Where iOS, Android flaws lie
No foolproof solution exists to protect mobile devices yet, says Dr Charlie Miller, renowned international security expert.
Although relatively few security incidents have targeted mobile devices so far, more can be expected, because no foolproof solution exists to protect mobile devices yet.
This is according to Dr Charlie Miller, principal research consultant at Accuvant Labs, who will be a keynote speaker at the ITWeb Security Summit, to be staged at the Sandton Convention Centre from 15-17 May this year.
Dr Miller made headlines when he developed an application that proved the existence of an iOS security flaw, and he was expelled from the Apple Store's developer network.
He says mobile devices are insecure in the same ways computers are insecure. “After all, they are just little computers. Some of the problems lie in the fact that it is hard(er) to detect compromise and there is a lack of security tools available for mobile devices. While you wouldn't imagine running a desktop computer in the enterprise without anti-virus, there is not a real good solution for mobile devices at this time.”
On the question of iOS security today, he says Apple has improved its security since the time he highlighted those flaws. The original iPhone had major security problems. “The most current version of iOS is pretty darn good,” he says.
However, he notes: “With the Flashback attacks, we've seen Apple isn't immune to attack. In that case, Apple was slow to issue a Java patch and slow to issue a system update to detect the malware. I predict we'll see even more attacks against Apple products in the future.”
When it comes to the increasingly popular Android OS, Dr Miller says it is less secure than iOS.
“Android and iOS are designed differently. Android is built to be open while iOS is built to be closed. The place where this is most obvious is with apps and code signing. In iOS (with exceptions for jailbreaking or provisioning), you can only run apps that have come from the App Store.
“If you try to run apps from other places, they will fail to run because they will not be signed by Apple. This has effectively prevented malware from appearing in iOS, because Apple has a chance to review and stop the most obvious malware before it is ever available for download.
“On the other hand, Android apps can be downloaded from anywhere and will run just fine. (There is a configuration that only allows apps to be downloaded from Google Play). Much of the Android malware has come from other, non-official application stores. Until very recently, even those apps in Google Play were not reviewed, but Google has implemented a system called Bouncer, which automatically reviews apps, when submitted, for security purposes. So the open aspects of Android allow for more freedom, but also introduce the easier possibility for malware.
“Android is also slightly more vulnerable to exploitation, since it lacks full address space randomisation. I expect this will be fixed soon, though. Another related problem with Android is that many devices do not receive security updates shortly after they are released. This leaves them open to exploitation.”
Dr Miller says while there have been many instances of Android malware, the number is still fairly small in comparison with attacks on desktops. In iOS, there have been almost no pieces of malware or attacks seen in the wild.
On the question of who should be accountable for fixing these problems, Dr Miller feels Bouncer is a step in the right direction, but says it is easily circumvented, since Android apps can download and run native (unsigned) code. On the timing of security updates, he adds: “If you sign a two-year deal with a carrier, I think the carrier should have to supply you updates in a timely fashion for at least that long.”
The annual ITWeb Security Summit will take place from 15-17 May 2012 at the Sandton Convention Centre. For more information and to book your seat, go to www.securitysummit.co.za.