Symantec highlights iOS and Android flaws


Summary: Employers should be aware of the security risks in iOS and Android when deciding whether to allow employees to bring consumer devices into the company, according to Symantec

TOPICS: Security

Businesses should take iOS and Android flaws into account when allowing employees to use their personal phones for work, according to Symantec.


With Apple's mobile operating system, a determined attacker with physical access to a device can bypass encryption, the security company said in a white paper published on Tuesday (PDF). In addition, remote network-based attacks against Safari on iPhones and iPads can cause damage, even though iOS isolates each application on the system from the others.

"iOS's isolation approach has thus far provided a great deal of protection against network-based attacks," Symantec said in the white paper. "However, attacks against specific apps like the web browser, while being self-contained and blocked from impacting other apps, can still cause significant harm to a device."

With Android, Google relies on traditional access control (such as passwords), application isolation and permissions-based access control to secure the device from malware, the security company said. However, the permissions on Google's mobile operating system are ultimately user controlled, opening up employees to scams, according to Symantec's UK security strategist Siân John.

"People are open to social engineering," she told ZDNet UK.

For security, software makers can restrict their applications to only using the resources on an Android phone that they need to work, Symantec pointed out. However, when such third-party applications are being installed, they call on the user to decide whether it is safe to go ahead and grant the permissions for those resources, which can include such things as email contacts, network subsystems and device identifiers.

"Unfortunately, in the vast majority of cases, users are not technically equipped to make these security decisions," Symantec said in its paper.


In addition, the certification process for apps in Android's store is more open to abuse, according to the security vendor.

"Google has a less rigorous certification model [than Apple]," John said. "It's more open to bad people, but because it's more open you can get more security apps on there."

Android and iOS devices potentially increase productivity, but could lead to company data being exposed as employees interact with cloud services, she added.

"Corporate data could end up in the cloud without people realising it," she said. "One of the biggest challenges customers have is getting the right policy and control."

Too much control can frustrate users and have an impact on productivity, while too little control can increase the risk of data compromise to an unacceptable level, she said. Companies have to decide whether to allow users to sync up desktop or corporate PCs to mobile devices that more than likely interact with cloud services.



Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
