
2015 12th International Conference on Information Technology - New Generations

Android vs. iOS Security: A Comparative Study
Ibtisam Mohamed, PhD Candidate
Department of Computer Science
University of Denver
Denver, CO 80208, USA
ibtisammarai@gmail.com
Dhiren Patel, Visiting Professor
dhiren29p@gmail.com

Abstract—The massive adoption of mobile devices by
individuals as well as by organizations has brought forth many
security concerns. Their significant abilities have resulted in
their permeating use while correspondingly increasing their
attractiveness as targets for cybercriminals. Consequently,
mobile device vendors have increasingly focused on security in
their design efforts. However, present security features might
still be insufficient to protect users’ assets. In this paper,
factors that influence security within the two leading mobile
platforms, Android and iOS, are presented and examined to
promote discussion while studying them under one umbrella.
We consider various factors that influence security on both
platforms, such as application provenance, application
permissions, application isolation, and encryption mechanisms.

[Figure 1: Mobile Devices Shipped]

Keywords: Android; iOS; Application store; Mobile
Platform; Security.

I. INTRODUCTION
Mobility and connectivity offered by smartphones and
tablets make them an essential part of our modern life.
Many types of attacks have compromised mobile devices,
such as worms and viruses, posting malicious applications
to the application stores, obtaining sensitive information,
modifying data on a device, sending unwanted SMS
messages, gaining location information, etc.
According to Canalys [1, 2], the number of smart mobile
devices (notebooks, tablets and smart phones) shipped
worldwide for the first quarter of 2013 reached 308.7
million units, which represents a year-on-year growth of
37.4%, and their combined market share is expected to grow
to 66% by 2016.
We restrict our study to the two leading mobile
platforms: Android and iOS. It should be noted that these
platforms are updated quite frequently and that strides are
made to improve security. Nevertheless, it has been our
experience that general trends tend to persist in terms of
statistics regarding attacks. It should be noted that this paper
is not intended to compare and contrast the relative
vulnerabilities of iOS and Android. It is intended to give a
broad understanding of the present state of mobile security
efforts and the varying concepts that come from the two
leading platforms. People are continuously attracted to the
number of applications (apps) available in the application
stores of the two most popular platforms. Figures 1 and 2
illustrate some of the statistics regarding their popularity per
Canalys [1,3].

[Figure 2: Apps Downloaded in First Quarter 2013]

As of May 2013, there were over 800,000 third-party
applications in the Apple App Store and about the same
number on Google Play for the Android [4]. The large user
base of mobile devices has made them attractive targets for
attackers.
As mobile devices are holding very sensitive
information (such as login credentials), the users'
confidentiality is at risk of being breached. Cybercriminals
have found many sophisticated ways to perform malicious
activities on mobile devices. Cybercrimes such as identity
theft, information theft, distribution of malware, and
financial fraud have become a real threat to individuals,
organizations, and service providers. Nevertheless, there are
defenses that can be put in place to minimize and mitigate
these threats.
The continually changing contextual and situational usage
of mobile devices poses a significant challenge for those
developing mobile security. Devices at home, such as
desktop computers and Blu-ray players, are not as frequently
subjected to public networks, theft risks, and as wide of a
range of situational possibilities for skimming, scanning,
and outright attack. As the growth of use, flexibility, and

