Symantec has just released a report detailing the security analysis of Apple’s iOS and Google’s Android mobile operating systems. The report is a very intriguing and detailed read, and worth while if you want an in-depth look into the security of both platforms. They claim both are more secure than PCs, but gaps remain.
Here are the highlights of their iOS analysis:

Overall, Symantec considers iOS’s security model to be well designed and thus far it has proven largely resistant
to attack. To summarize:
• iOS’s encryption system provides strong protection of emails and email attachments, and enables device wipe,
but thus far has provided less protection against a physical device compromise by a determined attacker.
• iOS’s provenance approach ensures that Apple vets every single publicly available app. While this vetting approach is not foolproof, and almost certainly can be circumvented by a determined attacker, it has thus far
proved a deterrent against malware attacks, data loss attacks, data integrity attacks, and denial of service
attacks.
• iOS’s isolation model totally prevents traditional types of computer viruses and worms, and limits the data that
spyware can access. It also limits most network-based attacks, such as buffer overflows, from taking control of
the device. However, it does not necessarily prevent all classes of data loss attacks, resource abuse attacks, or
data integrity attacks.
• iOS’s permission model ensures that apps can’t obtain the device’s location, send SMS messages, or initiate
phone calls without the owner’s permission.
• None of iOS’s protection technologies address social engineering attacks such as phishing or spam.
Here is a snippet of their summary analysis of Android OS:
Overall, while we believe the Android security model is a major improvement over the models used by traditional desktop and server-based operating systems, it has two major drawbacks. First, its provenance system enables attackers to anonymously create and distribute malware. Second, its permission system, while extremely powerful, ultimately relies upon the user to make important security decisions. Unfortunately, most users are not technically capable of making such decisions and this has already led to social engineering attacks.

To summarize:

• Android’s provenance approach ensures that only digitally
signed applications may be installed on Android devices. However, attackers can use anonymous digital certificates to sign their threats and distribute them across the Internet without any certification by Google. Attackers can also easily “trojanize” or inject malicious code into legitimate applications and then easily redistribute them across the Internet, signing them with
a new, anonymous certificate.


http://cdn.iphoneincanada.ca/wp-content/uploads/2011/06/ishot-521.jpg


http://cdn.iphoneincanada.ca/wp-content/uploads/2011/06/ishot-522.jpg




As seen from the graphical comparison, iOS is ‘safer’ than Android but not without its own history of vulnerabilities. The safety of iOS is that all apps require approval by Apple to enter the App Store, ensuring no malware or ill-advised apps get approved. Android OS on the other hand, is a whole different ball game.

Norton lol

I dont trust anything from those dudes, their software is so fuckin' flawed it's insane! Fuck symantec!

You mean open source software is more vulnerable? Its not like people can look at the code or anything. Oh, wait.

iOS = nazi germany

Android = america

of course Android is gona be more vulnerable. More freedom = more vulnerability

iOS = nazi germany

Android = america

of course Android is gona be more vulnerable. More freedom = more vulnerability

I think a better analogy would be something along the lines of

iOS = 2011 China
Android = UK

:lol

Anyway, good. I am glad someone (even a shitty company like symantec) is doing this. Hopefully it spurs some action by each company.

You mean open source software is more vulnerable? Its not like people can look at the code or anything. Oh, wait.

Actually, that should make it more secure... as Microsoft has proven for well over 20 years now, security through obscurity is the worst kind of security...

I should also note that Apple's iOS kernel is entirely based on Mac OS X kernel, which is also open source.

http://www.opensource.apple.com/

Actually, that should make it more secure... as Microsoft has proven for well over 20 years now, security through obscurity is the worst kind of security...

I should also note that Apple's iOS kernel is entirely based on Mac OS X kernel, which is also open source.

http://www.opensource.apple.com/

Microsoft never had a nazi appstore.

Microsoft never had a nazi appstore.

They sure do now...
http://www.microsoft.com/windowsphone/en-us/apps/default.aspx

But it's besides the point. We're talking about open source vs closed source security...

Actually, that should make it more secure... as Microsoft has proven for well over 20 years now, security through obscurity is the worst kind of security...

I should also note that Apple's iOS kernel is entirely based on Mac OS X kernel, which is also open source.

http://www.opensource.apple.com/

That's what I thought. Firefox is open source and isn't exactly unsecure.

