Is the iOS system safe?

Hackers have a much deeper understanding of smartphone security than ordinary mobile phone users. A Symantec report conducted an in-depth analysis of the inherent problems in Android and iOS systems, and highlighted:

“Today’s operating system environment for mobile phone devices is messy and insecure, and most mobile phones have no security controls when connected to the corporate network. Many mobile phones synchronize data with third-party cloud services that lack supervision. Some people connect their mobile phones to public computers with unknown security and then connect to the corporate network.”

Don’t think that it has nothing to do with you when you see the word “enterprise”. In fact, mobile phone security is a problem that every mobile phone user faces.

Pillars

First, a quote from Nachenberg in the report:

“The development teams took security issues into consideration when designing the latest versions of these two mobile operating systems, and tried to integrate security into the operating system to reduce security attacks from the outside.”

Nachenberg then tested the security precautions of Android and iOS in the following aspects:

· Traditional access control: Traditional access control technologies include passwords and screen protection locks.

· Permission-based access control: Permission-based access control adds access control capabilities to each program.

· Program origin: Each program will have a postmark, indicating the author of the program, and digital signatures are used to prevent the program from being illegally modified.

· Encryption: Encrypt and hide data on portable devices.

· Isolation: Isolation techniques are used to limit an application's ability to access specific sensitive data or systems.

Performance of operating systems

TechRepublic columnist Francis will first comment on the performance of Android and iOS operating systems for each pillar, and then the author will summarize based on Nachenberg's report.

Pillar One: Traditional Access Control

Francis: In terms of traditional access control, according to my experience, iPhone or Android systems perform very well.

However, if the fingerprint mark on the touch screen is too clear, it may help hackers crack the phone password. In my opinion, most mobile app developers have not added the function of locking the app by unlocking the screen through the operating system.

On Android, I have used App Protector Pro, a software developed by Carrot App. This software allows me to add additional password protection to each program, such as Gmail, Exchange, and Facebook. With this program, if my phone is lost and the other party cracks the lock screen password, I will have some extra time to change the account passwords involved in these programs.

According to my memory, there seems to be no similar security software in the iPhone. I suspect this is because iOS has a more binding sandbox model.

Kassner: Nachenberg believes that the access control function provided by iOS can play a certain security role after the phone is lost. In this regard, Nachenberg believes that the security of iOS and Windows desktop systems is similar.

In the report, Nachenberg was not so polite about Android. He believes that although the Android system can also prevent occasional attacks, the Android system does not support encrypted storage of data in the SD card. Therefore, if the phone is stolen and the data in the SD card is directly read through physical means, Android's password protection is useless.

Pillar 2: Permission-based access control

Francis: According to my experience, there are very few permission mechanisms on iOS, much less than those on Android.

The only permission mechanism that definitely exists is that when a user accesses other protected subsystems, iOS will prompt the user for the corresponding resources and ask for the user's consent.

On the contrary, there are many such permission mechanisms on Android systems. I think this is successful in theory, but in the real world such a permission system does not work because this permission theoretically relies on the user's understanding of the technology.

Currently, 4 out of 5 hackers are using Android phones. Android phones have gradually become mainstream smartphones, but ordinary users do not know whether a certain program should be allowed to run or not.

In fact, I think users should not bear this judgment responsibility. Just like when I go to a dental clinic to have my teeth filled, I don't want the doctor to ask for my opinion on which instrument to use when performing necessary operations. After all, I pay for services and I rely on the resources of the clinic and the experience and skills of the dentist.

Kassner: I have heard many people talk about the licensing system problems in the iOS platform. Nachenberg elaborated on this issue in the report:

“There are four types of system resources in the iOS system that must be confirmed by user permission before programs can access these resources. Access to other system resources is either explicitly allowed or explicitly prohibited by the built-in isolation strategy of iOS. When the following situations occur, the program may make a confirmation request to the user:

· When local data from the mobile phone's global positioning system is needed

· When receiving notification warning messages from the Internet

· When making outgoing calls

· When sending text messages or e-mail messages

If any program attempts to use the above four categories of functions, the user will first see a permission prompt. After the user gives permission, the program can implement the function. If the user allows the functions of the GPS system or the notification warning system, the program will be permanently allowed to use the system, and for the functions of making outgoing calls or sending text messages and emails, the user needs to click to confirm each time."

The Android platform uses a completely different scenario. It is based on the concept of "all or nothing", and I quote a passage from Nachenberg's report to explain this concept:

"Each Android program has integrated within it a list of permissions for the system functions required for the program to work properly. This list will be used to prompt users during the software installation process in a way that ordinary mobile phone users can understand, and users will decide whether to continue installing the software based on the security risks of the software.

