To complicate matters, today’s mobile devices are not islands—they are connected to an entire ecosystem of supporting cloud and PC-based services. The typical smartphone synchronizes with at least one public cloud-based service that is outside of the administrator’s control. Many users also directly synchronize their mobile device with their home computer to back up key device settings and data. In both scenarios, key corporate assets may be stored in any number of insecure locations outside the direct governance of the enterprise.
In this abridged paper, we will summarize the security models of Google’s Android and Apple’s iOS, the two most popular mobile platforms in use today, to evaluate the security impact these devices will have as their adoption grows within enterprises.
Mobile Security Goals
When it comes to security, the two major mobile platforms have little in common with their traditional desktop and server operating system cousins. While both platforms were built upon existing operating systems (iOS is based on Apple’s OS X operating system and Android is based on Linux), they each use far more elaborate security models that are designed into their core implementation. The goal was likely to make the mobile platforms inherently secure rather than to rely upon third-party security software.
So have Apple and Google been successful in their quest to create secure platforms? To answer this question, we will provide an analysis of each platform’s security model and then analyze each implementation to determine its effectiveness against today’s major threats, including:
Web-based and network-based attacks: These attacks are typically launched by malicious websites or compromised legitimate websites.
Malware: Malware can be broken up into three high-level categories: traditional computer viruses, computer worms, and Trojan horse programs.
Social engineering attacks: These attacks, such as phishing, leverage social engineering to trick the user into disclosing sensitive information or installing malware on a computer.
Resource and service availability abuse: The goal of many attacks is to misuse the network, computing or identity resources of a device for unsanctioned purposes.
Malicious and unintentional data loss: Data loss occurs when an employee or hacker exfiltrates sensitive information from a protected device or network.
Attacks on the integrity of the device’s data: In a data integrity attack, the attacker attempts to corrupt or modify data without the permission of the data’s owner.