They sure do now...
http://www.microsoft.com/windowsphone/en-us/apps/default.aspx

But it's besides the point. We're talking about open source vs closed source security...

The thread is about OS security. Appstore is part of the iOS. if you think Apple's closed nazi appstore has nothing to do with security, you are in a faraway place

The thread is about OS security. Appstore is part of the iOS. if you think Apple's closed nazi appstore has nothing to do with security, you are in a faraway place

Sure, but I was responding to Manny and his comment about open vs closed source...

That said, I agree that Apple's app store is a walled garden. You might want to call it Nazi, that's fine with me too.

That has a security value too, whether you like it or not.

sure. but you compared Microsoft's security with Apple security. IMO it's really "apples to oranges" as Apple's model starts and ends with their "walled garden"

in other words. Comparing MS vs. Apple is not really comparing open vs. closed.

sure. but you compared Microsoft's security with Apple security. IMO it's really "apples to oranges" as Apple's model starts and ends with their "walled garden"

in other words. Comparing MS vs. Apple is not really comparing open vs. closed.

A better comparison would be Linux vs. MS and we know how this turns out. But in Microsoft's defense 99% of commercial software was on MS vs. 1% in Linux.

there really is nothing to fairly compare to Microsoft as a whole. And today, the model has evolved once again.

sure. but you compared Microsoft's security with Apple security. IMO it's really "apples to oranges" as Apple's model starts and ends with their "walled garden"

Not really, no. I compared Microsoft as a model of security through obscurity with closed source vs Linux (Android), which Manny brought up as the open source vendor, hinting that open source would be more vulnerable because it was open, which is not really the case. I also pointed out to Manny that his equating of iOS as closed source is misguided. Apple does release the source of their kernel (which is primarily in charge of running the system, including all security layers) and other open source components they use.

The AppStore side of security in the form of code review is a different story.


in other words. Comparing MS vs. Apple is not really comparing open vs. closed.

Not as open as Linux, where everything is open, but certainly orders of magnitude more open than Microsoft, which is entirely closed, pretty much.

The 'walled garden' is not really a requirement. You can legally jailbreak your iOS device, and you can purchase apps for jailbroken devices from app stores that are not Apple's.


A better comparison would be Linux vs. MS and we know how this turns out. But in Microsoft's defense 99% of commercial software was on MS vs. 1% in Linux.

Well, that's indeed the comparison I made. And truth be told, while it's true that Windows might be a bigger target, the problem here is that the security issues are within the OS, in the form that they allow you to escalate security privileges. The closed source model prevents you both from reviewing that the fix that's supposed to be applied is proper, and prevents you from applying the fix yourself if you are in a critical situation.

Now, Linux isn't immune to issues. But more eyes on the code normally means better reviews, more squished bugs, and less exploits.


there really is nothing to fairly compare to Microsoft as a whole. And today, the model has evolved once again.

Sure there is. Their OS is no different than any other OS, and the exploits are not really different than any other OS exploits. Them having a bigger market share obviously makes them a bigger target. There's no dispute there.

Not really, no. I compared Microsoft as a model of security through obscurity with closed source vs Linux (Android), which Manny brought up as the open source vendor, hinting that open source would be more vulnerable because it was open, which is not really the case. I also pointed out to Manny that his equating of iOS as closed source is misguided. Apple does release the source of their kernel (which is primarily in charge of running the system, including all security layers) and other open source components they use.

The AppStore side of security in the form of code review is a different story.



Not as open as Linux, where everything is open, but certainly orders of magnitude more open than Microsoft, which is entirely closed, pretty much.


In my humble opinion Apple's OS cannot be called Open. It's either fully open or not. Partially open does not qualify. Many aspects of MS OS are open nowadays.



The 'walled garden' is not really a requirement. You can legally jailbreak your iOS device, and you can purchase apps for jailbroken devices from app stores that are not Apple's.

Are you saying a jailbroken iphone is as secure as a non-jailbroken?? I'm sure Symantec would disagree.



Well, that's indeed the comparison I made. And truth be told, while it's true that Windows might be a bigger target, the problem here is that the security issues are within the OS, in the form that they allow you to escalate security privileges. The closed source model prevents you both from reviewing that the fix that's supposed to be applied is proper, and prevents you from applying the fix yourself if you are in a critical situation.

Now, Linux isn't immune to issues. But more eyes on the code normally means better reviews, more squished bugs, and less exploits.

