With the increase in mobile device usage, more and more organisations are starting to implement mobile device solutions. The ability to access work emails and files from a phone or tablet is no longer reserved just for executive staff as our offices and working arrangements become more flexible and more mobile. When looking at an enterprise mobile device solution there are two main platforms that most organisations will look at, Apples’ iOS and Google’s Android. With the recent push for both platforms to be enterprise ready they both are addressing security, but their approaches are different. iOS is made by Apple and therefore is only available on Apple devices whilst the open sourced nature of Android means that there are a large number of devices with different specifications and price points that come with the Android OS (Operating System). This flexibility makes Android an attractive choice for a mobile device solution but before you implement an Android solution there are some considerations that need to be made.
Apple devices are generally known for their strong security. Apple owns and controls the hardware, the firmware and the software, allowing iOS devices to be secured on all three of those levels by a single developer. The open sourced nature of Android allows manufacturers and carriers to change and modify the operating system as required for their specific device. This increases the security risk as each manufacturer has its own modified version of the Android OS and most carriers also make changes on top of that. For example, a Samsung on the Telstra network will have a different OS (even if it has the same Android version) to a Samsung on Optus. This complexity can not only cause weaknesses in the architecture of the device and its software but also causes issues around security updates and patches.
Security Updates and Patches
We are all used to getting security updates on our PCs. Most PC Operating Systems have an auto update function or will check for updates and let you know when one is available. More and more applications also check for regular updates in the same way that an OS does. Apple users are all familiar with the “Software Update” prompt that comes up as soon as Apple releases an update. Whilst Apple can develop and send a security patch or update to all its devices at once, the patch cycle for Android is not as simple.
Like Apple, Google have an extremely fast response to push updates and patches on the Android OS but due to the open source nature and customised versions of Android, it can sometimes take months before the update or patch reaches the users. This is because once Google push the fix to their Android Open Source Project (AOSP) repository, manufactures and carriers must then update their own versions of Android. This stage of the patching process is the most complex and causes the biggest delay, as a single device model may have hundreds of variations of an update to support carrier-specific customisations. Security and vulnerability patching is subject to the dedication of the device manufacturer and mobile carrier as opposed to Google itself.
Because of the plethora of versions of Android, the distribution of Android OS versions is, for lack of a better description, all over the shop. Most Android devices are running old, out of date versions that contain various security vulnerabilities. According to Google, approximately 24% of devices are using the 2 most recent versions of Android (Marshmallow and Nougat). In comparison, 92% of all apple devices are running iOS 9 or 10. Androidvulnerabilities.org, a site that tracks, monitors and reports on Android OS vulnerabilities, estimates that ~80% of Android devices are insecure and contain at least 1 of the top 14 Android Vulnerabilities.
|4.0.3 –||Ice Cream Sandwich||1.30%|
Vulnerabilities and Exploits
Because of its much larger market share Android is bigger target for malicious attackers, in addition, its more open and flexible platform continue to make it more vulnerable to cyberattacks. Recent vulnerabilities including Stagefright, Drammer and Quadrooter are estimated to affect over 900 million Android devices each and are largely un-patched. That being said, iOS isn’t 100% safe either. Recent examples, like XCodeGhost have proven that iOS can also be vulnerable to malicious attacks.
Apps and Market Place
Apple’s App Store is setup in such a way where applications are fully vetted before being made available to customers. This ‘walled garden’ approach has so far prevented widespread malware infection of iOS users. The App Store provides confidence that the apps download have been tested and validated by Apple. Apple also do not release their APIs to developers so the iOS system has fewer exploited vulnerabilities.
Google Play provides a similar centralised market for Android’s mobile apps but Android also allows its users to install apps from third-party sources. Some of these are well known and considerably safe, such as Samsung Galaxy Apps or Amazon App Store but others are not and can originate from malware hotspots like Russia and China. Most of these malicious developers reverse engineer paid apps like Angry Birds and publish malicious versions for free.
Whether implementing an iOS, Android, hybrid or other solution, organisations will need to make sure that they have sufficient security controls in place. A full risk assessment should be undertaken for all platforms to ensure that all mobile devices that are to connect to their network will be appropriately secure. There are several 3rd party applications designed to implement both Android and iOS in an enterprise environment. Together with good security controls and practices, these can ensure that your mobile device solution is secure and your data is safe.