
11/5/2014
11:25 AM
Adam Ely
Commentary

iOS 8 Vs. Android: How Secure Is Your Data?

With iOS 8, the lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one.

Apple recently released iOS 8, several updates, and two iPhone 6 models. There has been plenty of noise around the releases, from the botched 8.0.1 update to the Touch ID fake fingerprint vulnerability to concerns that Apple Pay was pushing mobile PCI scope and unknowingly sharing consumer data.

The ever-changing security posture of iOS, however, has yet to be discussed. Apple released an updated iOS security whitepaper covering Touch ID, the “Secure Enclave,” and everything in between. The paper is a good read for those curious about how hardware plays into the security posture of a device and features of the iOS operating system.

There are a number of security features on iOS 8 that were included to increase the adoption of Touch ID and Apple Pay. The security features are different from previous iOS releases and updates because the operating system is becoming a less restrictive platform.

Often, enterprises criticize Android for being too open and allowing too much interaction among applications via broadcast receivers. With the new iOS 8, we’re seeing more similarities when comparing iOS to Android. As a result, enterprises should be more concerned with the trustworthiness of devices than with the operating systems themselves.

(Source: Methodshop)

For example, one of the worst cases I’ve seen for key logging and data theft is when users download third-party keyboards that leak or steal data on Android. Many infosec people I’ve spoken to use this simple example to explain why iOS is more secure than Android. While previous iOS versions did not allow third-party keyboards, iOS 8 does.

But the real harbinger of the future, in my view, is the introduction of app extensions in iOS 8. App extensions allow applications to make certain functionalities available to other applications. Proving Apple’s intent to make its ecosystem more integrated, these iOS extensions are different from what we see in Android; the iOS extensions give unrelated applications the ability to interact. (Whether the application you just downloaded really needs access to your SMS messages is another question.)

Another potential trouble spot is the introduction of App Groups, which allows applications from the same developer to share data with one another. While this information sharing is nothing new, it has always been done through either the server side or unsupported, covert channels, usually unbeknownst to the user. What makes the intro of App Groups a concern is that this allows applications, by the same developer, to share the same sandbox. Now the security (or insecurity) of one app could affect the security of another app. Because organizations split application development up into teams and outsourced developers, the security of apps, even when from the same company, is not uniform. This opens up organizations and consumers to greater risk.
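
To make the shared-container risk concrete, here is an added example (not from the article or from Apple) that inventories which apps declare the same App Group, using the `com.apple.security.application-groups` and `application-identifier` entitlement keys. The team IDs, bundle IDs, and entitlement data are constructed samples, and the check covers only the shared group container, not each app's private container.

```python
import plistlib
from collections import defaultdict

GROUPS_KEY = "com.apple.security.application-groups"
APP_ID_KEY = "application-identifier"

def _entitlements(app_id, groups):
    """Build a constructed entitlements plist (XML bytes) for the sample data."""
    return plistlib.dumps({APP_ID_KEY: app_id, GROUPS_KEY: groups})

# Constructed sample: three apps from one hypothetical team, one from another.
SAMPLE = [
    _entitlements("TEAM123456.com.example.bank", ["group.com.example.shared"]),
    _entitlements("TEAM123456.com.example.coupons", ["group.com.example.shared"]),
    _entitlements("TEAM123456.com.example.notes", []),
    _entitlements("TEAM999999.org.sample.game", ["group.org.sample.game"]),
]

def group_membership(blobs):
    """Map each App Group identifier to the sorted app IDs that declare it."""
    members = defaultdict(set)
    for blob in blobs:
        ent = plistlib.loads(blob)
        app_id = ent.get(APP_ID_KEY, "<unknown>")
        for group in ent.get(GROUPS_KEY, []):
            members[group].add(app_id)
    return {g: sorted(a) for g, a in members.items()}

def shared_containers(blobs):
    """Keep only groups declared by more than one app (a shared trust boundary)."""
    return {g: a for g, a in group_membership(blobs).items() if len(a) > 1}

def peers_of(app_id, blobs):
    """Apps whose weaknesses can affect data app_id keeps in a shared container."""
    peers = set()
    for apps in shared_containers(blobs).values():
        if app_id in apps:
            peers.update(a for a in apps if a != app_id)
    return sorted(peers)

if __name__ == "__main__":
    for group, apps in shared_containers(SAMPLE).items():
        print(group, "->", ", ".join(apps))
```

Any app listed as a peer should be reviewed to the same standard as the most sensitive app in that group, since data placed in the group container is only as protected as the weakest member.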

The lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one. Android is beginning to add more enterprise security features to its operating systems, and iOS is beginning to open its kimono, making it easier for developers to create apps. In the future, these two operating systems will continue to look more alike, driving the need for CISOs to focus on securing applications on mobile devices and on data security, rather than focusing on the devices themselves.

Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ...
Comments
SDiver,
User Rank: Strategist
11/13/2014 | 9:31:01 AM
Secure Element vs. HCE
Unfortunately, I think this article misses the heart of the differences between iOS and Android. Apple utilizes a Secure Element (SE) which is a hardware device that stores cardholder data cryptographically while Wallet uses a software emulation of the SE called the Host Card Emulator (HCE). The core difference is that the SE is a cryptographic hardware "black box" while the HCE is a software emulation of the HCE.


Software is traditionally one of the weakest points of security of any enterprise system so Google has their work cut out for them.  There have been compromises of Wallet in the past.  This article fails to compare the security between both solutions.
Helpful,
User Rank: Apprentice
11/6/2014 | 12:32:33 PM
Misunderstood security of App Groups
An App Group is an Xcode mechanism of specifying that an App and its Extension can access a shared data container. As shown in the diagram, the Extension must be enclosed within the App. The Extension's data container and the App's data container remain distinct and separate. An app by the same Company / Developer cannot access any of their other app containers. Apple does not break the fundamental rule of sandboxing -- not even for a Developer's set of apps. See Figure 4-1 in Apple's documentation; it illustrates the very secure sandboxing of App Extensions and the true usage of App Groups: https://developer.apple.com/library/ios/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html
Helpful,
User Rank: Apprentice
11/6/2014 | 12:25:25 PM
Mis-understood usage of Extensions
An App Extension is another word for "widget", a user-facing capability. The Extension is a small set of information that the App Developer has decided to display within the Notification Center. Apple keeps the Developer within his app; there is no data spill into other apps nor from other apps.
Marilyn Cohodas,
User Rank: Strategist
11/5/2014 | 4:07:53 PM
iOS 8 Vs Android
This is indeed an interesting development, Adam. Thanks for sharing your insights. On the Android side of the equation, I'm curious to know what enterprise security features Android has added to its operating systems that are making it a tougher competitor to iOS 8.