978-1-4799-8828-0/15 $31.00 © 2015 IEEE 725
DOI 10.1109/ITNG.2015.123

It is digitally signed with a vendor-issued digital may be placed on developers who may misunderstand or be certificate to make it tamper resistant. Before widened. Apple ensures that those developers become more their apps through Google are asked to pay $25 as a fee responsible in making high quality apps. this linkage cannot be guaranteed since the attackers can use This vetting process deters hackers from writing a stolen credit card to pay the fee [6. any inevitably follow. is the only the hands of more people and the scope of its usage is way for iOS developers to distribute an application. before posting an app on the App Store. app is embedded into the app. thus slowing maturation of applications and Provenance is a method where each third-party encouraging security setbacks. on the digital signature of the app [7]. When Apple knows about its application permissions used by Apple and Google. control. the official Apple marketplace. Android app developers can post signing certificate. Android does not require the Each app needs to be digitally signed with a digital applications’ developers to register with Google Play and certificate issued by Apple. The number of vulnerabilities and malware affecting Even with the efforts made to improve the security of these platforms are illustrated in section 6. formulates the approval process for third-party apps (as There are examples where a malicious application passed followed by Apple and Google). On the other.” As iOS is placed in App Store. so it is hard to evaluate its efficacy. it is stamped with its author’s more resource drain and consequently financial burdens identity.necessity of mobile devices continues. which adds another defensive measure their apps on any website on the Internet. Section 3 illustrates the the approval process. In fact. Each of the mobile applications [6]. In fact. signed digitally. it is accepted. and a conclusion the App Store.7]. Android differs from Apple. In addition. 
iOS developers become more security and risk savvy than in the past. malicious apps to be sold in the App Store or even try to One of the biggest security concerns with Android is that attack a published app.8]. They first need to give their Google Play is not the only place for distributing apps to identities in order to register with Apple and acquire a Android users. On the one hand. This step is known as the vetting process and it takes up to B. Android requires apps to be digitally signed. Google uses this process to link a certain app with its app for malicious behavior and violations of Apple's digital certificate generated by the developer. Lack of user awareness of risks involved creates a Nonetheless. After the are more difficult to circumvent the process. The process of digitally signing developers who want to post their apps on Google are able an app aims to guaranty that both the identity of the app's to create as many signing certificates as they want without developer and the app are not modified or tampered with. being monitored by Google [7]. the developers who are willing to distribute process. once the app is reasons for opportunistic security compromise will submitted to the App Store and certified by Apple. according to Symantec. and the identity of the developer have Google-issued signing certificates. Encryption techniques for improving security by Storm8 from the App Store when it discovered that these defenses used by the two platforms are discussed in section applications were collecting users’ personal information [9]. using credit cards and wait for their apps to be certified. Apple removed all applications developed Android. If the application does not violate the licensing Like Apple. policies [6]. lack of details and security. The data security on a device depends on use stolen identities to register with Apple to post harmful the mobile platform that is used. certain circumstances. Additionally. 
developer is tested for its privacy and security violations. Furthermore. so recedes the age-old aegis A. Section offending behavior. mobile platform vendor validates the double-edged sword. Users usually unaware of what is appropriate behavior for an app in download an app based on its author identity [6]. there are still many tradeoffs. Also. As with most things that application is scrutinized for its intended functionality and Apple does in a proprietary fashion. By making software developers go through the certification However. fact that the vetting process could deter some would-be developers from proceeding with new or improved II. Apple checks each Here. in 2009. In fact.6. The risks may take forms as yet attempt to modify the app would result in breaking the seal unpredicted. users of Apple mobile devices may need to distributing an application via the app store. Apple has a licensing is a consequence of the tradeoff between resources. agreement where each application submitted by a third-party and generality of use. Aside from the is drawn in section 7. Nonetheless. agreement. opportunities and against any malicious activity. A skillful attacker may be able to insert a operating systems has its own security features to mitigate malicious code without being caught during the certification security risks [5]. Before posting an app into the applications potential changes regarding vetting can prove to be a marketplace. where the apps are 726 . hackers can measures in place. Apple does not reveal its vetting The rest of the paper is organized as follows: section 2 process to the public. it removes it from the App Store. as the popularity and market-share of Apple grows. APPLICATION PROVENANCE developments. and published in However. process. iOS Application Provenance: that “no one bothers to attack an Apple. the process of digitally signing an app for the App Store [3. 5. For 4 shows a comparison between isolation systems in iOS and instance. 
these security challenging environment for vendors to put all the defensive defenses are not absolutely effective. Android Application Provenance: two weeks. application is checked. it ensures that efforts provenance and authenticity of this application. This first need to register with Apple [7].