Sure there is. Their OS is no different than any other OS, and the exploits are not really different than any other OS exploits. Them having a bigger market share obviously makes them a bigger target. There's no dispute there.

I fully agree Microsoft security is very flawed and could have been a secure system from the beginning. But to say Linux is more "secure" just because there are no malware/viruses is really not fair. It's like saying New Zealand is more secure vs. terrorism than the USA. Just because there have been no attacks on NZ.

In my humble opinion Apple's OS cannot be called Open. It's either fully open or not. Partially open does not qualify. Many aspects of MS OS are open nowadays.

MacOS X core OS (kernel + tools) is 90% FreeBSD (which is a fully open source). There's another 5% which is the mach kernel, which is also open source. The remaining 5% is device drivers, 75% of which are open sourced.

There's a number of Linux flavors (including some of the more popular ones, like Ubuntu) that are not fully open either. From a security standpoint though, being able to review the source code of the foundation where everything else runs is simply beneficial in the long run. Well designed software is secure because it uses proven security methods, not just by obscuring implementation.

As far as Microsoft openness... well, the most critical part of OS security is prevention against illegal privilege escalation. That's definitely not open right now. Microsoft does submit their OS (source I presume) to different private entities in order to certify security ratings under different certification programs (they wouldn't be able to sell it to the government otherwise, for example). Not as good as open source, IMO, but better that nothing.


Are you saying a jailbroken iphone is as secure as a non-jailbroken?? I'm sure Symantec would disagree.

No, I'm saying that if you don't want to take advantage of the security options afforded by the 'walled garden', you have the option to go at it alone. As I pointed out earlier, the "Nazi app store model" also has a security value.


I fully agree Microsoft security is very flawed and could have been a secure system from the beginning. But to say Linux is more "secure" just because there are no malware/viruses is really not fair. It's like saying New Zealand is more secure vs. terrorism than the USA. Just because there have been no attacks on NZ.

Well, I didn't say there's no malware or viruses in Linux, did I? I actually said the opposite. Security isn't just open/closed source.
There's other meaningful areas where design with security in mind have a lot of value. For example, kernels previous to Win7 or MacOS 9 and previous version never had security as a main part of their design. Thus, security was always relatively poor. Kind of a taped add-on as an afterthought.

Unices in general were designed and developed with security as a central part of their design. MacOS X and iOS inherited that heritage from FreeBSD.
Microsoft instead went on re-tooling and redesigning a lot of their kernel with a security first approach starting with Vista (which really had a poor UI to interact with the user on security), and improved a lot with Win7. I think MS has done a good job refocusing on security.

Actually, that should make it more secure... as Microsoft has proven for well over 20 years now, security through obscurity is the worst kind of security...

I should also note that Apple's iOS kernel is entirely based on Mac OS X kernel, which is also open source.

http://www.opensource.apple.com/

I see what you mean. I guess I thought of it more as people have access to the code and can find the vulnerabilities to exploit rather than to fix. I guess we'll see how it pans out in the long run.

That's what I thought. Firefox is open source and isn't exactly unsecure.

What? Firefox used to be a better choice but my understanding is that its very insecure now. It was as bad if not worse than IE recently.

I see what you mean. I guess I thought of it more as people have access to the code and can find the vulnerabilities to exploit rather than to fix. I guess we'll see how it pans out in the long run.

Having open access to the source code means open and independent security audits. The discovered flaws can then be patched, and even if they are not at least as a consumer/user you can easily find information where you stand using that software.

The most secure operating system available is OpenBSD who has become so because it is open source - http://www.openbsd.net/

What? Firefox used to be a better choice but my understanding is that its very insecure now. It was as bad if not worse than IE recently.

I'll need to check that out then.

And was it me or did FF4 just come out last week?

What? Firefox used to be a better choice but my understanding is that its very insecure now. It was as bad if not worse than IE recently.

I would say that IE has lifted up it's security standard a lot lately, which combined with Win7 security features, makes the field more even that it used to be. IE6/XP were really, really bad. Especially the prevalence of ActiveX, which granted direct access to the system. Nowadays, with Flash/Silverlight running in a sandbox, things have gotten a lot better, for both browsers.

I'll need to check that out then.

And was it me or did FF4 just come out last week?

I believe FF5 came out last week, and FF4 is now obsolete. Mozilla has moved to a quick development cycle, so we'll see more releases more often now.