Studies by Checkmarx and AppSecLabs conclude that iOS devices tend to be more vulnerable than Android. The reason for this has to do with Apple’s advanced controls, which can lead programmers to neglect the security of applications.
The problem may become more serious because cyber-attacks tend to focus on the application layer. The two studies reveal that applications developed for iOS devices have more vulnerabilities than those made for Android: 40% of those found on iOS devices were considered critical or severe, compared to 36% of those identified for Android, says Amit Ashbel, product marketing manager at Checkmarx. The researchers tested hundreds of applications of various types, including banking, utilities, retail, gaming and security. Vulnerabilities in authentication processes, and even data leakage, were found even in large banking applications.
“We expected that the investments were a little safer, but more of the same,” Ashbel said. The most common vulnerability, responsible for 27% of cases, was the leak of personal or confidential information. Authentication and authorization issues came second with 23%, followed by configuration management issues (16%). Problems were also reported with availability, encryption, application logs and authentication handling; 60% of authentication and authorization vulnerabilities were also classified as critical or serious.
There is already a widespread assumption that iOS devices are safer than Android devices, said Ashbel. And indeed the iOS platform has stricter controls on what developers can do, and powerful “sandboxing”. In addition, applications for iOS are examined before being allowed into the App Store and removed quickly if problems are found. Apple can easily deliver security updates to all iOS users, while updates on the Android platform have to be made by each manufacturer. “But in practice, this can lead developers not to worry much about security issues when developing applications for the iOS platform, as they rely on Apple’s controls,” Ashbel said. This attitude may not be a problem today, with cybercriminals focused on other flaws, but the future is likely to be different.