Security – Android vs iOS
There’s been a fair amount of hype recently around the security of both operating systems, specifically in relation to the Android Market and Apple’s App Store.
I’m going to take a quick look into both, look at the hype, look at the history, and hopefully clarify some things along the way.
The main comment that I hear from people is that Apple’s iOS is more secure than Android. However, I’m consistently left wondering how they reach those conclusions; nobody has yet given me any form of logical reasoning for it.
Both Android and iOS require you to sign in with some form of an account in order to download / install apps from the applicable store / marketplace. For iOS, you use your iTunes account. For Android, you use your Google account.
Now Apple reviews all their apps prior to allowing them onto their App Store. That has both its benefits and its disadvantages, as we’ll see later.
First, I’ll start with this:
“All the world’s websites in your hands”
Yes, that’s what the TV ad for the iPad says:
http://www.apple.com/ipad/gallery/#ad
Except that we’re not able to see all the world’s websites, because the iPad doesn’t support Adobe Flash.
Sure you can fire up the YouTube app to view YouTube video, but you can’t do other things like TVNZ On Demand.
According to Apple, Adobe Flash is a big security risk, not to mention it crashes lots and kills your battery life:
http://www.apple.com/hotnews/thoughts-on-flash/
While there are some merits to their thoughts, the fact that both Adobe and Apple claim to be “Open” while running a closed-source system means they’re both delusional. Being realistic here, while Flash *may* well be a security issue running on Android, thankfully (AFAIK by default) you have to tap on where the video should be. At least, it certainly is for me, here’s the TVNZ OnDemand website:
Here’s that same website on my Android phone after I tap on one of the arrows and it loads all the Flash content:
Looks *identical* to the regular version of tvnz.co.nz/video that you see on your browser.
Here’s what it looks like on the iPad, which can’t do Flash:
Not terribly useful, I thought.
Personally, considering that an estimated 95% of desktop PCs run Flash, I like the idea of being able to run it on my phone too. 90%+ of people still run Windows on their desktops / laptops, yet it’s also heralded as having one of the worst security track records ever.
I must admit, I like the stand that Apple have taken against Flash. I’m all for the adoption of HTML5 standards and the likes of the WebM Project for streaming video, but I also want to be able to see “All the world’s websites”. Of course, we’re leaving out the likes of Silverlight, mostly because nobody cares about it, but that’s a whole different kettle of fish.
But anyway, back to the App Stores.
“We review all apps to keep the bad stuff out”
To keep the bad stuff out? To maintain a higher quality of standard? Sounds great, sign me up!
…Except, that’s not quite true.
Yes, Apple has a relatively strict review process that sees many people each week turned down, to go make adjustments on their app, which in turn ought to lend itself to higher quality applications. Crash information may be sent to Apple, but not specifically to the developer.
Android on the other hand has no App submission review process like Apple, but relies properly on community ratings, comments and the end-users to flag something as inappropriate for whatever reason. Crash information is sent directly to the developer, and in certain circumstances those crashes can be viewed by other developers, and they can submit patches / fixes for the broken application, end-users can watch progress on a bug-fix for their particular application, and the whole process is relatively transparent.
To throw a spanner in the works, the Apple review process is known to be terrible, to the point where they let an inconspicuous Flashlight application through which doubled as a WiFi-Tethering app (Something you can normally ONLY do through USB on the iPhone):
http://consumerist.com/2010/07/teen-developer-gets-tethering-app-on-and-off-iphone-app-store.html
http://appshopper.com/blog/2010/07/20/handy-light-tethering-app-camouflaged-as-flashlight/
Great reviewing there Apple, top marks. Essentially, that throws the whole “We review apps for you, to keep your device safe” theory down the toilet. It’s nice to have, but shouldn’t be relied upon, as we’ve just seen the process is potentially useless if they let through Apps like that which blatantly shouldn’t be allowed through.
However, what about the fact that Android apps supposedly have *full* access to the device, potentially to do something malicious?
Application Permissions – What can this app do?
Well, if you’ve got an App on an iOS device, that app can do whatever the hell it likes. Looking at the above, it’s clear that an App doesn’t have to have any specific type of permissions at all, and can even do things that Apple have specifically tried to disable. Tethering is specifically allowed via USB on iOS devices (Not WiFi), and even then if you’re in the US, it will cost you $20 a month for that ability.
So you can see that’s a pretty major boo-boo that they’ve made allowing such an App through.
If you have an Android device however, prior to installation, the App will ask you for permissions to certain parts of your device, such as “Not letting the screen sleep”, or “Access to the Internet through Wifi / 3G”.
Let’s say that you’re installing a Flashlight app, and it’s asking for access to the Internet; that’s probably so it can display ads. Fair call, if it’s a free app, right? What about if it’s asking for access to your contacts list, or to make phone calls, or to read your SMS messages? It probably doesn’t need that. So in that case, you could deny it, and go find an alternative app.
Once an App is installed, if its permissions change, it’ll prompt you to manually review the new permissions (It can’t be auto-updated) prior to installing the update:
Then once you have selected the App that requires a manual update, it presents you with this:
Unfortunately it doesn’t show you what’s changed since last time, nor let you deny access to certain things on a case-by-case basis, though I’m nitpicking.
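The comparison the update screen leaves out can be done by hand. The following is an added example, not part of the original post: it diffs the `<uses-permission>` entries of two manifest versions and flags the contacts, phone-call and SMS permissions mentioned above. The sample manifests and package name are constructed, and it assumes the manifests have already been decoded to plain XML (inside an APK they are stored in a binary format).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the post calls out as unnecessary for a flashlight app
# (contacts, phone calls, SMS). Assumption: a short illustrative list,
# not a complete review policy.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_SMS",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries without android:name

def diff_permissions(old_xml, new_xml):
    """Compare two manifest versions and report what the update changes."""
    old = requested_permissions(old_xml)
    new = requested_permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "needs_review": sorted(added & SENSITIVE),
    }

# Constructed sample: version 1 of a hypothetical flashlight app.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

# Constructed sample: the update drops WAKE_LOCK and asks for contacts and SMS.
NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for key, values in diff_permissions(OLD_MANIFEST, NEW_MANIFEST).items():
        print(key, values)
```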
What happens when you install on your iOS device? Choose the App, punch in your password, and the App then gets *full* permissions to your device. You have no idea if it’s looking through your contacts list, using your wireless / 3G internet connection, reading your emails / SMS messages, or even doing something that Apple want to specifically block their device from doing, such as WiFi tethering.
Tell me which you think is the safer route?
Security through the purchasing Account
There have been claims that using your Google Account is not as secure as having a dedicated Apple iTunes account.
I find this interesting, especially in light of this:
http://www.pcworld.com/article/200618/apple_itunes_hack.html
Basically, it’s estimated that between 400 and 3,000 accounts were compromised by this certain individual and used to boost this developer’s Book ratings. Once he had access to their accounts, he would purchase his own apps, making his Books rule about 40 of the Top 50.
Fault of Apple, or fault of the users? Hard to say; there’s been no hard and fast evidence to prove they all had nice long secure passwords, though there’s the potential that key-loggers on their desktop PCs picked up their passwords as they were being entered into iTunes.
At the end of the day, both Google and Apple store your credit card, if you allow them to. Both of them have similar sort of password complexity requirements (Next to none), and neither is particularly easier nor more difficult to purchase Apps from for their respective OSes. Does it matter how you purchase your Apps for your device? Maybe it does, maybe it doesn’t; it’s not something we can know, nor is it something Apple are likely to be concerned about following up.
So, Security for the devices?
You decide which is supposedly “more secure”, or even if it’s of any relevance to you …
I know which I feel is more secure, but in saying that it wouldn’t specifically stop me from purchasing a device running either OS.
As always, I’d love some feedback / comments 🙂
Cheers
Chill.