http://palizine.plynt.com/issues/2011Oct/android-vs-ios/

Specific Concern Areas

The key security concerns and risks that surround you if you do not adequately secure your device against theft or unauthorized usage are:

The phone stores all kinds of sensitive information: WeChat, online-banking accounts, the address book, SMS, work data, photos of your crush, steamy videos and so on. Phone security means keeping this information safe.

  • Access to email and social networking accounts set up on your phone.
  • Access to personal and confidential files, documents, emails, etc. that are stored on your device.
  • Access to your personal messages and phone book.
  • Sending messages to or calling premium numbers.
  • Access to stored passwords.

Comparing the Security of the Android and the iOS

Approval Process

Description: Users of Android and iOS download applications from a common repository called an “App Store”. App Stores refers to a collection of various online distribution platforms. A proper approval process has to be in place to make sure that an application uploaded to the App Store is safe to download and use.

Although both are called app stores, Google's and Apple's are worlds apart: an app review at Apple takes two months, while an Android app goes live after an automated scan. The entry point is the very core of phone security, and Google's mechanism guarantees it will always lag behind Apple on security. Is this the price of freedom?

Android: Android users download applications from a common infrastructure that hosts all Android applications in a centralized place called the “Android Market” and maintains the various versions and updates. Any application can be uploaded to the Android Market, and Google does not seem to evaluate whether the application does more than what it says it does. It follows what is known as a Capability-Based Security Model.

Besides the lack of review, the Android market is a mixed bag! Anyone can open a store! Google does have a scanning tool (to be covered in a dedicated post), but in testing it turned out to be pretty dumb!

When the application is installed on a mobile device, the user is shown a list of all the permissions that the application needs access for in order to run and the user has to decide whether to continue with the installation process or not. It is left to the user to decide whether the application actually requires those capabilities or not.

In Google's geek spirit, the decision on the device is handed to the user, and permission control happens mainly at install time (newer versions have some runtime control, e.g. for SMS). It is very open, but how is a user supposed to know whether to agree? Who has the time to read permissions carefully? Besides, once some loser sees an app named "108 Tricks to Win Over Your Goddess.apk", he won't look any further and just taps Accept!!

For example: If an internet-based messenger application requests for internet permissions, it should not be an issue. But if a calendar application requests for similar internet permissions, then it may create suspicion in the user’s mind. The model does not provide the user with the understanding to choose to install or abort this installation. On the other hand, if an application has been reported to contain a malware or said to perform any kind of malicious activity, the application is wiped by Google’s remote wipe feature.

Which permissions a given app ought to request is actually hard to say. You can't discriminate against a calculator: can't a calculator have a mobile-internet heart? Can't it request the internet permission?? Is it evil just because it asked?

On this point there is academic literature that goes into depth (more on that later).

Google also has a kill-switch feature, which is a bit sinister. It keeps a persistent connection... and can be used to control the device remotely... Fortunately GMS has been stripped out of most devices in China!

iOS: Apple has its own App Store, which hosts all the applications centrally for the entire iOS community. Unlike Android, Apple follows a strict approach to selecting an application. According to apple.com, the review process is not limited to tests for vulnerabilities such as software bugs, instability on the iOS platform, and the use of unauthorized protocols, but also tries to protect privacy, safeguard children from exposure to inappropriate content, and avoid applications that degrade the core experience of iOS.

Having covered Android: besides the strict entry control, iOS costs $99, which a loser can't afford; anything malicious has a hard time passing review, and it is also hard to be malicious, because iOS has cut most permissions! Apart from location and contacts, which also get a runtime prompt.

Those two can't be blocked, of course; finding goddesses by location is the heart of the mobile internet.

Application Permissions

Description: Once an application has been installed on your device, it has access to all the device resources and can perform any kind of malicious operation using the permissions it was granted. It should therefore be possible for the user to know which access permissions have been granted to the application, so as to decide whether the application actually requires them or not.

Android: As discussed earlier, Android follows the Capability-Based Security Model. Each Android application must tell the Operating System what capabilities it requires. These capabilities are measured in terms of permissions. When the application is installed on a mobile device, the user is shown a list of all the permissions that the application requires access for in order to function and the user has to decide whether to continue with the installation process or not. Once the application has been provided with the appropriate permissions, there is no way of ensuring that the application would not perform any malicious activity using the specified permissions. The user thus chooses a fixed list of capabilities that the application should have. The application does not have the permission to perform any kind of action outside the scope of the explicitly specified permissions.
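The install-time review described above, and the calendar-app-requesting-internet case under Approval Process, amount to a simple check: compare the permissions an application declares against what an app of its kind plausibly needs. The following script is an added example, not code from the original article or from Google; the sample manifest, the per-category baseline and the high-risk set are all constructed for illustration (a real reviewer would maintain a far richer baseline).

```python
"""Install-time permission review for an Android manifest (added example).

Given the <uses-permission> entries an application declares, report the
ones that fall outside the baseline for its stated category, and single
out those that can cost money or leak personal data.  The manifest, the
category baseline and the high-risk set below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "calendar" app that also asks for internet,
# SMS and contacts access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calendar">
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Assumed baseline: permissions an app of each category is expected to need.
EXPECTED_BY_CATEGORY = {
    "calendar": {"android.permission.READ_CALENDAR",
                 "android.permission.WRITE_CALENDAR"},
    "messenger": {"android.permission.INTERNET",
                  "android.permission.READ_CONTACTS"},
}

# Permissions matching the article's concerns: premium numbers, personal
# messages and the phone book.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}


def declared_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>, in order."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for node in root.findall("uses-permission"):
        # The name lives in the android: namespace, so look it up qualified.
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.append(name)
    return perms


def review(manifest_xml, category):
    """Return (unexpected, high_risk): permissions outside the category
    baseline, and the subset of those that are high-risk."""
    declared = set(declared_permissions(manifest_xml))
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    unexpected = sorted(declared - expected)
    high_risk = sorted(p for p in unexpected if p in HIGH_RISK)
    return unexpected, high_risk


if __name__ == "__main__":
    unexpected, risky = review(SAMPLE_MANIFEST, "calendar")
    for perm in unexpected:
        label = "HIGH RISK " if perm in risky else "unexpected "
        print(label + perm)
```

Run against the constructed manifest as a "calendar" app, INTERNET is reported as unexpected and SEND_SMS and READ_CONTACTS as high-risk; classify the same manifest as a "messenger" and only the calendar and SMS permissions stand out. The point the article makes is that the user is handed exactly this comparison at install time with no baseline to judge it against.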

Actually the best permission control is to forbid most things and prompt at runtime for the small remainder. Some software (LBE) and custom ROMs now let users modify permissions through technical means, but that isn't worth much either.

iOS: In iOS, there is no concept of explicit permissions. Thus, there is no way of restricting the actions that an application can perform. The application does not reveal what permissions the application requests for or accesses to the user. All the applications have equal access to all the iOS device resources and can use them without the permission of the user. Hence, once an application has been installed on the device, it can perform any operation under the pretext of performing an actual action.

Either forbid it outright, or a runtime prompt for everything else: that's the way to go!

Programming Language Used

Description: The programming language used for the development of applications not only affects the performance of the application, but the security is also affected by the choice of language and implementation methodology.

Android: Android applications are usually written in the Java programming language. According to OWASP, applications written in interpreted languages like Java are immune to buffer overflow, which makes the Android platform somewhat resistant to buffer-overflow attacks. Even if a buffer overflow takes place, each application runs in its own Virtual Machine, so the overflow would neither affect any other application nor lead to information leakage (unless they are shared applications).

JNI can't escape this either!

iOS: iOS applications are written in the Objective-C programming language. Applications are linked to C libraries, and vulnerabilities in these standard libraries can cause vulnerabilities even in programs written in "safe" languages. The use of common C string-handling routines like strcat, strcpy, gets, etc. is predominant in iOS applications, and this makes these applications susceptible to buffer-overflow attacks.
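The practical takeaway from the paragraph above is to find calls to the unbounded routines it names before they ship. The scanner below is an added example, not code from the original article, Apple or OWASP: it reports each call to an unbounded C string routine in a source file, with its line number and a bounded replacement. The Objective-C sample is constructed, and the replacement table is this example's own assumption.

```python
"""Flag unbounded C string routines in Objective-C / C source (added example).

A lightweight static check in the spirit of the article's point that
strcpy, strcat and gets expose applications to buffer overflows.  The
source sample is constructed; the routine-to-replacement table is an
assumption of this example rather than an official list.
"""
import re

# Unbounded routine -> bounded alternative suggested in the report.
UNSAFE_ROUTINES = {
    "strcpy": "strlcpy (or strncpy with explicit NUL termination)",
    "strcat": "strlcat",
    "gets": "fgets",
    "sprintf": "snprintf",
}

# Match an identifier used as a call, e.g. "strcpy(" but not "mystrcpy(".
CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(UNSAFE_ROUTINES) + r")\s*\("
)

# Constructed Objective-C snippet: two unsafe calls and one bounded call.
SAMPLE_SOURCE = """\
- (void)greet:(NSString *)name {
    char buf[32];
    strcpy(buf, [name UTF8String]);   // unbounded copy
    strcat(buf, "!");                 // unbounded append
    char safe[32];
    snprintf(safe, sizeof safe, "%s", buf);
    NSLog(@"%s", safe);
}
"""


def scan(source):
    """Return a list of (line_no, routine, suggestion) for each unsafe call."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for match in CALL_RE.finditer(code):
            routine = match.group(1)
            findings.append((line_no, routine, UNSAFE_ROUTINES[routine]))
    return findings


if __name__ == "__main__":
    for line_no, routine, suggestion in scan(SAMPLE_SOURCE):
        print("line %d: %s() is unbounded; consider %s" % (line_no, routine, suggestion))
```

On the constructed sample the scanner reports the strcpy on line 3 and the strcat on line 4 and stays silent on the snprintf, which takes an explicit buffer size. A check like this belongs in the build or review step; it does not replace bounds reasoning about the destination buffer, but it does make the unbounded calls impossible to overlook.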

Openness

Description: The availability model of a system's source code affects the security of an application. However large the corporation, the number of bugs reported in a closed-source framework application can never match those reported in an open-source one. Thousands of security professionals study the platform daily, trying to discover vulnerabilities as well as helping the makers of the application fix the existing ones.

Android: Android is an open source platform and the code base for its underlying platform is available for anyone who needs to read, understand, implement or test the features of the platform. Due to this, the vulnerabilities are detected at a faster pace compared with any other closed platform. Thus, all the users of the platform play an integral role in securing the complete platform as a whole. Due to this open source nature of the Android code, new technologies can be incorporated into the code as and when they advance and thus the entire mobile community can reach new heights due to the openness of the code.

iOS: Compared with Android, iOS is more of a closed platform, with only part of the iOS framework, such as WebKit, being open source. Thus, the speed at which bugs are found and fixed in iOS can never compare with that in Android.

Android finds problems fast, but nobody fixes them, ha! iOS finds problems slowly but fixes them quickly.

Data Protection

Description: Smartphones are small, stylish, smart and expensive, and hence become a prime target for thieves. Thus, it is very important to secure data in order to prevent data leakage due to mobile theft.

Android: In an Android, you can set up an access code PIN, which you would have to enter every time that you want to use the device. Without the access code, the device would be rendered useless. Although this sounds fool-proof, the Auto-lock process for the Android is really buggy and requires the user to enter the PIN Code even after a 1-minute call. This is quite irritating and eventually many users tend to disable the gesture and PIN Unlock feature of the Android. This allows data leakage whenever a stranger gains physical access to the device.

iOS: In contrast to Android’s PIN Unlock feature, iOS has what is called a delayed lock code. This gives the user the freedom to use the device without entering the Passcode for a small interval of time, like a minute or a custom time value specified by the user. This is preferred by users and from the security perspective as well, as a logged-in user need not repeatedly prove that he/she is logged-in.

Device PIN: helps with security, especially alongside a strong password and full-disk encryption. Unfortunately the input experience is terrible; wait for fingerprint or facial recognition.

Conclusion

After reviewing the security features of the Android and the iOS, we can conclude that there is no clear advantage of the one over the other. The Android has a nice permission model that allows users to know exactly which resources would be used by their application whereas Apple has a good approval process in place. Android applications are somewhat safe against buffer-overflow attacks, but their Auto-lock feature lacks the custom delayed Auto-lock feature that the iOS provides. The open source nature of Android has considerably contributed to the reduction of flaws in the existing operating system.

A few basic security pointers to keep your data on the respective mobile device safe are:

A pile of advice: it feels like it ended too quickly. This article is still lacking in content!

  • Update your Smartphone OS, irrespective of it being an Android or an iOS, whenever any application patches or OS upgrades are released.
  • Always use a Passcode to lock your device in order to avoid data leakage, if the device is being used by a stranger.
  • Do not jail-break, root, or modify the OS files.
  • Install an antivirus and firewall software to detect and stop any infection and intrusion.
  • Install device-tracking applications to find the phone whenever it is lost or stolen.
  • Regularly backup or synchronize your settings and other personal information in order to avoid the loss of data due to theft.
  • Try to learn about the application’s reputation before installing it.
