Wednesday, August 15, 2012

Launching the blog

In our upcoming Mobile App Sec Triathlon, Gunnar and I are going to be presenting a deep dive into the app security worlds for both Google's Android and Apple's iOS platforms. But which is better (in security terms)? Or does that even matter to our consumers?

Well, for one thing, the Triathlon event isn't about one versus the other, but comparisons are inevitable nonetheless. The truth is that both platforms offer consumers--and developers--considerable security features and, at the same time, pitfalls to avoid.

In some ways, the two smart phone / tablet environments offer several similarities. They're both built on top of venerable UNIX / Linux kernels, and their respective lists of features are quite formidable, and have huge areas of overlap. From a security perspective, both environments have implemented sandboxes for their apps, so that a security defect in one app should not impact the rest of the system. Or so the theory goes.

But peel back that onion just a little bit, and the differences start to surface very quickly. For one thing, Android's security foundation differs substantially from iOS's. It is more of a traditional UNIX-like model that relies on file access controls via unique UIDs and GIDs for each app installed. Apple, on the other hand, accomplishes their app sandboxing via a massive hierarchical digital signature chain, coupled with rigorously reviewed and enforced app policies surrounding their app store.

Neither approach is perfect, and both have significant strengths and weaknesses, as you might well expect.

Time (and consumers) will be the ultimate judge of which approach is more effective. As of this writing, however, any objective measure will show that Android leads the pack in active malware samples in its ecosystem. The argument could be made that Apple's policy-heavy approach has thus far served it well, while Android's more open approach has shown some signs of problems.

But one thing is for certain, at no time have consumers had more or better choices in mobile computing devices. As a result, there's been a veritable gold rush of apps hitting both ecosystems.

As pragmatists, Gunnar and I like to focus on how to make the best use of whatever tools we're given. The truth is that a determined app developer can write significantly secure--note I didn't say perfect--software on either platform. But, when you have to cross a minefield, it's always best to know where the mines are.


Ken van Wyk

No comments:

Post a Comment