By Anil Parmar
Before I begin with the security discussion, let me make it clear that iOS which is owned by Apple Inc. is a hardware company whilst Android owned by Google is an advertising company.
You may have come across a number of articles discussing which platform is the most preferred one, Android or iOS?
However, each platform has its own advantages and disadvantages which all depends on the user’s preferences and usage.
I’m surely not going to add on to the topic of who is the best? However, considering the increasing number of Android and iOS mobile users the most important factor primarily above everything else is “security.”
So, in this article, I would discuss the security concerns that include system security, encryption and data protection, and additional privacy control offered by both the platforms.
Firstly let’s take a look at stance of security from each brand owner
Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay. And we continue to make improvements. Two-step verification, which we encourage all our customers to use, in addition to protecting your Apple ID account information, now also protects all of the data you store and keep up to date with iCloud, mentioned by CEO Tim Cook in Apple’s Commitment to Security.
Eric Schmidt, the CEO of Google, said in an interview “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place”
https://www.youtube.com/watch?v=A6e7wfDHzew
He further added, “The way that some of your privacy is compromised when you search for something is that the search engines not only retain what the search was for but also what IP address the search came from. If you don’t want them to know link the search to your IP address you can use an anonymizing service. There are both free and paid solutions for this.”
Both the brands are equally clear with their stance on security!
Three major security concern areas to enhance your knowledge on privacy levels offered by iOS and Android
1- System Security
The stronger integration between the software and hardware will ensure that each component of the system is reliable and secure.
Considering Boot-up process
For Android: The platform provides the security level of “Linux kernel” and “inter-process communication (IPC) facility.”
Coded by “Application Sandbox,” the Android platform offers verified boot guarantee where each stage cryptographically verifies the integrity and authenticity of the next stage before executing it.
Android 7.0 and later version strictly verified boots using dm-verity (device-mapper-verity) kernel feature, which means compromised device will not be able to boot.
For iOS: The platform provides the security level of Low Level Bootloader (LLB), iBoot, and iOS kernel.
The LLB is first verified by the Apple Root CS public key from the Boot ROM code to ensure that iBoot Bootloader is signed by Apple and then iBoot verifies and executes the iOS kernel.
Therefore, iOS platform also utilizes a secure boot process to ensure its separate software is verified and signed by Google.
Considering Software updates
For Android: Android offers monthly bulletin updates, the latest partial security patch level string 2017-07-01 discusses issues to fix a subset of vulnerabilities similar for all Android devices.
To stay updated with the latest software concerns join Android Security Updates group.
For iOS: This platform uses a process called System Software Authorization to eliminate the downgrades as it can increase the number of chances for the attacker to enter the system and exploit a vulnerability that’s been fixed in the new version.
To stay updated with the latest software concerns connect with Apple security updates list.
Considering Touch ID
Android and iOS both are seen to enhancing fingerprint scanning authorization security with the launch of their new models.
Both, have implemented a compulsion passcode authorization that is created by the user and must be entered before registering or altering fingerprints.
2- Encryption and data protection
This becomes important to ensure the architect and design of the OS protect the user data from the unauthorized attempt to use or modify.
Considering Hardware
For Android: The latest Android 8.0 version offers advanced hardware security features that include “Android Keystore API” and the underlying “Keymaster HAL” that mitigates the risks of security compromises due to misuse of keys.
For iOS: With a dedicated “AES 256 crypto engine” built into the “DMA path” between the flash system storage and the main system memory makes file encryption highly effective.
Additionally, the device‘s “unique ID (UID)” and a device “group ID (GID)” are AES 256-bit fused during the manufacturing.
This means, it will not allow any software or firmware to read the file, they will only be able to see the encryptions and decryptions operations performed by the dedicated AES engines.
Considering File data protection
For Android: This platform allows its users to save data via internal storage, external storage, or by a content provider.
The files created in the internal storage will be accessible only to the app owner- while Android takes care of the protection.
To provide additional security for sensitive data- you can encrypt local files using a key that is not accessible to the app.
For files stored in the external storage are globally readable and writable, hence Android suggests not to store sensitive information using external storage.
Content providers (e.g. Xender, Dropbox) offer a structured storage mechanism limited to one app or exported to allow access by other applications.
For iOS: Whenever there is data partition- iOS Data Protection created a 256-bit per-file key and sends it to their hardware AES engine, who in turn uses a key to encrypt the file to flash memory using “AES CBC mode.”
The per-key file is then wrapped with one of the several class keys using “NIST AES key wrapping per RFC 3394.”
Apple controls the above undertakings and does not allow any of these controls over to developers.
Considering Passcodes
For Android and iOS users, setting up a passcode will automatically enable Data protection. Android and iOS support four and six-digit alphanumerical passcodes.
This means the attacker who has the possession of your device will not be able to access your phone data without entering the passcode.
Similar to the passcode, PIN number, face, IRIS, and fingerprint recognition security authentications are offered by both the platforms.
3- Additional Privacy controls
This will determine the capability of the OS to control access to Location Services and user data.
Considering Location service
Android and iOS platforms both offer inbuilt security levels for location services- access can be set to:
- Never allow location-based information
- Allow location-based information when in use
- Always allow location-based information
Depending on the selection you make for your device- both the platforms provides reminder approval and can anytime change the app’s access.
Wrapping up
With the above factors, we can conclude that both Android and iOS are constantly seen to be working on high-level security measures to identify and reduce flaws in existing operating systems.
Additionally, updating to the latest OS version, usage of a passcode, installation of anti-virus and firewall software, enabling device- tracking system, and creating backups of sensitive information can further enhance the security level of the operating system you use.
Below are the links to the vulnerability list of Android and iOS:
http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html
https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/Apple-Iphone-Os.html
It’s better to be safe than sorry.
Anil Parmar is the co-founder of Glorywebs, a mobile app development company that aims to help clients with app design & development, digital marketing, web development and more. Mobile apps and websites we develop have a common # 1 goal: Keep it as simple as possible for technical as well as non-tech geeks. Find him on Twitter @abparmar99.
