Open or Closed: The Data on Your Mobile Device is Still Accessible
Ten years ago, the biggest concern we had regarding our mobile phone was losing it (or worse, having it stolen). If our phone ended up in the wrong hands, the worst that could have happened was someone could use the phone to make international calls or call Miss Cleo for a tarot card reading, significantly increasing the cost of our phone bill. Social engineering was a rarity at the time, but today is a different story. Modern day hackers can obtain our banking information, credit card statements, medical records, calendars, and virtually all other details of our lives through our phones without ever having physical possession of them. The first decision we make in choosing a phone, iPhone or Android, has far reaching implications for how security is managed in our mobile devices. The worldwide leaders in mobile operating systems, Google and Apple, have developed similar products, but differ greatly when it comes to security. So, what do we choose, Android or iPhone?
Android vs iOS: Open vs Closed Source
So, which is safer, the Apple iPhone or an Android device, such as the Galaxy S7? The answer: both and neither. A study by FireEye published in February 2015 revealed a 188% increase in Android vulnerabilities compared to a 262% increase in iOS vulnerabilities from 2011 to 2014.1 Thus, both operating systems are vulnerable. Neither operating system is an impenetrable fortress, and the approach to securing the device varies for both. The steepest contrast between the two operating systems is simple: iOS is closed sourced, whereas Android is open sourced.
In short, closed source products like Apple do not allow users to access or edit any code; editing the code on an Apple iPhone would essentially require a user to hack their own phone. Because the code is not public knowledge, vulnerabilities may be more difficult for potential hackers to discover. The premise of this type of security is essentially security by obscurity, because no one other than Apple can be sure how the OS of a device is running. There may be weaknesses or bugs that exist, but they will be harder to find. The negative side of the argument for closed source code is that users are unaware if there is a vulnerability in the code, and thus cannot take their own steps to mitigate it.
On the other hand, open source operating systems like Android have published, visible code. This enables users to analyze it and protect their devices as they see fit. The open nature of the OS enables a community of users to help optimize the code and submit changes if they find vulnerabilities. This is, however, a double-edged sword as potential malicious actors have access to the code. While this community approach can certainly lead to quicker discovery and patching of vulnerabilities, it can also lead to increased exploitation. If security is vital to a company using Android devices, vigilance is of the utmost importance. Precautions like system hardening, encryption, and anti-virus are all at the discretion of the user, thus the security of the device is wholly dependent on the end user. At an organizational level, this may require the allocation of significant resources to monitor and maintain the devices, otherwise vulnerabilities may be difficult to discover and may even go unnoticed (a topic that will be covered in subsequent blog posts).
Another difference between the two operating systems is how users download applications. All Apple iOS applications need to be downloaded from iTunes. Apple verifies that applications do what they say they are going to do in the access agreements users agree to before downloading. It’s possible that an application is a Trojan or virus, but there is a layer of security checking done by Apple, making it unlikely. Conversely, Android devices allow users significantly more freedom when it comes to downloading applications. While many devices take advantage of “Google Play,” users are still able to download applications from unmanaged, third-party sources, which may or may not have stringent assessment standards. Because applications can be downloaded from several sources, it may be difficult for users to determine which apps can be trusted, and which contain malware. There is also no check to make sure the application is only accessing, or even doing, what it says that it will. Cloned applications are prevalent on third party stores; a user might be trying to download a “60 Minutes” app, but may accidentally stumble upon “6O Minutes” (spelled with the letter “O” rather than a zero) and download something malicious onto their phone.
One way that large organizations and government agencies counteract this issue is to create a custom “app store” for users. While this does help control what is/is not being downloaded onto employees’ phones, relying on a custom app store requires significant resources to maintain and could ultimately hurt the usability of the device.
Bringing it all together
In today’s day and age, everyone has to be connected all of the time. It has become almost heresy to not be reachable by your employer 24 hours a day, 7 days a week. Thanks to advances in mobile technology, not only are we always able to be connected, but we are always susceptible to attack. In fact, it’s possible that during the time you have taken to read this, you or someone you know has had their phone hacked or downloaded an application or file that has placed malware onto their device. We can’t stop the problem, but that doesn’t mean that we can’t take preventative measures to decrease the attack surface, minimize attack vectors, and lower the possibility of data being stolen. The debate as to the best manner in which we mitigate risk will continue, however it will be up to the consumer to educate themselves on the advantages and disadvantages of each mobile platform and make the decision: iPhone or Android? Be on the lookout for our next mobile security blog post which explores the challenges and choices of Enterprise Mobile Security.
- Open or Closed: The Data on Your Mobile Device is Still Accessible - November 3, 2016