The text in italics shows information from operating systems available when this blog was first posted. This post was originally published on the CompWALK Blog.
With the growing popularity of Bring Your Own Device (BYOD) and similar company-wide policies integrating mobile devices into the work day, a question arises about security. Oftentimes these devices collect confidential and sometimes sensitive information, so it is important to be aware of the security of the various mobile operating systems available.
If you are looking to implement a new solution that includes a mobile application, it’s important to know the security features of each mobile operating system.
We’re not the first to debate this question, and it is ongoing as operating systems grow their number of users. We consulted with our network services director, Larry, who has extensive experience in enterprise security and mobile device security, to weigh in. We also utilized articles published by Mikko Hypponen, the Chief Research Officer of F-Secure, an online security and privacy company based in Helsinki, Finland – he’s a big deal in the mobile security realm.
iOS is a proprietary operating system that Apple controls, running solely on Apple’s own devices. This plays in iOS’ favor compared to Android, which runs on multiple manufacturers’ devices (Samsung, HTC, Google), each with its own standards and approach to security. Apple also has strict requirements for including an app in its store: it checks that you are a legitimate business, the fee is much higher than for Android or Windows, and humans test each application before it is approved.
- Improvements to MDM (Mobile Device Management) that allow businesses to “bake in” their policies on devices in ways that were not possible on iOS before. This allows businesses to set up accounts from the get-go (through MDM providers or internet service providers) and manage them even if the person were to leave the company.
- Improving on an already secure app submission process, Apple requires that apps are signed by certificates that are checked using Apple’s servers. This allows revocation if malicious content is found. Apps are also required to be updated/submitted through encrypted channels.
- Since the release of iOS 10 in September, a security flaw has already been found. Apple added an alternative password verification mechanism to iOS 10, which weakened the security of local backups in iTunes. This weakening of local backups opened the door for the keychain (Apple’s password manager) to be decrypted.
- Like Android, Apple has a large number of mobile users. This alone poses a risk, as a large user base makes a platform a more attractive target for attackers.
With the release of iOS 9 came better management tools for IT teams. Admins can prompt users to update any device enrolled in the Device Enrollment Program, initiating the download and installation of software updates separately. IT teams can install and update managed apps while restricting general access to the app store and manage apps even after users install them without reinstalling the app or losing any user-data. Also included in iOS 9 are new network policies. Admins can specify how managed apps use networks by restricting the app’s ability to connect over cellular when roaming on other networks.
The ability to further manage company-issued devices gives IT teams the power to set parameters and force updates that include important security releases to better protect corporate data. Per-app VPN ensures separate network pathways for personal and corporate data, while managed open-in prevents corporate attachments from being saved to personal apps or cloud services. Finally, touch ID and device passcodes further promote security of an organization’s system, apps, and data.
Here’s the whole kit and caboodle on Apple iOS security.
Android is open source, meaning malware is much more common. Compared to Apple and Windows, it is much easier to submit an app and get it accepted into the Google Play Store: there are lower submission fees, no human tests your app, and there are no checks that you are a legitimate business. Google developed Google Bouncer, a malware scanner, to watch over and scan applications available in the Google Play Store, but businesses were still wary of the Android OS.
- Direct Boot/File-based Encryption – Direct boot is new to Android and allows apps to start up in the background before you unlock your device, and does not expose any personal information. Encryption now happens at a more granular level (file-based) than before.
- After the Stagefright attack surfaced last summer (2015), Google/Android ramped up security enhancements and has been pushing them out much faster than in years past. The Google Play Store has also seen some upgrades: it monitors apps much more closely and stops malicious activity before it starts.
- Android holds the majority of smartphone users, making it more susceptible to malicious attacks than other mobile OSes.
- Since Android runs on many different devices, not all of them support the newest OS. This is problematic because security patches/updates are only supported on the newest OS, and devices eventually stop receiving these critical updates.
Android for Work
To combat these malicious attacks for organizations, Android introduced Android for Work in September of 2015, allowing users to separate work and play. Dual personas are used to keep work and personal applications separate and protect corporate data. It is important to note that not all devices are eligible for dual personas; some manufacturers’ devices do not support encryption, which is required to run the personas. When looking into Android-supported devices, check out the Top Four Android Tips for Better Mobile Security blog post by Search Mobile Computing.