it is hard to ensure that the any time an app needs to access these features [12]. starting an outgoing phone call. i. CAMERA for taking pictures. the user Android platform and its corresponding Google Play store should understand the real intent behind this app.g. explicitly asking the user.not evaluated by Google. thus creating a Trojan horse [6. users parameters. and data A. This may have leave developers full permissions some apps refuse to install.e. while too much freedom leads to potentially. According When an application is downloaded on a device. it will stop installing. Furthermore. access these resources. outbox and SMS systems of the device. they Global Positioning System: acquire the location of the end up choosing the default choices. For example. the then distribute the malicious app into the Internet or into user has to decide whether or not the app actually needs Android's marketplace. exposed to third-party threats and a relatively unrestricted Sometimes. third party applications a limited set of permissions that are Cybercriminals can use this information to make cellular required by the application sandbox. control leads to reduced usefulness and discourages unless the user base is security-aware. which may not be the device) [8. wise choice [14]. emails in the inbox. they attempt to use their social engineering skills to permissions that widely-overreach reasonable security convince users to install their applications. Given that the significant spread use and form of the Android platform. it can to Symantec. Essentially. For example. application's developer will not create an anonymous digital certificate and avoid being caught. in some cases permissions to access some resources have to be given by IV. however without where to place their trust. The user is in-charge of judging whether an app is for making security decisions. But. it is hard to guarantee that concerns being placed into the hands of consumers. permissions until it is deleted. 
other applications. etc.8]. malicious opportunism. users end with certain legal pitfalls as the lack of mechanisms up giving what the apps are asking for and then their devices preventing certain application behavior may allow will be under the attacker's control [15]. where each app is phone fraud [6]. attackers can launch data loss attacks. Network permissions. Android has about 100 built-in permissions that handle resource access. have led to a balance of the security resource usage and once an app is given permission. Being the application will not abuse the permission provided. Here. and sending an outgoing SMS or email message. More importantly. Basically iOS does not make users responsible users. When a user gives permission to an 727 . iOS Application Permissions: integrity attacks. each application on a device is are asked to give are as follows: accessing location data isolated in a sandbox environment. Android Application Permissions: use famous company names and place them into the Each Android application must explicitly inform the user certificate to trick users. often request In fact. because most users are unaware of all the implications. Then. In fact. using device identifiers. for instance. distributed denial of service attacks. Attackers take advantage of this app to access some resources. Nonetheless. Apple gives the phone number and the device ID number. ISOLATION the user of the device [11]. each application is from the global positioning system (GPS) of the device. Using such permissions. An attacker can insert a malicious code into a application needs is shown to the user.10]. unintentional violations of privacy laws. Typically the user is informed about the Subsystems: access networks. Once the application is installed careful when it comes to their app downloading and usage with a given set of permissions. such as popular games. a list of all permissions that the app. Indeed. 
most users do not typically have the requisite handles some of the permissions that the app needs without knowledge to make these security decisions correctly [8]. if a calendar All of the factors and concerns as to the dangers of the application requires the Internet access permission. users are not often shown the permissions to application can acquire some sensitive information such as which the application requires access. best from the security point of view. isolated from every other app on the system. the In iOS. However. Android apps. hackers can B. the user is prompted Given this freedom. So. Too much onus of making security decisions is placed on the user. the user needs legitimate app. generate a new anonymous certificate. In fact. these permissions [13]. The iOS isolation policy safe. Furthermore. Messaging Systems: access permissions to which the application requires access. the app can permanently open ecosystem and distribute harmful software [10]. the app is allowed those behaviors. applications can request different levels of access the entire device resources based on the given permissions to access some subsystems (e. executed in its own environment and cannot modify any receiving remote push notifications from the Internet. It is widely known that many Attackers can misuse the permission system in Android. Android users are left with the decision of are willing to get these apps at any cost. Google cannot about what privileges it requires. APPLICATION PERMISSIONS and INTERNET for accessing the Internet. During the installation of totally prevent attackers from tampering with a legitimate an application on a device. The Android permission system does not seem to be iOS blocks access to many of a device’s sensitive effective because the security decisions are made by device subsystems. and to decide if he should continue installing the app. The permissions that iOS's users During execution. Where to place trust is a tradeoff of the wide. 
this may not be a development. if the user decides not to give permission to an marketplace requires consumers to be more savvy and app. III.

