Symantec highlights iOS and Android flaws

Employers should be aware of the security risks in iOS and Android when deciding whether to allow employees to bring consumer devices into the company, according to Symantec.
Written by Tom Espiner, Contributor

Businesses should take iOS and Android flaws into account when allowing employees to use their personal phones for work, according to Symantec.


With Apple's mobile operating system, a determined attacker with physical access to a device can bypass encryption, the security company said in a white paper published on Tuesday (PDF). In addition, remote network-based attacks against Safari on iPhones and iPads can cause damage, even though iOS isolates the applications on the system from one another.

"iOS's isolation approach has thus far provided a great deal of protection against network-based attacks," Symantec said in the white paper. "However, attacks against specific apps like the web browser, while being self-contained and blocked from impacting other apps, can still cause significant harm to a device."

With Android, Google relies on traditional access control (such as passwords), application isolation and permissions-based access control to secure the device from malware, the security company said. However, the permissions on Google's mobile operating system are ultimately user controlled, opening up employees to scams, according to Symantec's UK security strategist Siân John.

"People are open to social engineering," she told ZDNet UK.

For security, software makers can restrict their applications to only using the resources on an Android phone that they need to work, Symantec pointed out. However, when such third-party applications are being installed, they call on the user to decide whether it is safe to go ahead and grant the permissions for those resources, which can include such things as email contacts, network subsystems and device identifiers.

"Unfortunately, in the vast majority of cases, users are not technically equipped to make these security decisions," Symantec said in its paper.

In addition, the certification process for apps in Android's store is more open to abuse, according to the security vendor.

"Google has a less rigorous certification model [than Apple]," John said. "It's more open to bad people, but because it's more open you can get more security apps on there."

Android and iOS devices potentially increase productivity, but could lead to company data being exposed as employees interact with cloud services, she added.

"Corporate data could end up in the cloud without people realising it," she said. "One of the biggest challenges customers have is getting the right policy and control."

Too much control can frustrate users and have an impact on productivity, while too little control can increase the risk of data compromise to an unacceptable level, she said. Companies have to decide whether to allow users to sync up desktop or corporate PCs to mobile devices that more than likely interact with cloud services.
