Received the dreaded “your device is at risk…” message recently? Instead of acting on the prompt to click here and potentially download actual malware on your new smart phone or tablet, we thought it was time to get under the skin of the latest smart devices and tablets and find out what make them tick and what you should be aware of when choosing between iOS and Android.

Firstly, let us look at some numbers:

• In the last year it was reported that 950 million Android devices could be hacked by sending a simple text message
• In July 85 million Android phones were hacked and 10 million infected with Hummingbird
• In August 900 million Android devices were reported as potentially vulnerable to the Quadrooter attack.

Staggering statistics, but how worried should we really be?

Sean Davin, Head of Cyber Security at Sevin Cyber Security says it is important not to get swayed by the numbers too easily.

“We often get asked questions around which devices or software offer a better or more secure choice given the regularity of updates and recent issues around hacking and batteries.

“Whilst it is easy to simply reiterate the hype, it is worth looking at it from our vantage point as cyber security advisors.

“Both Apple iOS and Android are excellent advances in providing everyone with access to Applications (Apps) on their phones; thereby making it possible to have a compatible devices akin to their home or work computers on the move.”

So with Google, the Android author, playing catch-up with security patch after security patch and Apple iOS continuing to demonstrate an excellent track record and not reporting as many high profile hacks, surely this should indicate a win for Apple.

Not so simple says Mr Davin.

“Both iOS and Android have good potential for security:

• Apple's is primarily based upon tying the devices down to its hardware and approved Apps ensuring that Apple can vouch for its security, but the flip-side is that you only get what Apple allows you to have.
• Android's security is primarily based upon adding on good security modules to the operating system and ensuring that the operating system is configured to run these at the earliest opportunity.
• Android's operating system security is also based upon an incredibly wide base of developers who are continually testing the security, but leaving the end-user open to choose the types and source of applications and the types of devices that they want to use.

Where does this leave us?

In essence, Mr Davin recommends that, as a user, we should be aware that both types of devices, Apple and Android are vulnerable to attack.

Instead, he says it is worth focussing our security efforts on the biggest area of continual weakness i.e. the Apps and how much trust we as users put into them.

So how does Apple iOS work on the iPhone or iPad?

Mr Davin says:

“Apple iOS is built around a very well designed security architecture whereby only ‘trusted’ applications (including “Apps”) run on the iPhone or tablet. In this, Apple plays a part in ensuring that these Apps can be trusted.

“From the point at which an iOS device is started, the Apple mechanisms kick in, and only bits of software that have come from the Apple laboratories are allowed to start and get running.  As the iPhone continues to start, it runs other Apple applications (by first proving that these are real trusted Apple applications).”

Some of the start-up of the device includes starting the encryption devices using the built-in cryptographic chipset (ensuring high performance and low power encryption); and only once these fundamental programmes are running can a user start interacting with the phone or tablet.

Before you as the user get to actually use the iPhone, Davin says you can be sure it has started securely and ensured that everything that you do is encrypted.

If something goes wrong the malware is limited in how far it can “reach” into the phone, thereby limiting its damage achieved by using a technique called “Sandboxing”.

Mr Davin adds that, as users, we want to download Apps (all the useful applications for shopping, booking travel, playing games, etc.) from the Apple Store as the Apple devices are a little “bare” of functionality when they are initially delivered.

“For all of these Apps, Apple themselves have had a role in verifying that these are compliant in the way they operate on the device.  To this extent, all App developers have to register with Apple and adhere to its developers’ code of conduct and hence all Apps can be traced back to their author in case of any problems.”

However, Mr Davin says that Apps are not without problems though and despite this audit trail, independent App developers sometimes do not show the same extent of security awareness as Apple itself.

Further still, in 2015 the Apple App store was hacked and quite a few Apps infected with malware apparently from China, by causing App developers to pick up the infected source code rather than the genuine Apple code. This has been sorted out though.

In very recent months a few parts of the core Apple software have been found to contain some weaknesses in a much publicised press release, which were very rapidly patched by Apple.

In summary: The security of Apple iPhones and tablets resisting attack is good due to Apple only letting Apple approved software run on their devices, which means Apple can keep tight control on things.  The downside is that only Apple approved software can run on Apple devices, meaning that the configurability, flexibility and choice of applications is much more limited. Sometimes a small, yet significant, flaw is found in the core Apple software, which Apple is very keen to rectify as quickly as possible.

Android devices

Mr Davin explains that Android devices are not really Android devices as such; they are electronic phones and tablets that run the Android operating system.

“Android Inc. developed the Android operating system based on an Open Source version of Linux and is quite different in its ethos to the Apple iOS.

“Android Inc. (back then, soon to be acquired by Google) determined to make the operating system completely open source and to ensure that it could be used freely by mobile phone and other mobile device manufacturers. This has since made it the single most used operating system of any kind.

“Android is quite extensible and the configuration of the operating system can be adapted by the mobile device manufacturer.  The various flavours include being able to run a secure set of modules called SELinux.  SELinux is a serious contender for providing added security and is used extensively, even throughout Governments, to provide the security foundation on top of Linux systems.”

Being a widely used open source operating system, Mr Davin says this means that App authors are almost unlimited and Apps can be written by just about anyone, obtained from just about anywhere and installed onto just about any Android box. This does mean that there are so many more Apps for Android systems than there are for Apple iOS.

“Thankfully there is an audit trace, similar to that between Apple and the developer, for Android Apps.  Here, not only can the App be traced back to the developer, but that App developer can rest assured that their App has arrived on the Android device unaltered since they built it.”

Great. So does this mean that we can not only have many more Apps than for iOS, but we also have Government standards of security on our Android devices?

In theory yes, says Mr Davin, but in practice it is quite tricky to achieve such security. 

“In most Government style SELinux implementations, there are usually very strict controls around whose Linux device it is, who has access to the super-user account, and policies are in place to stop people installing applications without alerting the authorities with threats of dismissal or criminal investigations.

“In an Android device you are nearly on your own – it is your device, the device manufacturer has limited you doing some things but not others, and you have rights to install Apps whether they are good or bad.

“To help with some of the security, Android also provided some startup measures to help ensure that the device starts using the right software from the moment it is switched on, calling this “Verified Boot,” and which tries to stop any unauthorised software putting its feet in the door during this startup.”

Android operating systems also use the technique described above as “Sandboxing” and encryption to help keep sensitive data away from applications behaving incorrectly, or away from hackers having got something malicious to run on the phone or tablet.

In summary: Android devices are very flexible in nature, can run on a massive variety of phones and tablets leaving the buyer with lots of choice, can allow Apps to be obtained from places other than just one supplier's store and is supported by a massive network of enthusiastic developers.  On the down side, the operating system is built to be flexible and this brings with it inherent weaknesses, with so many high profile vulnerabilities being found and published almost monthly.

Where does this leave us?

Both Apple iOS and Android offer benefits as explained above.

However, Android devices are continually in the news for more high profile attacks, on top of which, every now and then a fundamental flaw is found in the operating system undermining a significant amount of device security.

On the plus side, the Android community usually responds to these and gets them corrected really quickly, yet they are still trying to stem the flow of security flaws.

Mr Davin concludes that irrespective of whether the device is Apple or Android,  it is essential to be aware that all Apps can be badly written for security, but the Apple security model currently provides a little better security for the device being “broken” by hackers, yet this is still not a reason for complacency.