the UID derives some of the device-specific AES keys. music. Encryption prohibits someone from accessing Each app is isolated from other apps on the iOS private information on a lost or a stolen device. V. apps are not allowed to send SMS small. that has the These keys encrypt keychain items. Furthermore. Perhaps this is just a part of the B. capabilities and behavioral each application is separated from other applications on the improvements will hopefully. depending on the set of permissions given. applications on iOS can still access some resources ever a concern and is one of the primary aspects of access on the system. Of over the device. but also an app cryptographically linked to a specific device. can be and files. Not only that. without the users' involvement. As a limitations and pitfalls. various types of attacks [15]. Android Isolation Mechanisms: maturation process. an attacker can use a malicious limitation and authentication. For instance. For instance. there is always a concern that such password system. the iOS's applications can access and do not need to be stored on the device for usage. and the device's ID [12]. and not observed for proper usage. video camera and files. The public as a whole may not be largely from the kernel does enhance the security. device in the form of residue and can be falsified easily in Separating each application from other applications and certain contexts. First. send email spam. apps cannot modify or abuse are more likely to be forgotten leads to users choosing other apps on the system [16]. Some major aware of the ramifications of using fingerprints for device attacks. As technology developers and user Android isolation system is similar to that of iOS. Moreover. system. not easily lost. has a UID. For instance. using certain permissions. user's downloaded programs. where understanding grows. However. the Secure Digital (SD) card. by identification and authentication to map device to person is default. 
there are still service (DoS) attack [6]. application processor during manufacturing. a user needs to have a password or a secret key escalating privileges or accessing the kernel of the operating [17]. fundamental outlying architectural and protocol-related aspects yet to be resolved. However. and video files. such as web-based attacks and network-based protection and encryption and might underestimate their attacks. ultimately follow. iOS apps can also they can at times provide a false sense of security. In general. each application is given permissions to A. permission. keys. the key that protects the file system read and modified by an application without any restriction. iOS to prevent any compromised application from gaining uses hardware Advanced Encryption Standard (AES) administrator-level control. they may be stored right on the screen of the connection. Here. the fact that remembered keys and passwords their existence. can check the programming logic of every application [14]. But. so the files cannot be accessed if someone moves Therefore. In addition to isolating the apps from each particular importance to this context is the upcoming other and from the kernel. iOS Isolation Mechanisms: devices. All files are vendors have addressed this issue by encrypting data on encrypted with a unique File Key. each app is isolated from the system's kernel combined hardware and software technologies. Data Protection mobile devices and the data sent and received from these technology protects data while connecting a device to the 728 . The AES accelerator includes both other applications on Android [14].A. the GID is used to add an extra level of protection [18. Thus. an application can ID key (GID). malware attacks can be mitigated and overly-broad trust being placed in their usage. User data loss can be prevented. Apple uses a system called Data Protection. On the access some resources without asking the user for any one hand. relatively cheap. 
an cryptographic accelerator to encrypt all data kept in the attacker cannot use a malicious application to compromise device’s flash memory. Given that protection. To decrypt operating system. The iOS operating system overly simple ones that may make it into the dictionaries of controls third-party applications and limits their influence certain applications (texting and searching for example). has its unique UID. Mobile platform sensitive data on the device’s flash memory. the iOS operating system also prevalence of on-device fingerprint scanning capabilities. not every application can interact with or secret key may be stored insecurely on the device itself. For example. On the the device calendar. or perform a of making strides on mobile platforms. iOS Encryption Mechanisms: access certain resources. as mentioned before. and the isolation system prevents accessing resources beyond the approved permissions. which lets the data to be such as the map application. The encryption capabilities on iOS use layers of Furthermore. Furthermore. fingerprints are relatively complex. are prevented by the application isolation. During restoration and installation of the system software. the device unique ID key (UID) and the device group However. Apps on a device are prevented from the data. isolates some apps from the in-out email boxes and the SMS As on-device fingerprint technologies are frequently of a device. ENCRYPTION Besides the hardware encryption technologies built into iOS. While fingerprint technologies application to steal private information on the device such as and other biometric solutions along with encryption are the device's unique ID. file system metadata. leading to an overly-large and result of sandboxing. There are AES 256-bit keys built into the get a list of applications that are on the device. which by iOS4 operating systems and beyond to further protect makes them vulnerable to data breaches. 
every other application on the system or even know about Furthermore.19]. It is used Mobile devices are at risk of being lost or stolen. the Wi-Fi other hand. Each device an application can launch other applications on the system. All app can access some of the device’s subsystems and launch processors in each class of devices have a common GID. an the memory chips from one device to another.

