With increasingly more and more people opting to use their Android or iOS based smartphones to carry out their day to day activities, a question that comes naturally to them is that which one of the platforms is more secured? Does the Linux flavoured open source nature of Android  ensure that it is least affected from malwares or does the tightly integrated ecosystem of Apple really makes the iOS platform invulnerable? But, as it turns out, none of the above arguments are exactly true and each platform has its weakness that hackers can easily exploit. The rest of the article discusses some of the recently uncovered glitches.

The Apple loophole

Apple phones have often been touted to be more secured than their Android counterparts, thanks to its stringent App-store-quality-checks. This checks ensure that hackers cannot easily insert their malicious code into the App store from where they could infect the systems. But this doesn’t mean that the iOS platform is free from any loopholes. One such loophole was recently reported by Trustwave spiderlabs that was related to the way Apple mobile devices carry out transactions on the secure websites such as Net banks or Shopping portals.

The general Security mechanism of websites

Whenever you communicate with a secured website, the Transport layer security or its predecessor Secured Socket layer ( set of communication protocols) provide the security by encrypting your data. This ensures that the data is shared only between the legitimate websites involved in the transactions and thereby prevents any kind of tampering or eavesdropping attacks. The legitimacy of the targeted website (such as banks or shopping portals) is confirmed by a trusted certificate authority through a mechanism that involves exchange of “certificates”. These certificates have the identity of the website built into it. So whenever you surf the internet, your browser requests these certificates and use them for encryption. In case of any data leaks, the browser is smart enough to report the problem back to you.

The iOS issue

The experts at Trustwave spiderlabs bought an officially issued SSL for a genuine website. From the genuine certificate, they cut out those portions of code that are used for validating the authenticity and pasted it onto a fake certificate of some different website. Normally, these kind of violations are easily caught by the desktop browsers but surprisingly mobile Safari accepted these fake certificates as if it were from a trusted source.

The implications of this weakness could have been disastrous. Just imagine yourself logging into a fake website through your iphone, using a public wi-fi network on which a hacker is present. Taking it to be genuine, you could have provided your credit card details to the trickster. You can now complete the rest of the story.

 The Solution

Having found the weakness, the Trustwave authorities alerted Apple on July 15. The Apple guys wasted no time and within 10 days, they found a fix to the gap and rolled it out for the public all over the world as a part of iOS 4.3.4 release.

The Android story

The same team from Trustwave spend some time with the Android SDK to find a loophole that is more fundamental to the software’s architecture.  Android SDK contains tools and APIs that can be used to build applications on the Android platform using Java programming language.

By combining certain APIs, the team of experts were able to steal credentials and other information  from the most popular apps in the Android application market.  Though they reported the issue to Google, but unlike Apple, Google is confronted with a more trickier situation. The problem is unique because the experts used the legitimate and documented APIs that thousands of other apps use for their functioning. Trustwave experts will provide a technical walkthrough of the steps and proof-of-concept  of the technique at the Defcon hacking conference that starts on August 4.

The upshot

Both IPhone and Android phones have security issues but by taking some simple precautions, you can reduce the potential threat- keep your Apple IPhone’s iOS updated and unjailbroken and don’t install any old App from the Android marketplace without checking its legitimacy.