Symantec Corp. announced the publication of "A Window Into Mobile Device Security: Examining the security approaches employed in Apple’s iOS and Google’s Android." This whitepaper conducts an in-depth, technical evaluation of the two predominant mobile platforms, Apple’s iOS and Google’s Android, in an effort to help corporations understand the security risks of deploying these devices in the enterprise.

1. Mobile Device Security:
A summary of the security
approaches employed in
Apple’s iOS and Google’s
Android

2. Introduction
• Today’s popular mobile platforms were designed with security
in mind, but these provisions are not always sufficient in
protecting enterprise assets
• In this presentation:
– Today’s major mobile threats
– Mobile device security models
– Analysis of Apple’s iOS
– Analysis of Google’s Android
– The mobile device ecosystem
– Mobile security solutions
2

3. Today’s Major Mobile Threats
• Web-based and network-based attacks:
– Typically launched by malicious websites or compromised legitimate sites
• Malware:
– Three high-level categories: viruses,
worms and Trojan horse programs
3

4. Today’s Major Mobile Threats
• Social engineering attacks:
– Leverage social engineering to trick users into disclosing sensitive
information; can also be used to entice a users to install malware
• Resource abuse attacks:
– Misuse network, computing or identity resources of a device; two most
common such abuses are sending spam and launching DoS attacks
4

5. Today’s Major Mobile Threats
• Data loss:
– Employee or hacker exfiltrates sensitive information from protected
device or network; loss can be unintentional or malicious.
• Data integrity threats:
– Corrupt or modify data without permission of the data’s owner;
motivations may include disrupting enterprise operations and financial
gain (data ransom fee)
5

6. Mobile Device Security Models
• Traditional access control:
– Protects devices by using techniques such as passwords and idle-time
screen locking
• Application provenance:
– Each app is stamped with identity of author and made tamper resistant;
enables user to decide whether or not to use app based on identity of
author
• Encryption:
– Conceals data at rest on the device to address device loss or theft
6

7. Mobile Device Security Models
• Isolation:
– Limits app’s ability to access sensitive data or systems on device
• Permissions-based access control:
– Grants set of permissions to each app and then limits each app to
accessing device data/systems within the scope of permissions
7

8. High Level Analysis of Apple’s iOS
• iOS security model well designed and thus has far proven
largely resistant to attack
• iOS’s security model offers strong protection against traditional
malware, primarily due to Apple’s rigorous app certification
process and their developer certification process, which vets
the identity of each software author and weeds out attackers.
8

9. High Level Analysis of Google’s Android
• Android’s security model a major improvement over traditional
computing platforms; ultimately relies on users to make
important security decisions and most users are unequipped to
do this:
• Google has opted for a less rigorous certification model,
permitting any software developer to create and release apps
anonymously, without inspection. This lack of certification has
arguably led to today’s increasing volume of Android-specific
malware.
9

10. Mobile Platform Security Summary
10

11. Mobile Device Ecosystem
• iOS and Android devices do not work in a vacuum
– Connect to one or more cloud-based services (enterprise Exchange server,
Gmail, MobileMe, etc.), home or work PC, or all of above
• When properly deployed, both platforms allow users to
simultaneously synchronize devices with private and enterprise
cloud services without risking data exposure
– However, there are several scenarios in which services may be abused by
employees, resulting in exposure of enterprise data
11

12. Mobile Device Ecosystem
• Scenario #1
12

13. Mobile Device Ecosystem
• Scenario #2
13

14. Mobile Device Ecosystem
• Scenario #3
14

15. Mobile Security Solutions
• Mobile antivirus:
– Scanners for Android, but iOS’s isolation model prevents implementing on
iOS devices
– Effective at detecting known threats, but provide little protection against
unknown threats; expect traditional scanners to be replaced by cloud-
enabled, reputation-based protection
– Addresses threats in malware threat category and subset of malware-
based attacks in resource abuse, data loss and data integrity categories
• Secure browser:
– Secure browser apps for iOS and Android checks visited URLs against
blacklist or reputation database and blocks malicious pages
– User must use the third-party secure Web browser to do all surfing
– Secure browsers address Web-based attacks and social engineering
attacks; can also potentially block malware downloaded through browser
15

16. Mobile Security Solutions
• Mobile device management (MDM)
– Enables admins to remotely manage iOS and Android devices
– Admins can set security policies such as password strength, VPN settings,
screen lock duration; can also disable specific device functions, wipe missing
devices and use the device’s GPS to locate missing device
– Doesn’t specifically protect against any one threat category, but helps reduce
risk of attack from many categories
• Enterprise Sandbox
– Aims to provide secure environment where enterprise resources such as
email, calendar, contacts, corporate websites and sensitive documents can be
accessed
– Essentially divides device’s contents into two zones: secure zone for the
enterprise data, and insecure zone for the employee’s personal and private
data.
– Focused on preventing malicious and unintentional data loss; though doesn’t
block other attack categories explicitly, does limit impact of other attacks
16

17. Mobile Security Solutions
• Data loss prevention (DLP)
– Scan publicly accessible storage areas of device for sensitive materials
– Due to iOS’s isolation system, iOS-based DLP tools only inspect calendar
and contact lists
– On Android, could scan external flash storage, email and SMS inboxes, as
well as calendar and contact lists
– Due to isolation models, unable to scan data of other apps
17

18. Thank you!
For more information, please visit:
Podcast - http://bit.ly/ipQUOf
Blog post - http://bit.ly/mk6Ywt
Infographic - http://bit.ly/leQBtV
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
18