remote wiping is As explained above. iOS former indicates the number of weaknesses discovered in a keeps a copy of the decryption key always to decrypt data platform that could potentially be used to compromise the needed by the background applications. Department of Homeland Security in protects the encryption key by using a key derived from the June 2013 said that just 0. such as features.18. compromised. even when it is locked. which is a system daemon that uses Unix socket platform.Internet or receiving phone calls. private key material and certificate chains. without the user password. Moreover. In addition. Furthermore.6. here. an attacker can access and steal a user’s data. according to Symantec. Android threats make up 7.1. The most frequently targeted mobile platform in interface. the stored data is prevented. to offer full file-system encryption where all user attacker to take administrator-level control of a device [6]. A user can configure a device to automatically discard the hardware encryption key and render the whole VI. Android has applied a low-level credential of mobile malware are targeting mostly the Android store. integrity. an attacker with physical access to a device could (CVE) claimed that 408 of vulnerabilities were discovered guess the iOS four-digit passcodes in less than 20 minutes in the iOS operating system during 2007-2014 in its various [6. VULNERABILITIES & MALWARE data unreadable if an incorrect passcode is entered more Mobile devices are vulnerable to attacks that can than 10 times [6. In addition to these security Also.000 mobile the stored keys. the level of single encryption key. By wiping a corresponding MDM-system. A user should U. Failing to stolen a user can send a remote wipe command in time to activate the encryption system or choosing a strong the device through Mobile Device Management (MDM) and passcode makes an attack on a stolen device very easy. Android Encryption Mechanisms: days from the time it was reported.S. 
which are the file.19]. access to targeting iOS operating systems [22]. and writers Version 1. Most of these Android has two encryption systems. and availability of Even with the reasonable level of protection provided by data saved on devices. Moreover. AES128 report by the U. without activating the file-system encryption system. Android’s on a device. Therefore.000 [24]. Statistics from Common system’s security relies on the settings chosen by the user Vulnerabilities and Exposures (CVE) claimed that 30 [20].0 and few of the vulnerabilities were more severe and allow an beyond. while the device is locked. In iOS [23]. a 30% increase in the Android 4. the time that Apple took on average to patch a vulnerability was 12 B. all of the device’s data are rendered complexity and the length of the passcode are influenced by inaccessible. The use of the user Although iOS has a high number of vulnerabilities. the MDM. and the app’s developer. Android uses system during 2009-2013 in its various versions [21]. Also. vulnerabilities were disclosed in the Android operating In addition to the file-system encryption. iOS supports four-digit alphanumeric passcodes storing the credentials unencrypted on the file system. iOS Reported Vulnerabilities Furthermore. For a rapid remote wipe operation. Department of Homeland Security released a report in choose a passcode to lock a device to enforce the security 729 . data is encrypted in the kernel. the time it took Google to patch a the file-system. a hardware support was added to the KeyChain number of attacks targeting the Android operating system Application Programming Interface (API) to better protect was detected. can that unlock the device and protect access to certain data on a adversely affect the device’s security [20]. Background applications run of vulnerabilities and the number of reported malware. and the latter is the number of actual threats that device has a malicious app.18]. 
in the case of a device being lost or the user choices and the appropriate MDM rules. A use of the user password is required by Android 3. An app’s developer decides whether to use malware. the encryption system needs to be manually activated by the embedded encryption accelerators are used for block-level user or determined by the requirement set of the encryption on the system and data partitions. if a platform. A developer is able to use KeyChain even vulnerability is eight days from the time it was reported [6]. protect all data on the device. Applications use credential store to keep Wi-Fi 2013 was Android with 79%. out of a total of 8. it is hard to guarantee that the file. A. vulnerabilities were of lower severity. since the severity to higher severity. a password is required by the file-system encryption.S. or email. using available tools. device. Since Mobile malware has significantly increased. Therefore. According to McAfee. However. any bad choices made by the developer. text. Security vulnerabilities in Android range from low system encryption configuration is enabled. The and access the device storage. there are some defects. or if the attacker has physical access to the device.7% of malware attacks were user password. KeyChain to securely store credentials used by an app on According to Symantec. such as the ones that system based encryption and the Android KeyChain. a device security depends on the another level of security that is used by iOS to protect data user. Two indicators of risk are the number iOS. or if a legitimate app is were detected. compromise the confidentiality. such as the jail-breaking Statistics by Common Vulnerabilities and Exposures tool. versions [21]. the the KeyChain to store the credential or not. compared to 0% threats with passwords. Android file-system encryption has to be manually activated by the user or enforced by the B. if applications use them decrypting sensitive data and downloading new information [20]. 
It prevents features of the KeyChain system. The an attacker exploits to gain control of a single process. Android Reported Vulnerabilities MDM rule.

