Android's and iPhone's security compared?

When you see an article grandly titled, "Google's Android vs. Apple's iPhone: Which is More Secure?", what might you expect? That somebody has managed to compare the Android and iPhone systems in terms of:

1. How easy it is to hack into the system, snoop around for information, control the system, etc.
2. How easy it is to infect the system with virus, spyware and other such malicious software.
3. How easy it is to prevent or clean-up after such attacks.

And similar other questions.

Instead, Kenneth van Wyk, a "20-year veteran of IT security" and "co-author of two security-related books", compares the two systems on the following basis and gives them the following grades:

1. In Android, each application is assigned its own unique Linux user-ID at the time of installation and this ID is used to run the application. Where as, in the iPhone, "applications appear to all run with root (administrative) privileges on a single UNIX kernel". Based on this difference (and appearance), Android gets an A- grade and iPhone gets an F or "F-, if that’s possible".
2. Android is an open system, which has led to at least one product vendor announcing the development of security applications. We have heard of no such thing about the closed iPhone system. Grades: Android B, iPhone D.
3. iPhone has a well-developed and easy system for providing updates and patches through iTunes. We don't know of any such thing for Android. Individual handset makers will probably have to come up with their own update and patching process for their particular phones. Grades: Android INCOMPLETE, iPhone B+.

And, after this very arbitrary and subjective comparison, he declares Android to be the more secure platform!

Granted, at the very beginning of the article, Kenneth van Wyk, admits that there is no Android handset available right now for him to compare with the iPhone. So, this is an "apples and oranges" comparison. Nevertheless, this comparison and conclusion is not convincing enough.

In fact, it is very obvious that the open nature of Android, the ease of development of applications which control the phone's features and functionality, and the corresponding ease in installing such applications will see a proliferation of malicious software for the phone. The more popular Android becomes, the more threats there will be. It is actually a pretty scary situation to imagine something as personal as the cell phone being compromised. Imagine someone getting access to all your most personal information and conversations. Imagine someone using your phone to silently route expensive calls, for which you get dinged on your bill!

I think it is too early to comment on how secure future Android handsets will be. We can comment only on what is available now - Android SDK. And, it is certain too early to compare just the SDK with the iPhone to reach any convincing conclusion right now.


[via Earthweb]

Anti-virus for Android

SMobile Systems, which designs security software for mobile phones, has announced that it has tweaked its main security software suite to run on Android.

From prnewswire.com:

Today, SMobile Systems announced its standard security offering, called SecurityShield(TM) -- an integrated application that includes anti-virus, anti-spam and firewall protection-- is up and running on the Android operating system.

"We believe that the launch of Android powered phones will usher in a period when the use of smartphones will skyrocket," said Rick Roscitt, chairman and chief executive officer, SMobile Systems. "As more consumers in the U.S. begin using their mobile devices as mini-computers for surfing the web and downloading third-party applications, mobile security becomes of paramount importance. Without security, millions of people could be at risk for hackers, spammers and others intent on stealing crucial personal, financial and even health information from their new Google-powered phones."

The company plans on adapting the remainder of their applications to the Android platform in the coming weeks and months. Additionally, SMobile plans on creating new security products specifically tailored to Android, including an advanced application level firewall and system monitor. Currently, the Android platform does not allow the user to decide whether an application can make phones calls, send text or multi-media messages or make connections to the Internet during normal device use. This means that a virus can pose as an application and do things like dial phone numbers, send text messages and other functions that can cost the user money and leave their highly personal information vulnerable. The new technologies under development at SMobile will protect users against these new threats.

The hell's army of spammers, phishers, hackers and virus-makers are just looking for any open door, window or hole to exploit your system and your wallet. Given the openness of the Android platform, this is a welcome announcement.

Given that many applications which mash Google's services on Android will need access to our Google account password, I wonder what type of security Android has incorporated to protect our passwords. Time to go hunting for the answer... If you know it already, save me some time and post it in the comments. :)

[via prnewswire.com]

Android Security concerns = Generic security concerns

Google's Android platform could complicate security : This article on Searchsecurity.com expresses security concerns regarding a mobile device running Android. All the concerns turn out to be generic ones when:

(a) Users have the free ability to install software applications which access their device's core functionality (such as making calls, sending sms, using the camera, etc. for a phone).

(b) Such a device connects to the corporate network.

So, there is really no security concern in the article that is hyper-specific to Android... such as, say a security hole or bug in the platform.