Experts: Android, iPhone security different but matched

Apple may vet apps for the iPhone but Android restricts apps to their "sandbox," thus limiting any damage that could be done from a malicious app, experts say.

Elinor Mills Former Staff Writer
This screen shot shows what the My Tracks Android app has access to and prompts the user for approval before the app can be installed. Google

So, which is more secure to use, the iPhone or the Android?

Neither, according to security experts who say the two fastest-growing smartphone platforms are different but comparable.

The main difference is that Apple must approve all apps distributed via the App Store, which is the only way to get apps on the iPhone unless it is jailbroken so it can run whatever software an owner wants. Android apps are not vetted by Google or anyone prior to distribution.

Another big difference is that the Android user is informed about what data and resources an app will have access to and user permission is required before the app can be installed. Meanwhile, iPhone apps are all given the same limited default data and resource access, except for location-based information that requires special permission from the user. The reach of Android apps is more limited, generally.

(Microsoft appears to borrow a bit from both models. The company vets the apps, but also uses sandboxing technology that limits the apps' access to their own data, according to Todd Biggs, director of product management for Microsoft's Windows Phone Marketplace.)

So, in essence, Apple serves as a gatekeeper that may be helpful in keeping blatantly malicious apps out, but if something malicious does sneak in, it could conceivably cause more damage than if it were on an Android because it may be able to access data and resources it shouldn't have access to, experts said.

"Both sides have pluses and minuses," said Kevin Mahaffey, co-founder and chief technology officer of mobile security provider Lookout.

Some security researchers question Apple's ability to adequately screen apps, given there are so many being developed so quickly.

"There are thousands of apps for the iPhone, and Apple has to approve each one," said Charlie Miller, a principal analyst at Independent Security Evaluators. He was the first person to hack the iPhone, via a hole he found in the mobile version of Safari in 2007, and he discovered two vulnerabilities in the Android browser.

Earlier this year, Swiss researcher Nicolas Seriot complained to CNET about lax security at Apple's App Store after some apps were found to be harvesting user data, either intentionally or unintentionally. They were pulled from the online store.

To illustrate the threat from overreaching or rogue apps, Seriot created a proof-of-concept app called "SpyPhone" that used the application programming interfaces to access all sorts of data on a phone that could be used to track users and their activities.

It's unclear exactly what Apple looks for in its application certification process.

Apple representatives were not available to be interviewed for this story; however, an Apple spokeswoman provided this statement: "Apple takes security very seriously. We have a very thorough approval process and review every app. We also check the identities of every developer and if we ever find anything malicious the developer will be removed from the iPhone developer program and their apps can be removed from the App Store."

Apple assumes both the control over which apps users can download and the burden of making sure the apps are safe to use. Android users have more choice in what apps to download, but they also should carefully read the permissions screen that describes what the apps will do before they install them.

"The bad thing (about the Android model) is it puts some burden of security on the end user," Miller said. "If I download a game and it says it wants access to GPS and the Internet, that is suspicious and I can say 'no.' But on the other hand, I don't want my sister or grandmother making security decisions. If people are just going to click 'yes,' then it doesn't do any good."

Android users can check to see what specific apps have access to any time after they have been installed. Google

The Android Permissions Dialogue language explains clearly what an app is capable of doing on the device, said Mahaffey, who said he will present an analysis of what Android and iPhone apps are actually doing on devices at the Black Hat security conference in July. (A list of the permissions here.)

"There are risks associated with an open apps model, but there's also a lot of user benefit and the level of risk a user is exposed to depends more on the user than the platform. Users know what they are getting in the Android model," he said. "In the pre-approved model, users don't have full knowledge of an application's capabilities. While there aren't any known examples of this, an approved application may download code from the Internet to add malicious behavior without a user's knowledge."

Because Android apps are not scrutinized closely before being available for download, it's possible that misleading or dubious apps will make it onto phones. This happened recently with two proof-of-concept apps researcher Jon Oberheide of Scio Security created to test the feasibility of distributing a program that could later be used to take control of an Android device in an attack exploiting a vulnerability in the Android operating system.

The apps were not malicious, but because they misrepresented their purpose, Google asked the developer to remove them from the Android Marketplace and remotely wiped them from hundreds of phones that had installed them--the first ever use of the Android Remote Application Removal Feature.

Despite the potential for abuse from unvetted apps, Oberheide said the open Android model was still preferable to a closed app store like the iPhone's. "We know there can be malicious apps, therefore the security model is being adapted under those assumptions," he said.

Beyond any potential threat from rogue apps, both iPhones and Androids are susceptible to Web-based malware that might be written to exploit a vulnerability in the software, just as any Internet-connected device is.

To some, however, the threats may be more hype than reality, at least for now.

"We've seen exploits on all platforms but haven't seen them used on any platform yet," said Mikko Hypponen, chief research officer at security firm F-Secure. (Asked which was more secure between Android and iPhone, he replied iPhone "because of the App Store" approval process. However, later he said that programs like FlexiSpy, which purport to be one thing but are used for another after install, point to a potential weakness in the Apple App Store model.)

"Security concerns are mostly theoretical, at this point," Miller said. "You are more likely to lose the phone" than get hit by malware.