Behavior Comparison Shows Apps Are Snoopier on iOS Than Android

Behavioral comparison shows iOS apps are snoopier than those on Android.

BYOD has turned security, network, and datacenter managers into herders and protectors of mobile devices over which they have little control. It has also pulled them into the debate about which of the two most popular platforms is more secure. Given the volume of sensitive corporate data that travels around on BYOD-enabled smartphones, the issue has a direct impact on enterprise security, though Android and iOS fans generally use it to flog one another’s favorite devices as often as they discuss the technical merits of each.

A new study looking at the behavior of the same apps when installed on iOS and Android may not provide a final answer to the security question, but it does, at least, demonstrate that iOS apps are a lot more snoopy than those running on Android.

The study of more than 1,300 applications that run on both iOS and Android, by research scientist Han Jin at the Institute for Infocomm Research and A*STAR in Singapore, showed that an average app running on iOS asks for more privileges and accesses more sensitive APIs than the same app running on Android.

“We needed to establish a fair baseline for the security comparison between Android and iOS,” Han said.

It turned out that apps installed on Android are also somewhat more forthcoming about security and access than those on iOS. When they’re installed on Android, apps ask for fewer unnecessary privileges than they do when installed on iOS; they also display the privileges they’re requesting, so users have a better idea of what they’re approving, Han wrote.

In all, 73 percent of iOS applications (especially those with advertising or analytical functions) asked for more security-sensitive APIs than the same app running on Android. Those APIs tended to be ones with access to sensitive personal data such as user contacts.

That doesn’t mean that Android invariably protects users’ privacy more effectively than iOS. Many attacks on Android apps or systems are designed to increase the privilege levels for infected apps, to give their malware payloads the power to do what they want.

It is much more difficult to elevate the privileges of an iOS app after installation, because both the app and the privileges under which it is installed have to be approved by Apple before the app is distributed.

That doesn’t explain why the same app accesses more security-sensitive APIs when it’s running on iOS than on Android, however. The basic problem, Han concluded, is that iOS apps don’t have to tell the user all the privileges they’re requesting, while there are plenty of mechanisms on Android to both discover and limit those privileges.

Transparency to the user and the ability to change or limit the access of third-party applications don’t guarantee more privacy or security for Android users, but they do make Android much easier to secure, and make it easier for users to know if a particular app is not secure. “Such results may imply that Apple’s vetting process is not as effective as Android’s explicit privilege list mechanism in restricting the privilege,” Han’s research concluded. (The full paper is available as a PDF.)
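The “explicit privilege list” Han refers to is the set of `uses-permission` entries an Android app declares in its manifest, which is what lets a user or an administrator see what an app asks for before it runs. The following script, an added example that is not part of the article or of Han’s study, shows the kind of check that list makes possible: it parses a constructed sample manifest, flags the permissions that reach sensitive personal data, and reports any permission the app requests beyond what its stated function needs. The list of “sensitive” permissions and the sample manifest are this example’s own assumptions, not the study’s classification.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions this example treats as reaching sensitive personal data.
# This classification is the example's own, not the study's.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "user contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "device identity",
}

# Constructed sample manifest (not a real app): a note-taking app that also
# bundles an ad library asking for contacts and location.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# What a plain note-taking app plausibly needs (an assumption for the demo).
EXPECTED_FOR_NOTES_APP = {
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
}


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    name_attr = "{%s}name" % ANDROID_NS
    return [
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    ]


def sensitive_requests(manifest_xml):
    """Map each requested sensitive permission to the data it exposes."""
    return {
        perm: SENSITIVE_PERMISSIONS[perm]
        for perm in requested_permissions(manifest_xml)
        if perm in SENSITIVE_PERMISSIONS
    }


def excess_permissions(manifest_xml, expected):
    """Permissions requested beyond the set the app's function is expected to need."""
    return [p for p in requested_permissions(manifest_xml) if p not in expected]


def audit(manifest_xml, expected):
    """Build a short human-readable report from the checks above."""
    lines = ["Requested permissions:"]
    lines.extend("  " + p for p in requested_permissions(manifest_xml))
    lines.append("Sensitive data reachable:")
    for perm, data in sensitive_requests(manifest_xml).items():
        lines.append("  %s -> %s" % (data, perm))
    extra = excess_permissions(manifest_xml, expected)
    lines.append("Unnecessary for stated function: %s" % (", ".join(extra) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, EXPECTED_FOR_NOTES_APP))
```

On a real app the manifest would first be pulled out of the APK (for instance with the Android SDK’s `aapt` tool) rather than embedded as a string; the point of the example is that the check is even possible, which is the asymmetry the article describes, since an iOS 5 app carried no comparable declared list for a user or administrator to inspect.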

All Han’s tests were run on iOS 5; iOS 6 “has enhanced its privacy protection so that users will be notified when an app is trying to access their contacts, calendar, photos or reminders,” Han wrote. “This may encourage developers to modify their apps so they access less private data.”
