Smartphone Security at Risk on iPhone, Android Handsets

Apple's iPhone OS and Google's Android are beginning to gain traction in the enterprise mobile device landscape -- but smartphone security issues may limit their usefulness.

The iPhone OS and Android, two smartphone platforms that support a rapidly expanding catalog of apps, differ in many ways, but most noteworthy is that the first is a closed platform and the second is basically open.

Being closed means Apple controls which mobile apps the iPhone can run and what features can be added to the operating system. An Android developer, on the other hand, can legitimately distribute any app as long as it's not illegal or obscene, and any hardware vendor can produce an Android handset, adding proprietary extensions to give it the extra functionality it wants. Put aside any prejudices and it's apparent that both approaches have their advantages.

Since Android is open, there'll be a big range of Android phones to choose from, at many price points, from a wide range of carriers. That's got to be good: with the iPhone you're stuck with two models, a narrow range of call plans, and the dreaded AT&T.

But Apple's forte is the user experience, and having complete control over the iPhone means it can ensure it's a great one. It also means correctly written apps will work as expected. Since Android phones aren't all identical, apps that run on one handset may not work on another. That sucks.

Smartphone Security: Why both mobile operating systems have issues

There's a parallel here with the personal computer market in the '80s, with Apple's closed architecture battling the PC's open one. Apple emerged from that fight with a market share of around 5 percent, while Microsoft bagged about 95 percent. Why was Apple trounced so soundly? Apple's high prices were undoubtedly an issue, but the key reason for the PC's ultimate hegemony was that more software was written for it -- because developers liked the open PC hardware platform.

The good news for Apple is the cards aren't all stacked against it this time round. Its phones may still be expensive and its platform may still be closed, but there are more apps for the iPhone than any other smartphone, and the handheld device already commands a sizable market share.

However, there's an enormous elephant in the room, and it's got "security" written all over it.

Security's not a term that many iPhone fans will be familiar with, as Apple's controlled environment is supposed to ensure that nothing can go wrong -- ever. Apps have to be inspected and approved before they are allowed to be downloaded on any iPhones. And Apple controls the OS, so it can ensure no security holes exist for long by patching them as soon as they are discovered. If only.

The reality is that Apple's security record is actually rather dismal: when security bugs are found in services such as SSL or DNS which affect many different operating systems, Apple is often among the very last to patch them. And its code inspectors can't possibly hope to find all traces of malicious code in every third-party iPhone app they vet. What's worse, Apple's tortuous approval process means developers can't fix code in their own applications when they need to. The latest iPhone OS update, 3.1.3, fixed four security vulnerabilities.

So far, Apple has gotten away with its lax attitude on mobile security because it hasn't been interested in enterprise markets, and because its tiny market share for computers hasn't merited malware writers' attention. But now that the iPhone OS has made significant gains in the enterprise smartphone market, there can be little doubt hackers will be targeting it, and there's a big question mark over whether Apple is capable of rising to the challenge.

What about Android then? Sadly, the security it offers is probably no better. Anyone can write a malicious app and make it available to Android users -- and it's already been done. On Windows the solution is endless layers of security software, so it's no surprise that anti-virus apps for Android have already started to appear. Do we really want bloated security suites slowing down our smartphones? I don't think so.

The truth is that security risks from the use of iPhones or Android phones are inevitable. In fact, just recently in a cybersecurity study on 2010 malware trends, mobile devices, including the Apple iPhone and Google's Android-powered handheld computers, were cited as prime targets for exploitation by cyber crooks.

That means that for mobile IT, smartphone security measures need to be implemented, for instance by locking the devices down and centrally managing them. In some organizations it may even be necessary to prevent them from running any third-party apps at all. That would be a shame, because it's the productivity gains many of these apps could offer that account for much of the appeal of these smartphones in the first place.

