Android’s version fragmentation puts Apple ahead in the mobile device security race, claim researchers at Black Hat.
In a session titled ‘Can you trust me now? An exploration into the mobile threat landscape’, Atredis Partners researchers Josh Thomas and Shawn Moyer set out to contextualise the rest of the Black Hat mobile track.
The speakers declared BYOD “pretty much common practice now”, and lamented that although mobile phones have replaced laptops for many when on the road, people don’t think of phones as a laptop replacement and thus “forget how much data is on them and how interesting they are.”
In 2015 Q3, Android had 53% of the US OS market share, but 83% worldwide. “iOS is a first-world platform,” said Moyer, who explained that mobile threats vary according to geography, and singled out Asia as being particularly vulnerable to Android exploits.
Although the researchers declared both Android and iOS as “winning” in terms of growth – in stark contrast to RIM which they labelled “basically irrelevant” – they argued that Android’s version fragmentation leaves Apple ahead in terms of security.
Android, they said, is plagued by version fragmentation often beyond their control. “There are many versions of Android OS released, and so many tweaks by so many developers, but you don’t traditionally see updates from them,” said Moyer. “Android vendors are planning for obsolescence, they expect you to always get the new devices, but not everyone can afford to do that.”
Apple, however, have a better track record of continuing to support older devices on the new iOS. “Almost all of their devices are on the new version or one version back. Apple is really good at getting new updates out fast, and it’s one reason why people claim that Apple is winning security.”
Vendor patches, note the researchers, are sometimes the only control we have over our own security. “Apple has ensured that most of their consumers are well-trained to click ‘OK’ to update their software.”
Securing the Whole Stack
Security expectations and baselines are determined by which versions of the kernel and operating system are running, Thomas explained, adding that there are many layers to the stack and that the hardware layer of the phone “is a limiting factor on the security you can do, but is the really interesting part of mobile security.”
Thomas and Moyer analyzed and critiqued a few different MDM technologies, including Baseband and TrustZone, but focussed particularly on TrustZone. “Security people got really excited about TrustZone, billions of dollars have been spent, and amazing cryptographers have worked on the development, but all of the effort has been on piracy and securing Netflix, it doesn’t do any of the security things you’d think it would. It’s just about protecting data and none of the other layers.”
“Mobile device management is so far up the stack, it’s not the be all and end all,” cautioned Thornton. “I’m not telling people not to run MDM, but the security industry likes to sell simple solutions to complicated problems, so be wary,” he concluded.