2014 International Conference on. IEEE.canalys. “Google android: A comprehensive security accounts for 79% of all mobile malware [22].[Online]. mobile security does not yet seem to be a concern of the [19] Apple. http://www.2. “Apple iOS 4 security evaluation.9. “PiOS: Detecting Privacy Leaks in iOS Applications. A. REFERENCES [20] P. pp. 2014. 2010. Kirda. 2012 Federated Conference on.” IEEE security and Privacy.8. “A window into mobile device security.pdf. E. (2014. April). “Attitudes to IT security when using a smartphone. Dmitrienko.time. assessment.edu/~jain/cse571-14/ftp/ios_security.publicintelligence. N. Nachenberg.“ iOS security. Springer.” in Privacy and Security in Mobile Systems (PRISMS).289.4-9. Apple follows a strong “PSiOS: bring your own privacy & security to iOS devices. 2013. (2013. which makes them open to social pp.” IEEE Security and Privacy. (2013.W. 13-24. Available : [21] Common Vulnerabilities and Exposures (CVE). (2013. Krupp. The Android security approach has two major weaknesses. CONCLUSION [9] M. no. Davi. required seems to be one of the primary differences between [18] D. Second. A. (2013. 2011.” IEEE Security and Privacy.Teufl. “Who’s winning.D. Sadeghi. Lange. First. (2013. R. [11] C. 2011. Also.” in Information Technology in Asia (CITA).com/2013/04/16/ios-vs istr_main_report_v19_21291018.35-44. system.” in NDSS. [13] Y. Android’s permission system relies on users to (NGMAST). [15] A.1-15. 2013 to developers. IEEE. Springer International address these concerns. “Securing Android-powered On the other hand.pdf. Dai Zovi. pp. O. Benenson.cse. L. pp. techniques such as application provenance. Hund.” [Online].” [Online]. Kim. (2013. IEEE. pp. May 9).” in signing model that prevents tampering with published apps. with iOS with vetting is more restrictive and less conducive Othman. E. 2013. 2010. IEEE. make security decisions. Available: http://www. iOS or Android? vol.Available: on Windows Phone and BlackBerry. Elovici. R. et al. Lim. 
May 23). “TASAM-Towards the Smart Devices App-Stores Applications Security Management Related Best Practices. http://www. pp. “Comparison between android and iOS Operating System in terms of security. [24] McAfee. the Apple security approach [17] M. the Android and iOS approach. billion units by 2016. Ahmad.” [3] H. “Mobile device market to reach 2. to download apps is the App Store.” in New Technologies. and M. 68-70. and Y. Egele. Han.” in Computer Science and Information Systems (FedCSIS). Springer. Vigna. A. J. [7] Z. 2013. Hassan. 4.” in Next Generation Mobile Apps. Miller. However. F. 1-5.” in Information Sciences and Systems. not capable of making sound security decisions. February 22). [Online]. “Android security.cvedetails. The devices’ users grant whether or not [14] L.wustl. encryption technique and isolation. permission. the users’ decisions. J. [12] J.” in Information Security. Vila. Winandy. 2012. 