View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 13, 2015

Do we have too much faith in Apple’s iOS walled garden?

Analysis: Google and Apple's approaches to mobile security both have their share of flaws.

By Alexander Sword

Although BlackBerry OS is the most secure operating system, most people would put iOS at second, ahead of Android by a wide margin.

Usually this is attributed to Apple’s walled garden approach to security; applications exist within a closed ecosystem that is supervised by Apple.

However, there may be a way into the walled garden that most of the time isn’t considered.

"Apple is very secure for two reasons; one is it is very controlled," says Simon Bryden, Senior Engineer at FortiGuard Labs, a division of Fortinet.

"The other thing is you have this secrecy where we don’t have access to the source code.

"Now that’s a bad thing in a way; it means it’s much more difficult for the good guys to find the vulnerabilities in Apple.

"It’s much more difficult for the bad guys as well but all it takes is for one bad egg within Apple to sell some source code to a cybercriminal and then he has a massive advantage over the good guys."

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The recent xCode Ghost breach also shows that the walled garden approach is not infallible, and should not lead to complacency at Apple.

"The recent hack infected the development environment itself, which automatically infected any application created with the environment," said Bryden. "Because the infection was in one of the standard app libraries, Apple don’t even check that in their standard code reviews; they only check the code of the developer.

"First of all the developers didn’t know they were writing malware. Secondly Apple didn’t check it, and thirdly it was automatically being done by hundreds of developers.

"This is another example of how creative and smart these guys are. You think you’re safe but they are always looking for ways to get through."

It is also possible that the absence of a walled garden is being given too much onus in Android’s lower reputation for security. Bryden suggests that other aspects of Google’s approach could also be improved.

"Android is extremely complex. It’s based on Linux which is already very complex and very much uncontrolled compared to iOS, with more alternative app stores. The CPUs in the phone are very powerful and you have a ton of different sensors and cameras; it’s very much a target.

"Google seem to have gone back a step in terms of security. With what Microsoft and Intel have been doing over the last ten years in improving code and operating systems to stop common attacks, you are still seeing vulnerabilities and attacks but it’s much more difficult now.

"If you look at a hacking website and look at some of the techniques you’ll find 90 percent of them don’t work anymore.

"It would be natural to think Google would take that wholesale and use those techniques in their operating system. They haven’t done that. A lot of those techniques you can’t use on Windows but you can on Android."

In addition, Bryden criticises Google’s update processes.

"The update mechanism of Android is fundamentally flawed from a security perspective because it’s not Google that manages the security updates, it’s the telcos and mobile operators.

"StageFright is a good example; Google issued a patch but now each of the mobile operators has to push that patch to its customers. That slows everything down and gives much bigger windows of opportunity for hackers."

So perhaps the walled garden should not loom so large in our minds as a panacea for security. Other factors are also important for defining how secure a system is.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.