Which platform is most secure? Android or iOS?

An iPhone and an Android phone

Sometimes, things just do not work out as planned. Last week’s Truesec Tech Talk was one of those things.

We are sorry that some of our viewers experienced technical difficulties connecting – and that our demos did not play as intended.

We have investigated the issues and are working closely with the platform provider to ensure that it does not happen again.

One of the consequences of these technical difficulties was that we did not have time to reply to many of your questions during the webinar.

Therefore, we would like to answer them here and clarify a few points from the webinar.

Which platform is the least/most secure? Android or iOS/iPadOS?

We only ran a demo on an Android device during the webinar due to time limitations – it is not an indicator or statement towards Android being more or less secure than any competing platform.

In general, we do not give recommendations for or against any of these – in the same way that we don’t recommend for or against macOS, Windows, or any particular Linux distribution.

I asked my co-host, and Cyber Security Expert, Alexander Andersson for his views on the question:

“The ‘Android vs iOS’ discussion is a bit of apples and oranges. It would make more sense to compare iOS and for example Samsung Android Galaxy. Security should be viewed in terms of resilience – being able to protect, detect, respond, and recover from attacks. Generally, this is achievable no matter if you have Android or iOS.”

To that I would like to add two additional aspects:

Want your mobile devices secure? Make them so.

No platform is more secure than we make it and no platform is secure by default. Android has taken significant steps forward with Android Enterprise. Apple has taken a firm stance for privacy with both current and future releases of iOS.

Looking at Truesec, we have a mix of both iOS and various Android phones, spread across our different competences.

Before choosing an operating system – ensure that your organization understands the challenges and possibilities of it.

These range from supply chain and procurement (read our previous post on the topic here) to built-in security measures, MDM capabilities, and your own requirements. If you feel unsure about making this decision, please reach out to us and we are happy to help you.

Misconfigurations and misconceptions

When my colleagues and I perform health checks and other assignments focused on our customers’ mobile platforms, we often come across the main security challenge with iOS and Android: misconfigurations.

I’ve found environments with up-to-date Android and iOS devices – but where the configuration of the MDM leaves them wide open to both external threats and data compliance issues.

This is often due to misconceptions like:

“Mobile devices are secure and not targeted by attacks.”

“Operating system X is so secure that we don’t need to configure it.”

“This was the recommended configuration when we enrolled our devices; it doesn’t need changing.”

All of the above are of course wrong. Add to that a frequent lack of understanding of the platform’s eco-system, as well as of the capabilities and possibilities of both the MDM and the operating system of the devices.

Choosing your eco-system

To summarize this first question:

Choose mobile devices based on which eco-system you have the most confidence in and knowledge about. Security should of course be a priority – but do not look at that alone.

Most organizations choose a platform based on something completely different: price, taste, usability, integrations, apps, etc. Make security part of this list and decide based on that.

Again – we are happy to assist you in making that decision for your organization, feel free to reach out with any questions or thoughts.

Further questions and notes from the webinar

Q: Can you perform a similar attack like the one you showed on an iOS device? Doesn’t it need to be jailbroken to side-load apps?

A: You can perform this kind of attack without a jailbreak. Below you have a high-level introduction (1), a technical introduction to the concept (2), and an example of when it was used in a real attack (3). MITRE’s ATT&CK Matrix for iOS (4) is a great start to learn more about the attack surface on iOS devices. If you have additional questions regarding this, reach out to me or Alexander.

  1. https://searchmobilecomputing.techtarget.com/opinion/Did-you-know-how-easy-it-is-to-sideload-iOS-apps-to-your-iPhone
  2. https://www.blackhat.com/docs/asia-16/materials/asia-16-Bashan-Enterprise-Apps-Bypassing-The-iOS-Gatekeeper.pdf
  3. https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
  4. https://attack.mitre.org/matrices/mobile/ios/ 

Q: The emulated machine in the demo ran Android 7.0, is anyone running versions that old?

A: The demo did not demonstrate a vulnerability in any specific version of Android and the same principle can be applied to any version (and even iOS).

To answer the question literally: Yes, we see that in close to every environment we evaluate. It can, for example, be phones and tablets that are kept, and used, for cost reasons. Also remember that Android is widely used in other equipment (printers, TVs, booking screens, etc.) which may not receive updates.
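One way to find such devices in your own environment is to check a device inventory export against a minimum OS baseline. The script below is an added example, not code from Truesec or the webinar; the CSV column names, the sample rows, and the baseline versions are all assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample inventory (not real data). The column names are
# hypothetical stand-ins for whatever your MDM's device export uses.
SAMPLE_EXPORT = """device_name,platform,os_version,device_type
sales-phone-01,Android,13,phone
warehouse-tab-07,Android,7.0,tablet
lobby-booking-screen,Android,7.1.2,kiosk
exec-iphone-02,iOS,17.4.1,phone
old-ipad-front-desk,iPadOS,12.5.7,tablet
field-phone-11,Android,10,phone
"""

# Assumed minimum OS versions; replace with the baseline from your own policy.
MIN_VERSION = {"android": (11, 0, 0), "ios": (16, 0, 0), "ipados": (16, 0, 0)}


def parse_version(text, width=3):
    """Turn '7.1.2' or '10' into a fixed-width int tuple, e.g. (10, 0, 0).

    Comparing the raw strings would rank '7.0' above '11' and let the
    old device pass, so versions are compared numerically instead.
    """
    parts = []
    for piece in text.strip().split(".")[:width]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts + [0] * (width - len(parts)))


def audit(export_text, min_version=MIN_VERSION):
    """Return (device_name, device_type, os_version) for devices below baseline.

    Devices on a platform without a defined baseline are reported too,
    so that nothing is silently skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        baseline = min_version.get(row["platform"].strip().lower())
        if baseline is None or parse_version(row["os_version"]) < baseline:
            findings.append((row["device_name"], row["device_type"], row["os_version"]))
    return findings


if __name__ == "__main__":
    for name, kind, version in audit(SAMPLE_EXPORT):
        print(f"{name} ({kind}) runs {version}: below baseline or unknown platform")
```

Including the device type in the findings makes it easy to see when the outdated devices are equipment such as kiosks or booking screens rather than phones.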

Q: Isn’t it enough to protect access to cloud services, from mobile devices, by leveraging MFA?

A: It depends, but in general no. We need to ensure that the access is continuously evaluated, and that data access is protected on the device.

MFA is of course always a good option but should be combined with Conditional Access, Application Protection, MDM, and possibly Cloud App Security.

Q: Is Android Enterprise available in China?

A: No, according to https://support.google.com/work/android/answer/6270910?hl=en it is not. China is still a challenge from an MDM perspective, and other Intune features may not work either. For Android, the challenge is centered around the lack of Google services, which blocks management and security features.

Q: How can I prevent users from taking screenshots of sensitive content?

A: Depending on the platform you have different options:

On iOS, you can only prevent screenshots on a per-device basis. This is due to Apple not allowing individual apps to control the screenshot function. The upside is that this function is available on all managed devices. The downside – it is not available when only using MAM.

On Android, you have more extensive options, with the ability to block screenshots both of the work profile and in the managed apps that are protected by Application Protection Policies.

There could also be extended options based on the available OEMConfig settings that each hardware vendor releases for their devices.

Q: We have moved away from Work Profile due to issues with Android 10 – what can we do to overcome these?

A: There were challenges with Work Profile configurations, especially when upgrading from Android 9, in the first months after release. As far as I’m aware these have all been handled. I’m currently enrolling a few hundred Android devices with work profile (and other profiles) and have had no issues with Android 10.

Depending on what you are configuring now, I would advise you to evaluate Corporate-owned device with work profile as an option as well.

If you still are having issues, please let us know and we will see if we can assist you.

The last question is a combination of one question and one comment – but it’s a good way of finishing up this post.

Q: How would you manage a roll-out of Microsoft Intune to 10 000 users? What is required in terms of user training and support?

A: We always emphasize that an MDM project is at the most 30 % technical. Most of the time and effort should be spent on learning about the organization and its needs. It’s also vital to inform users about what the MDM will mean for them and to explain how their devices and integrity will be impacted.

We have proven processes for all of this, and based on those we would create a roll-out plan. The aspect that usually sets the bar for simultaneous onboarding is the service desk or similar. Even though Intune works well under pressure, a reset of a phone often creates other challenges. Therefore, always plan ahead. Ensure that it is crystal clear what is in scope for the rollout. Personally, I always try to have support staff close at hand, physically at each location.

Now with Covid-19, the situation is harder – but in that case, I would recommend allowing users to enroll when needed over a period of time – to spread the load.

Summary

With that, all questions should have been answered. Please feel free to reach out to us at t3@truesec.se with any additional questions or feedback. If you would like to set up a meeting to talk about how you can secure your mobile devices.