Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

11/5/2014
11:25 AM
Adam Ely
Adam Ely
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
100%
0%

iOS 8 Vs. Android: How Secure Is Your Data?

With iOS 8, the lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one.

Apple recently released iOS 8, several updates, and two iPhone 6 models. There has been plenty of noise around the releases, from the botched 8.0.1 update to the Touch ID fake fingerprint vulnerability to concerns that Apple Pay was pushing mobile PCI scope and unknowingly sharing consumer data.

The ever-changing security posture of iOS, however, has yet to be discussed. Apple released an updated iOS security whitepaper covering Touch ID, the “Secure Enclave,” and everything in between. The paper is a good read for those curious about how hardware plays into the security posture of a device and features of the iOS operating system.

There are a number of security features on iOS 8 that were included to increase the adoption of Touch ID and Apple Pay. The security features are different from previous iOS releases and updates because the operating system is becoming a less restrictive platform.

Often, enterprises criticize Android for being too open and allowing too much interaction among applications via broadcast receivers. With the new iOS 8, we’re seeing more similarities when comparing iOS to Android. As a result, enterprises should be more concerned with the trust-worthiness of devices versus the actual operating systems.

For example, one of the worst cases I’ve seen for key logging and data theft is when users download third-party keyboards that leak or steal data on Android. Many infosec people I’ve spoken to use this simple example to explain why iOS is more secure than Android. While previous iOS versions did not allow third-party keyboards, iOS 8 does.

But the real harbinger of the future, in my view, is the introduction of app extensions in iOS 8. App extensions allow applications to make certain functionalities available to other applications. Proving Apple’s intent to make its ecosystem more integrated, these iOS extensions are different from what we see in Android; the iOS extensions give unrelated applications the ability to interact. (Whether the application you just downloaded really needs access to your SMS messages is another question.)

Another potential trouble spot is the introduction of App Groups, which allows applications from the same developer to share data with one another. While this information sharing is nothing new, it has always been done through either the server side or unsupported, covert channels, usually unbeknownst to the user. What makes the intro of App Groups a concern is that this allows applications, by the same developer, to share the same sandbox. Now the security (or insecurity) of one app could affect the security of another app. Because organizations split application development up into teams and outsourced developers, the security of apps, even when from the same company, is not uniform. This opens up organizations and consumers to greater risk.

[Read about more infosec headaches: Is Enterprise IT Security Ready For iOS 8?]

The lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one. Android is beginning to add more enterprise security features to its operating systems, and iOS is beginning to open its kimono, making it easier for developers to create apps. In the future, these two operating systems will continue to look more alike, driving the need for CISOs to focus on securing applications on mobile devices and on data security, rather than focusing on the devices themselves.

Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SDiver
50%
50%
SDiver,
User Rank: Strategist
11/13/2014 | 9:31:01 AM
Secure Element vs. HCE
Unfortunately, I think this article misses the heart of the differences between iOS and Android.  Apple utilizes a Secure Elemenent (SE) which is a hardware device that stores cardholder data crytpgographically while Wallet uses a software emulation of the SE called the Host Card Emulator (HCE).  The core difference is that the SE is a crytpographic hardware "black box" while the HCE is a software emulation of the HCE.


Software is traditionally one of the weakest points of security of any enterprise system so Google has their work cut out for them.  There have been compromises of Wallet in the past.  This article fails to compare the security between both solutions.
Helpful
100%
0%
Helpful,
User Rank: Apprentice
11/6/2014 | 12:32:33 PM
Misunderstood security of App Groups
An App Group is an Xcode mechanism of specifying that an App and it's Extension can access a shared data container. As shown in the diagram, the Extension must be enclosed within the App. The Extension's data container and the App's data container remain distinct and separate. An app by the same Company / Developer cannot access any of their other app containers. Apple does not break the fundamental rule of sandboxing -- not even for a Developer's set of apps. See Figure 4-1 on Apple's documentation, it illustrates the very secure sand boxing of App Extensions and the true usage of App Groups: https://developer.apple.com/library/ios/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html
Helpful
50%
50%
Helpful,
User Rank: Apprentice
11/6/2014 | 12:25:25 PM
Mis-understood usage of Extensions
An App Extension is another word for "widget", a user-facing capability. The Extension is small set of information that the App Developer has decided to display within the Notification Center. Apple keeps the Developer within his app, there is no data spill into other apps nor from other apps.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/5/2014 | 4:07:53 PM
iOS 8 Vs Android
This is indeed an interested development , Adam. Thanks for sharing your insights. On the Android side of the equation, I'm curious to know what enterprise security features Android has added to its operating systems that's making it a tougher competitor to iOS 8.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27743
PUBLISHED: 2020-10-26
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.
CVE-2020-1915
PUBLISHED: 2020-10-26
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application usi...
CVE-2020-26878
PUBLISHED: 2020-10-26
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
CVE-2020-26879
PUBLISHED: 2020-10-26
Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.
CVE-2020-15272
PUBLISHED: 2020-10-26
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version ...