If the user still chooses to install the software, the program will gain access to the corresponding system resources. If the user abandons the installation of the software, the program will be completely prohibited from running."

Pillar Three: Program Origin

Francis: In Android and iOS systems, the origin of identity and the mechanism for judging authenticity are obviously different. People have never concluded the advantages and disadvantages of these two mechanisms, but currently, there are more malware targeting Android systems than iOS.

I don’t think Google’s Android system has failed in terms of security, but a series of weak security points make the Android system more vulnerable to security threats. For hackers, there is not much obstacle to developing and distributing malware on Android systems, especially when the software is classified as free, it spreads faster.

Google does not have a review mechanism for previously submitted applications. Developers are not required to prove that they are the ones with the authority to develop and modify the program. There is also no centralized developer authorization. There are currently a variety of channels for publishing and distributing software on Android systems, and the number of channels is constantly increasing. The biggest loophole in the entire process is that hackers can effortlessly obtain software from software stores, restore it to source code through reverse engineering, modify it, add malicious code and package it, and then release it as normal software.

Although iPhone application software can also be tampered with through this series of work, the iPhone's programming language is not public. This non-public programming language is much more difficult to disassemble than the Java language of the Google platform.

Kassner: In this regard, Nachenberg's views are consistent with Francis's. iOS is better than Android in this part.

Pillar Four: Encryption

Francis: I once participated in a cross-platform mobile phone software project, which had clear privacy protection requirements, and at the end an independent team of third-party engineers would review the source code.

At the beginning of this project, I discovered that the user setting data of iOS will be encrypted and stored in a certain location by default, while the Android system puts the user setting data directly in the location of the corresponding program.

This does not mean that sensitive data on Android is not encrypted, or that the encryption technology used by Android is inferior to that of iPhone. This just means that Android will leave more of the encryption work to the applications themselves, rather than through the operating system. There are advantages and disadvantages to this.

If you are a software developer on the Android platform, the data security of your software may not be as good as that of software on iOS. But if you set a special encryption method for your software, the data security of your software may be higher than that of the iOS system, because hackers have to crack the encryption algorithm of the program.

But as a mobile phone user, you don’t know whether the software you download has an encryption mechanism. If the software does not have an encryption mechanism, then since most users' applications are installed on the SD card, and the SD card can be easily removed (such as inserting it into a computer to transfer data), its security cannot be guaranteed.

Kassner: Francis’s views are consistent with Nachenberg’s on encryption. But I still want to say what I think about these two platforms.

First of all, iOS uses an encryption mechanism, but this has limitations. Many programs running in the background (even when the user is not logged in) need to access stored data. To function properly, iOS requires a local copy of the unencrypted key. This means that for jailbroken phones, hackers do not need the user's password to access stored data.

As Francis said, all versions of Android, except version 3.0, do not support encrypted data. This means that any data on the phone can be viewed through jailbreaking or by anyone with administrative access.

Pillar Five: Isolation

Francis: I personally believe that both Apple and Google’s isolation sandbox models are safe and reliable. Compared with the two, the isolation mechanism of Android system is slightly more complex, but it is also more flexible. Compared with iOS system, Android can truly cope with multi-tasking working mode.

As a mobile application developer, I can see the advantages of this mechanism. This requires us to consider security issues during program development and throughout the entire development process. In the development of desktop system software, security issues can be considered at the final stage.

Kassner: Nachenberg and Francis have the same views again. The isolation mechanism allows different programs to work separately, without affecting other running programs due to a program being exploited by hackers.

Weaknesses of both

I am deeply impressed by the security performance of iOS and Android platforms. But it has to be said that both still have "weaknesses". Whether you believe it or not, I believe it anyway.

Nachenberg once mentioned to me that only a few serious vulnerabilities have been discovered in iOS, most of which are related to jailbreaking technology. But I haven’t heard of any malware intrusions yet.

Android also has only a few serious vulnerabilities.

But Nachenberg said one of the vulnerabilities could allow a third-party program to gain control of the phone. And this vulnerability has been known to many hackers, and one of the malware is called Android.Rootcager.

Android.Rootcager is a piece of malware that embarrasses Google. Nachenberg explained: "What's more interesting and controversial is that the fix tool launched by Google for this malware also uses the same system vulnerability to bypass Android's isolation system and delete the part of the malware that poses a threat to the device."

Summary

It can be summarized as follows: two heavyweight players, two different security protection philosophies. The task of this article is to explain the difference between these two security protection mechanisms.