2011. et al. 2012. “Mobile attacks and defense. “DroidVulMon- Moreover.June 2013 showing that Google’s Android platform [8] A. pp. and N.com/newsroom/smart-mobile-device-shipments.Available: all the numbers. Department of Homeland Security. R. pp.en-us.19. “Threats to [2] Canalys. “Privilege to give permissions to an app. [22] U. Shabtai. exceed-300-million-q1-2013. Musa.pdf. and J. (2014). Proceedings of the 8th ACM SIGSAC symposium on Information. [6] C. based access control. H. 1179-1183. Holz. for security violations.272.N. Y.” [Online]. Liebergeld and M. Unfortunately. July 23). 2013.net/2013/11/20/mcafee-3rd-quarter-threat-report- http://www. Marcos. million in Q1.”[Online]. April 16). Kazmi. R.com/newsroom/top-ios-and-android-apps-largely. more resistant to attacks. the only place for iOS users no.symantec. 2011. Available: Available: http://www. 1-8. Where trust is placed and user knowledge is 8th International Conference on.net/DHS-FBI-AndroidThreats.36-44. November). http://info. “Top iOS and Android apps largely absent Report.S. 
Fledel.“Android encryption systems. sign their compromised apps and post them on the Internet. E. Decemper 15). 8. McCracken. Ham.” Symantec Security Response. 2013 7th International Conference on. billion-units-2016. [1] Canalys. Shabtai. Kruegel. “Smart mobile device shipments exceed 300 IEEE. Nadarajah. pp. J. all in one place.S.” in Applied Cryptography and Network Security. (2014.409-417. A.canalys. Regardless of the platform. “McAfee 3rd Quarter 2013 Threat [4] Canalys. IEEE. most users are escalation attacks on android.com/. 2012 5th International Conference on. released/. where each app is tested [16] T.canalys. Available: http://www. mobile platform vendors employ Publishing.” [Online]. pp.346-360. [5] Z. et al. vol.R. vol. attackers can redistribute a legitimate app with a Android based mobile device vulnerability analysis and monitoring new certificate after injecting it with malicious code. Available: http://malwarelist. pp.1-4. Davi.1-29.” [Online]. 2013. attackers can use anonymous digital certificates to party applications. pitfalls and lessons platforms have increased privacy and security concerns. Services and Technologies Second. 2011. and M. pp.3. Kroll-Peters. iOS’s security approach seems to be mobile devices using SELinux. To learned. pp. Werthmann. Toni. no. M.” Black Hat USA. and T. and M. “Launching generic attacks on ios with approved third- First. pp. vol. pp. C. engineering attacks. IEEE. android/#ixzz2tpCMYgwa. “Internet security threat report 2014. Available: past. Sadeghi. VII. A.” [Online]. absent-windows-phone-and-blackberry-10.com/newsroom/mobile-device-market-reach-26. Lee. Mobility and Security (NTMS). the iOS permission model does not completely rely on computer and communications security. The growing popularity and sophistication of mobile [10] S. ACM.26-31. Symantec.com/content/en/us/enterprise/other_resources/b- http://techland. [23] Symantec.6 mobile devices using the Android operating system. IEEE. 730 . and G.