Tuesday, May 5, 2020
Android Security VS Iphone Security
Question: Discuss Android Security VS iPhone Security.

Answer:

Introduction

Recently, the world has seen the emergence of mobile computing whose sophistication has never been witnessed before. Most of the mobile phone makers have been making leaps and bounds in order to be ahead of their competitors in providing mobile phones and solutions geared towards fast adoption by customers. These mobile devices are so technologically advanced that many of the functions performed on a computer can also be done on a mobile phone while still maintaining the same great user experience (Chittoria and Aggarwal, 2014:1). In the present market, the most renowned mobile devices are those running the Android operating system belonging to Google and those running iOS belonging to Apple.

Mobile applications have become integral and ubiquitous to our lives, and they have therefore attracted the interest of unethical/criminal hackers who are interested in stealing information they come across on these mobile devices and in their applications (Kaspersky Lab United States, 2016). Google and Apple have taken huge strides in creating various measures to ensure secure usage of mobile devices. This research report focuses on the security of the mobile applications that run on the aforementioned operating systems. Security should always be considered in all phases of a mobile application life cycle, which include development, publishing, installation and execution/usage of the application. It should start from the very first point of developing the application and continue to the last stage, which is execution. After execution, security must be checked at all times.

Security Consideration Overview

This report is subdivided into four parts which further elaborate on the security aspects in Android and iPhone. They are:

1. Security at the time of developing the application.
2. Security when publishing the application to the online stores of Android and iPhone.
3. Security at the time of installation, especially the features in both mobile operating systems.
4. Security at the time of execution of the application on a user's mobile phone.

Smart mobile devices are characterized by the capability to execute numerous and synchronized applications supporting diverse degrees of portability and modification, by supporting alternating distant service access, and by working within limited resource constraints (Susanto et al., 2016). This comes at a cost, since security has to be considered in the whole cycle of app execution, failure to which would see the application exposing its user to security attacks.

Security at the Time of Developing the Application

In an ideal world, it would be every application developer's dream to create a bug-free application with perfectly secure data storage and transmission (Das, Goswami and Bhunia, 2016: 1). Since there is no such thing as a perfect application, bugs are bound to exist, with the majority of them emerging at the time of application design and development due to a mistake or two made by the software engineer or the individual responsible for developing an application. Consequences of these bugs include the compromising of user data and sometimes the injection of applications that execute illegal processes such as key logging.

To achieve security in Android, the developer is responsible for isolating an application from other resources belonging to the system through a technique called sandboxing. A sandbox is a firmly restricted environment where applications and programs can be executed. Sandboxes control what blocks or pieces of application code can do, giving them as many permissions as they require without including extra permissions which could be misused (Howtogeek.com, 2016). Sandboxing in Android is usually controlled by each application. The application usually requires permission and approval in order to have continued access to the resources it needs.
This improves and tightens security since each application has its own listing/directory and permissions per each active application (Holla and Katti, 2016:489).

In iPhone's iOS, sandboxing comprises a set of fine-grained restrictions that bound the application's access to the file system, the network and the hardware of the device. It contains an extremely robust sandbox in which applications use the same sandbox with a higher protection and less access by other applications (Tabini, 2014). iPhone is more secure compared to Android. This is because iPhone permits access to the system file in the root and not phone settings. Android depends more on the user, since the user is usually required to modify or set security for every application at the time of its installation.

In Android, storage can be built in or external, and the external storage doesn't have permissions by default except for reading. Therefore, all applications are able to read data from the external storage automatically. An application may end up accessing unwanted code within the external storage, thereby spreading viruses and malware. In iOS, the device doesn't have an external storage or memory and only contains fixed internal or built-in storage. For an application to be accessed or manipulated, it must get permission from the data through the DPA (Data Protection APIs) that are inbuilt into the iOS core. This is then joined to a complex entry code that increases security of data in the operating system (Sheldon, 2013).

Security when Publishing the Application to the Online Stores of Android and iPhone

After the application has been completely developed and tested, it is ready to be distributed to users. This is called publishing. It is popularly done through application stores hosted by Google for Android or Apple for iOS, depending on which operating system an application has been built to run on. The application store for Android is called Google Play and that for iOS is called Apple store.
To publish applications to the Google Play store, the developer is required to have access to Google's Developer Console, a set of tools which permit the developer to publish and monitor their applications (Play.google.com, 2016). However, the Google Play store is not the only place where one can place an application for download. A user can decide to install an application which has been emailed or downloaded from a website just by modifying a security setting that permits installation of Android applications from unknown sources. This fails to provide security verification and in the process exposes a mobile phone to malware (Chittoria and Aggarwal, 2014:1).

In iOS, Xcode, which is an integrated development environment (IDE), uses a signing identity mechanism to sign an application when it is undergoing the build process. The signing identity usually has a public and a private key paired together. The private key is used by cryptographic functions to start the identity signing process, while the public key helps to recognize the developer as the rightful owner of both keys. Therefore, a developer can acquire developer certificates for purposes of public distribution and distribution certificates in order to submit to the Apple application store. This ensures that the operating system does not allow installation of applications from unauthorized sources.

Security at the time of installation especially the features in both mobile operating systems

The Android operating system normally contains permissions for individual applications, as does the iPhone operating system. In the Android operating system, a list of permissions and resources required by the application in order to execute is displayed. During installation, the user usually selects a list of permissions he or she would like to be associated with a particular application. Permissions include read phone identity and state, internet access, automatically start at boot, etc. However, a user only has two options: give all the permissions required by an application or simply not carry out the installation of the application. Again, it is up to the installer's decision to consider the permissions during installation and either allow them or deny them and abandon installation. Unfortunately, the majority of users do not take these permissions into consideration, and this is a form of security breach since some permissions may be harmful in the long run.

iPhone has a different approach to application permissions during installation. No application permissions are asked for during installation. Unlike in Android, where one has to give all permissions to be able to install or deny them and fail to install, iOS for iPhone only permits the most basic permissions to be authorized by the user. Therefore, at the time of installation, only the application is installed without any permissions having been granted. These permissions are authorized when a user is executing an application and it requires a certain resource to properly function. For example, after installing Google Maps and not using it, there is zero permission associated with it. However, any attempt to use its mapping features throws a prompt to the user asking for permission to use the current location of the user's device. This is more secure compared to Android, since one can deny this permission and then continue using the application in another manner with respect to its specifications. This shows that Android is highly exposed to security breaches, since one cannot make specific choices on which permissions to allow or deny. It's either you allow all or deny all (Savvy Apps, 2016).

Security at the Time of Execution of the Application on a User's Mobile Phone

It has been discussed above that iPhone requires app permissions during execution while Android requires them during installation.
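The permission list shown at install time comes from the app's manifest, so it can be reviewed before anything is granted. The following Python code is an added example, not part of the original report: it assumes a decoded, text-form AndroidManifest.xml, and the sample manifest, the `review` helper and the wording of the review notes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Review notes keyed by real Android permission names; the wording of each
# note is this example's own, based on the concerns raised in the text.
REVIEW_NOTES = {
    "android.permission.READ_PHONE_STATE": "reads phone identity and state",
    "android.permission.INTERNET": "can send data off the device",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts automatically at boot",
    "android.permission.RECEIVE_SMS": "can listen to incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "reads shared external storage",
}

# Constructed sample manifest (decoded text form) for a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Flashlight"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name and name not in names:
            names.append(name)
    return names

def review(manifest_xml, expected=()):
    """Split requested permissions into expected, flagged and unreviewed."""
    report = {"expected": [], "flagged": [], "unreviewed": []}
    for name in requested_permissions(manifest_xml):
        if name in expected:
            report["expected"].append(name)
        elif name in REVIEW_NOTES:
            report["flagged"].append((name, REVIEW_NOTES[name]))
        else:
            report["unreviewed"].append(name)
    return report

if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST, expected={"android.permission.CAMERA"})
    for name, why in result["flagged"]:
        print(f"FLAG {name}: {why}")
```

Permissions passed in `expected` are the ones the reviewer considers justified by the app's stated purpose; anything in neither list lands in `unreviewed` rather than being silently accepted.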
For the iPhone, an application will execute only when permissions are authorized. This is because when an application executes, it requests access to the resources it needs in order to give output to the user. The operating system prompts the user with a dialog box asking whether they permit the application to use the resource it is demanding. iPhone also offers runtime security through a process referred to as code signing. This process prevents an unauthorized application from running on the mobile phone.

In an Android application, it is the responsibility of the developer to build and test the security of an application while it is executing. This is done by following Android best practices, which include ensuring that the application is not performing insecure creation of files, listening to communications such as SMSes, improper storage of user and device data, etc. (developer.android.com, 2016).

Root kits are more common in Android than iPhone. These are malware aimed at giving criminal hackers administrative access to a mobile phone (Schultz, 2008). Types of root kits include user mode root kits and kernel mode root kits. A hacker's most coveted prize in the mobile sector is gaining root access to a mobile device. Root access is the process of having control of various Android subsystems. If a mobile phone gets infected with a root kit, the owner of the root kit has all the permissions to do what he wants on the mobile phone, such as turning off safety features, installing and deploying applications they want, and even listening for communications and stealing data (Kassner, 2008).

Conclusion

In the table below, we provide a comparison of security for the applications in iPhone and Android based on the phase in which an application is currently in.

| Application phase | Android | iPhone |
| --- | --- | --- |
| During development | Sandboxing in Android is usually controlled by each application. The application usually requires permission and approval in order to have continued access to the resources it needs. This improves and tightens security since each application has its own listing/directory and permissions per each active application. | In iPhone's iOS, sandboxing comprises a set of fine-grained restrictions that bound the application's access to the file system, the network and the hardware of the device. It contains an extremely robust sandbox in which applications use the same sandbox with a higher protection and less access by other applications. |
| During publishing | The developer is required to have access to Google's Developer Console, a set of tools which permit the developer to publish and monitor their applications. | Xcode, which is an integrated development environment (IDE), uses a signing identity mechanism to sign an application when it is undergoing the build process. The signing identity usually has a public and a private key paired together. The private key is used by cryptographic functions to start the identity signing process, while the public key helps to recognize the developer as the rightful owner of both keys. |
| During installation | A list of permissions and resources required by the application in order to execute is displayed. During installation, the user usually selects a list of permissions he or she would like to be associated with a particular application. | At the time of installation, only the application is installed without any permissions having been granted. These permissions are authorized when a user is executing an application and it requires a certain resource to properly function. |
| During execution | It is the responsibility of the developer to build and test the security of an application while it is executing. This is done by following Android best practices, which include ensuring that the application is not performing insecure creation of files, listening to communications such as SMSes, improper storage of user and device data, etc. | An application will execute only when permissions are authorized. This is because when an application executes, it requests access to the resources it needs in order to give output to the user. The operating system prompts the user with a dialog box asking whether they permit the application to use the resource it is demanding. |

It is every individual's responsibility, whether a user or a developer, to ensure security of a device is maintained at all times, failure to which both stand to lose.

References

Casteel, K., Derby, O. and Wilson, D. (2012). Exploiting common Intent vulnerabilities in Android applications. [online] Available at: https://css.csail.mit.edu/6.858/2012/projects/ocderby-dennisw-kcasteel.pdf [Accessed 22 Oct. 2016].

Chittoria, Y. and Aggarwal, N. (2014). Application Security in Android-OS VS IOS. International Journal of Advanced Research in Computer Science and Software Engineering, [online] 4(5), p.1. Available at: https://www.ijarcsse.com/docs/papers/Volume_4/5_May2014/V4I5-0847.pdf.

Das, M., Goswami, R. and Bhunia, C. (2016). Implementation of New Method to Generate a Key in Automatic Variable Key for Perfect Security. IJSIA, 10(4), pp.1.

developer.android.com (2016). Best Practices for Security Privacy | Android Developers. [online] Developer.android.com. Available at: https://developer.android.com/training/best-security.html [Accessed 22 Oct. 2016].

Goetsch, S. (2016). Secure Mobile Development Best Practices. [online] NowSecure. Available at: https://www.nowsecure.com/ebooks/secure-mobile-development-best-practices/#viaforensics [Accessed 22 Oct. 2016].

Hill, S. (2012). Android app security basics: Easy ways to keep your phone safe. [online] Digitaltrends.com. Available at: https://www.digitaltrends.com/mobile/android-app-security-basics/#ixzz33JTbRJ3U [Accessed 22 Oct. 2016].

Hoffman, C. (2013). iOS Has App Permissions, Too: And They're Arguably Better Than Android's. [online] Howtogeek.com. Available at: https://www.howtogeek.com/177711/ios-has-app-permissions-too-and-theyre-arguably-better-than-androids/ [Accessed 22 Oct. 2016].

Holla, S. and Katti, M. (2016). Android Based Mobile Application Development and its Security. International Journal of Computer Trends and Technology, [online] 3(3), p.489. Available at: https://www.ijcttjournal.org/Volume3/issue-3/IJCTT-V3I3P130.pdf.

Howtogeek.com. (2016). Sandboxes Explained: How They're Already Protecting You and How to Sandbox Any Program. [online] Available at: https://www.howtogeek.com/169139/sandboxes-explained-how-theyre-already-protecting-you-and-how-to-sandbox-any-program/ [Accessed 21 Oct. 2016].

Kaspersky Lab United States. (2016). Kaspersky Personal Family Security Software. [online] Available at: https://usa.kaspersky.com/internet-security-center/threats/android-vs-iphone-mobile-security#.WAmeKeh97Dd [Accessed 21 Oct. 2016].

Kassner, M. (2008). 10+ things you should know about rootkits - TechRepublic. [online] TechRepublic. Available at: https://www.techrepublic.com/blog/10-things/10-plus-things-you-should-know-about-rootkits/ [Accessed 22 Oct. 2016].

Play.google.com. (2016). [online] Available at: https://play.google.com/apps/publish/signup/ [Accessed 22 Oct. 2016].

Sacco, A. (2008). Six Essential Apple iPhone Security Tips. [online] PCWorld. Available at: https://www.pcworld.com/article/152128/iphone_security.html [Accessed 22 Oct. 2016].

System Permissions | Android Developers. [online] Developer.android.com. Available at: https://developer.android.com/guide/topics/security/permissions.html [Accessed 22 Oct. 2016].

Savvy Apps. (2016). How to Create Better User Permission Requests in iOS Apps. [online] Available at: https://savvyapps.com/blog/how-to-create-better-user-permission-requests-in-ios-apps [Accessed 21 Oct. 2016].

Shah, K. (n.d.). Top 10 iPhone Security Tips. [online] Santa Clara: McAfee. Available at: https://www.mcafee.com/us/resources/white-papers/foundstone/wp-top-10-iphone-security-tips.pdf [Accessed 22 Oct. 2016].

Schultz, E. (2008). Rootkits: The Ultimate Malware Threat. [online] Infosectoday.com. Available at: https://www.infosectoday.com/Articles/Rootkits.htm [Accessed 22 Oct. 2016].

Sheldon, R. (2013). How Apple iOS encryption and data protection work. [online] Search Mobile Computing. Available at: https://searchmobilecomputing.techtarget.com/tip/How-iOS-encryption-and-data-protection-work [Accessed 21 Oct. 2016].

Source.android.com. (n.d.). Security | Android Open Source Project. [online] Available at: https://source.android.com/security/ [Accessed 22 Oct. 2016].

Susanto, H., Almunawar, M., Leu, F. and Chen, C. (2016). Android vs iOS or Others? SMD-OS Security Issues. International Journal of Technology Diffusion, 7(2), pp.1-18.

Tabini, M. (2014). Why Apple should open up the iOS sandbox. [online] Macworld. Available at: https://www.macworld.com/article/2148362/how-inter-app-communication-on-ios-could-benefit-users.html [Accessed 21 Oct. 2016].