Windows mobile OS is similar to iOS in that a human reviews and approves all apps submitted to the store, helping prevent malicious applications gaining access to the Windows Store. Unlike Android, there’s no need to consider dedicated anti-virus and anti-malware software.
With Windows 10 for desktops/laptops being released last year, Microsoft was smart to update their mobile OS to follow suit. The biggest advancements were related to security.
- Device encryption for local content now exists, improving on Windows 8 mobile, where it only worked through some kind of MDM solution.
- With its small market share, Windows Mobile 10 has a lower probability of being attacked. That alone does not make it secure, but integration with its flagship desktop/server OS architecture definitely does.
- Businesses can implement secure access to resources much more easily than before using Microsoft Passport. This allows strong authentication with multi-factor credentials used with Active Directory, Azure, and the Microsoft Account service for single sign-on.
- With the new Device Guard feature, only signed and trusted applications can run on the device, which blocks any potentially harmful applications.
- A lot of Windows Mobile 10’s shortcomings are due to a lack of features rather than security issues. As more users adopt this OS, more vulnerabilities would likely be found.
Microsoft Enterprise Mobility
Windows OS for organizations is supported by Microsoft Enterprise Mobility. Microsoft Enterprise Mobility protects Microsoft Office email, files, and apps, stating on its website that it is the only solution designed to do so. Microsoft’s solution helps minimize the complexity of BYOD by offering mobile device management (MDM) and mobile application management (MAM) both on-premises and in the cloud, all from a single console. Desktop Virtualization allows users to run Windows desktops and applications anywhere and meet changing business needs while safeguarding sensitive corporate resources.
Security is a focus of Microsoft Enterprise Mobility. Advanced Threat Analytics (ATA) helps identify breaches and threats using behavioral analysis and provides a clear, actionable report on a simple attack timeline. ATA continuously learns from the behavior of organizational entities, and adjusts itself to reflect the changes in rapidly-evolving enterprises. As attacker tactics get more sophisticated, ATA helps companies adapt to the changing nature of cybersecurity attacks with continuously-learning behavioral analytics.
And the Winner is…
Windows! It must be noted that currently Windows is the least utilized mobile OS of the three, which definitely plays in its favor as it is less of a target. Mikko stated that Microsoft’s Windows Phone platform is the safest mobile operating system available to businesses while Android remains a haven for cyber criminals.
“Windows Phone’s security model inside is quite restrictive, I think it’s going to take a while before we see Windows Phone being seriously targeted. I could be wrong, but my hunch says it will stay the safest,” said Hypponen.
With its Advanced Threat Analytics model continuously learning the patterns and habits of organizations, the system only gets better with time.
Microsoft has built on the Windows 8 infrastructure, which was already secure, and brought to the mobile environment improvements that were made popular by its desktop OS, Windows 10. Apple has made several security improvements to its OS with the release of iOS 10, and Android has improved on security flaws that have plagued it in the past. With Apple and Android being the main targets for attackers, it is a safer bet at this time to side with a mobile OS platform that makes up about 2% of market share.
Android’s heightened vulnerability is attributed to Google’s policy of letting third-party stores run on the OS, a popular way for criminals across the world to trick users into installing malware. In 2012, F-Secure saw a 10-fold increase in malicious Android installation files, jumping from 5,000 malicious installation files in quarter two to 51,000 in quarter three.
iOS continues to be the most utilized mobile OS which makes it the primary target for malware and potential threats.
Larry prefers the Windows Store when submitting our applications compared to the Google Play Store and the Apple App Store. Windows still verifies the security of applications with real people testing them, unlike Android, but it is a much quicker process than Apple’s, which can take up to two weeks for updates to go live. This can become problematic when we issue new security updates and bug fixes. Windows also conducts random quality control checks of all applications live in the store.
While all three OSes offer IT teams the ability to control applications and wipe information when a device is lost or an employee is terminated, we are in favor of Windows and its comprehensive Microsoft Enterprise Mobility platform. With the ability to protect and manage iOS, Android, Windows, and Windows 10 apps, this is also the most attractive platform for companies implementing BYOD policies.