iPhone and Android Security


Dec 10, 2013


James Shore

COP 5611

iPhone and Android Security


Many security features are common to both systems


Screen locking, access passcodes


Network security and encryption (WEP, WPA, etc.)


There are also fundamental decisions affecting the security of the systems


Open vs. Closed Source


Freely distributable applications


Neither system is without its weaknesses


Both systems suffered from SMS based vulnerabilities


Both systems suffered from web browser based vulnerabilities


Fundamental Differences


Open Source (Android) vs. Closed Source (iPhone)


The open source nature of Android makes it easier for would-be attackers to find faulty code


It also makes it easier for the community to contribute fixes


Closed source means fewer eyes on the code, for better or worse


Available Applications


Android can install applications found outside the app store


Pro: Increased freedom for the user


Con: Increased freedom for the user


Acceptance into the Android app store is less rigorous


Pro: Easier for developers to make applications available


Con: May allow lower quality applications



Acceptance into the iPhone app store is a long and scrutinizing process


Pro: Ideally only high-quality, safe applications would be allowed


Con: Many legitimate apps may be rejected; increased difficulty for developers to make their apps available; limits the choice of what users can run on their own devices



Application Signing


The iPhone uses signing as a way of controlling which applications can run on the device


Android uses signing mainly for developer identification and relationships between applications



Android signing requires no certifying authority; many applications are “self-signed”


Pro: Gives developers freedom and control over their own applications


Con: No outside authority to verify the validity of an application


iPhone developers must request certification; iPhone signing is used to verify
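
The two signing models above, as an added Python sketch that is not part of the original slides. Class and package names are hypothetical, certificate bytes are constructed, and the cryptographic signature check on each package is assumed to have already passed; only the trust decision is modelled.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    cert: bytes   # signing certificate bytes (constructed placeholders below)
    issuer: str   # equals the developer's own name when self-signed

def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

class SelfSignedModel:
    """Android-style: no authority; the cert only identifies the developer."""
    def __init__(self):
        self.installed = {}  # package name -> signer fingerprint

    def install(self, pkg: Package) -> bool:
        fp = fingerprint(pkg.cert)
        known = self.installed.get(pkg.name)
        if known is not None and known != fp:
            return False  # update signed by a different key is refused
        self.installed[pkg.name] = fp  # first install: any signer is accepted
        return True

    def same_developer(self, a: str, b: str) -> bool:
        """Relationship between apps: both were installed with one signer."""
        fa, fb = self.installed.get(a), self.installed.get(b)
        return fa is not None and fa == fb

class AuthorityModel:
    """iPhone-style: signing decides whether the app may run at all."""
    def __init__(self, trusted_issuers):
        self.trusted = set(trusted_issuers)

    def install(self, pkg: Package) -> bool:
        return pkg.issuer in self.trusted

def demo() -> dict:
    a, b = b"constructed-cert-A", b"constructed-cert-B"
    android, iphone = SelfSignedModel(), AuthorityModel({"platform-ca"})
    return {
        "first_install": android.install(Package("mail", a, "dev-A")),
        "update_other_key": android.install(Package("mail", b, "dev-B")),
        "plugin_same_key": android.install(Package("mail.plugin", a, "dev-A")),
        "related": android.same_developer("mail", "mail.plugin"),
        "self_signed_on_authority": iphone.install(Package("mail", a, "dev-A")),
        "issued_on_authority": iphone.install(Package("mail", a, "platform-ca")),
    }

if __name__ == "__main__":
    print(demo())
```

The self-signed model accepts an unknown developer on first install but pins that signer for later updates; the authority model rejects the same package outright unless its certificate was issued by a trusted party.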

Vulnerabilities


Flaws in the Core multimedia application framework of Android allowed remote control of the browser, allowing access to saved credentials and history, February 2009



“Fuzzing the Phone in your Phone,” July 2009


Paper described methods to crash the window management application on the iPhone as well as kick both iPhone and Android devices from their networks


Android phones were kicked permanently from the network if the SIM card had a PIN set


iPhone could be taken over by malicious SMS messages


iPhone could be taken over by visiting a malicious website which crashed the browser, August 2007

Conclusion


Both systems have their strengths and weaknesses


The iPhone has a much larger user base


more likely to be exploited

