
11/5/2014
11:25 AM
Adam Ely
Commentary

iOS 8 Vs. Android: How Secure Is Your Data?

With iOS 8, the lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one.

Apple recently released iOS 8, several updates, and two iPhone 6 models. There has been plenty of noise around the releases, from the botched 8.0.1 update to the Touch ID fake fingerprint vulnerability to concerns that Apple Pay was pushing mobile PCI scope and unknowingly sharing consumer data.

The ever-changing security posture of iOS, however, has yet to be discussed. Apple released an updated iOS security whitepaper covering Touch ID, the “Secure Enclave,” and everything in between. The paper is a good read for those curious about how hardware plays into the security posture of a device and features of the iOS operating system.

There are a number of security features on iOS 8 that were included to increase the adoption of Touch ID and Apple Pay. The security features are different from previous iOS releases and updates because the operating system is becoming a less restrictive platform.

Often, enterprises criticize Android for being too open and allowing too much interaction among applications via broadcast receivers. With the new iOS 8, we’re seeing more similarities when comparing iOS to Android. As a result, enterprises should be more concerned with the trustworthiness of devices than with the actual operating systems.

(Source: Methodshop)

For example, one of the worst cases I’ve seen for key logging and data theft is when users download third-party keyboards that leak or steal data on Android. Many infosec people I’ve spoken to use this simple example to explain why iOS is more secure than Android. While previous iOS versions did not allow third-party keyboards, iOS 8 does.

But the real harbinger of the future, in my view, is the introduction of app extensions in iOS 8. App extensions allow applications to make certain functionalities available to other applications. Proving Apple’s intent to make its ecosystem more integrated, these iOS extensions are different from what we see in Android; the iOS extensions give unrelated applications the ability to interact. (Whether the application you just downloaded really needs access to your SMS messages is another question.)

Another potential trouble spot is the introduction of App Groups, which allow applications from the same developer to share data with one another. While this information sharing is nothing new, it has always been done either through the server side or through unsupported, covert channels, usually unbeknownst to the user. What makes the introduction of App Groups a concern is that it allows applications by the same developer to share the same sandbox. Now the security (or insecurity) of one app could affect the security of another app. Because organizations split application development up among teams and outsourced developers, the security of apps, even when they come from the same company, is not uniform. This opens up organizations and consumers to greater risk.
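An added example (not from this article or from Apple): one way a security team could inventory which apps declare the same App Group, so that a review of one app also covers every app reading the same shared container. It assumes each app's entitlements have already been extracted to a plist; the team ID, bundle identifiers, and group names below are constructed.

```python
import plistlib
from collections import defaultdict

APP_GROUPS_KEY = "com.apple.security.application-groups"  # App Groups entitlement
APP_ID_KEY = "application-identifier"

def _plist(app_id, groups):
    """Build a constructed entitlements plist (sample data, not a real app)."""
    return plistlib.dumps({APP_ID_KEY: app_id, APP_GROUPS_KEY: groups})

# Constructed sample: three apps and one extension from a hypothetical developer.
SAMPLES = [
    _plist("TEAMID1234.com.example.bank", ["group.com.example.shared"]),
    _plist("TEAMID1234.com.example.bank.widget", ["group.com.example.shared"]),
    _plist("TEAMID1234.com.example.coupons",
           ["group.com.example.shared", "group.com.example.promo"]),
    _plist("TEAMID1234.com.example.notes", []),
]

def parse_entitlements(blob):
    """Return (app identifier, set of declared App Group names)."""
    ent = plistlib.loads(blob)
    groups = ent.get(APP_GROUPS_KEY, [])
    if isinstance(groups, str):  # tolerate a single string instead of an array
        groups = [groups]
    return ent.get(APP_ID_KEY, "<unknown>"), set(groups)

def shared_containers(blobs):
    """Map each App Group declared by more than one bundle to its members."""
    members = defaultdict(set)
    for blob in blobs:
        app_id, groups = parse_entitlements(blob)
        for group in groups:
            members[group].add(app_id)
    return {g: sorted(apps) for g, apps in members.items() if len(apps) > 1}

def exposure(blobs, app_id):
    """Other bundles that can read or write a container this app also uses."""
    peers = set()
    for apps in shared_containers(blobs).values():
        if app_id in apps:
            peers.update(apps)
    peers.discard(app_id)
    return peers

if __name__ == "__main__":
    for group, apps in shared_containers(SAMPLES).items():
        print(group, "->", ", ".join(apps))
```

Anything an app writes to a group listed in the output should be treated as only as well protected as the weakest bundle in that group.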


The lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one. Android is beginning to add more enterprise security features to its operating systems, and iOS is beginning to open its kimono, making it easier for developers to create apps. In the future, these two operating systems will continue to look more alike, driving the need for CISOs to focus on securing applications on mobile devices and on data security, rather than focusing on the devices themselves.

Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ...
Comments
SDiver,
User Rank: Strategist
11/13/2014 | 9:31:01 AM
Secure Element vs. HCE
Unfortunately, I think this article misses the heart of the differences between iOS and Android. Apple utilizes a Secure Element (SE) which is a hardware device that stores cardholder data cryptographically while Wallet uses a software emulation of the SE called the Host Card Emulator (HCE). The core difference is that the SE is a cryptographic hardware "black box" while the HCE is a software emulation of the HCE.


Software is traditionally one of the weakest points of security of any enterprise system so Google has their work cut out for them.  There have been compromises of Wallet in the past.  This article fails to compare the security between both solutions.
Helpful,
User Rank: Apprentice
11/6/2014 | 12:32:33 PM
Misunderstood security of App Groups
An App Group is an Xcode mechanism of specifying that an App and its Extension can access a shared data container. As shown in the diagram, the Extension must be enclosed within the App. The Extension's data container and the App's data container remain distinct and separate. An app by the same Company / Developer cannot access any of their other app containers. Apple does not break the fundamental rule of sandboxing -- not even for a Developer's set of apps. See Figure 4-1 on Apple's documentation, it illustrates the very secure sandboxing of App Extensions and the true usage of App Groups: https://developer.apple.com/library/ios/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html
Helpful,
User Rank: Apprentice
11/6/2014 | 12:25:25 PM
Mis-understood usage of Extensions
An App Extension is another word for "widget", a user-facing capability. The Extension is a small set of information that the App Developer has decided to display within the Notification Center. Apple keeps the Developer within his app, there is no data spill into other apps nor from other apps.
Marilyn Cohodas,
User Rank: Strategist
11/5/2014 | 4:07:53 PM
iOS 8 Vs Android
This is indeed an interesting development, Adam. Thanks for sharing your insights. On the Android side of the equation, I'm curious to know what enterprise security features Android has added to its operating systems that are making it a tougher competitor to iOS 8.