of using an unprotected Android device, is almost guaranteed to provoke a fiery and less-than-rational response from irascible fans of both OSes, so let’s separate FUD from fact and get straight to the point. In terms of malware threats to iOS spotted in the wild so far (and hence to both iPad and iPhone), it’s currently about as safe as a smartphone or tablet OS gets. iOS apps are isolated from each other in terms of memory design – with the notable exception of Apple’s own apps, of course – and so they run in a sandboxed environment, which means that malware has literally nowhere to go and nothing to do.
Unless you’ve jailbroken your iPad, you have to go through the walled garden that is the App Store to get your applications, and the chance of any malicious app gaining entry there is so minimal it’s all but non-existent right now. Apps are signed by both Apple and their developer, preventing your PC from installing any app directly due to malware already installed upon it: an app that’s been modified in any way without being re-signed by both Apple and the developer simply can’t run.
One of the problems that Android has is that there are myriad different devices using myriad different OS versions, and the updating mechanism once a vulnerability is detected and patched is neither timely nor effective. Apple rarely manages to deliver patches within weeks of a vulnerability being uncovered in iOS, but at least it’s rolled out automatically, so that the majority of devices will be running the patched version within weeks of its availability, helping to reduce the spread of security incidents.
I’m deliberately sidestepping the serious question:“what about the bring-your-own-device (BYOD) problems faced by businesses when staff connect an iPad or iPhone to the corporate network?”. Those kinds of security and privacy issues aren’t what I’m concerned with in this column; all I’m exploring here is whether it’s safe for the typical iPad user to operate without any kind of security software installed, and the answer would appear to be a resounding “yes”.
Currently there’s no known malware in the wild that attacks the iPad, and nothing that could execute any payload thanks to the sandboxed runtime environments of apps. Sure, there’s the possibility you could transfer a malware file from your iPad to a PC when you connect the two, or else deliver malware to the PC by way of an email attachment, but it’s stretching the point to suggest that’s the iPad’s security problem.
There are even security-related apps available from the App Store, including an antivirus scanner for the iPad, but these appear to be pointless as far as I can tell. You could pay a few pounds and install something such as VirusBarrier from Intego, which lets you scan email attachments and files, including those in remote locations such as Dropbox accounts, but iOS won’t permit it to scan files automatically or even run scheduled scans, which means you’d have to scan everything on-demand, proactively. Given that the files pose no danger to your iPad, it would be better to allow the endpoint protection on the machine you’re connecting to scan for such stuff.
During my trip to Bratislava, I spoke at length to ESET’s chief technology officer, Pavel Luka, about the security aspects of iOS, and it was telling that he uses an iPhone rather than an Android-based smartphone himself, despite his company developing a pretty comprehensive security solution for the latter. Luka suggests that it’s inevitable that at some point someone will break iOS’s application sandbox, and when they do it will break in a big way.
Due to the open nature of Android, just about every security vendor is investing heavily in RD for security solutions for that platform, in order to head off threats as they surface – such investment is ongoing, and the research labs are well placed to analyse emerging malware threats and defend against them.
However, Apple’s walled-garden approach, content to merely propagate the security myth of the “impregnable Mac” to iOS devices, means that little or no research is being done into iOS vulnerability, there’s no investment by security vendors, and hence no products waiting for that break to happen and apply a quick fix. In other words, the iPad and your iPhone are secure right now, but if and when they do break, expect it to happen in a big and bloody way.
Article source: http://www.pcpro.co.uk/realworld/373615/how-secure-is-an-ipad