InfoWorld - In June 2007, Apple released the iPhone, and the device quickly took off to become a major brand in the smartphone market. Yet when the iPhone shipped, security on the mobile operating system was nearly nonexistent. Missing from the initial iOS (then called iPhone OS) were many of the security features that modern-day desktop software has as a matter of course, such as data-execution protection (DEP) and address-space layout randomization (ASLR).
Apple's cachet lured security researchers to test the platform, and in less than a month, a trio had released details on the first vulnerability: an exploitable flaw in the mobile Safari browser.
"It was so insecure, it was bad," says Charlie Miller, a security research consultant for Accuvant and one of the finders of the flaw. "Your Web browser ran as root, and there was no sandboxing, no DEP, and no ASLR. It was a hacker's dream."
[ Learn how to manage iPhones, Androids, BlackBerrys, and other smartphones in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]
How times have changed. Between Apple's harried response to vulnerabilities found by security researchers and the company's own desire for control over the applications running on iPads and iPhones, iOS has become the most secure software platform to date, says Raimund Genes, CTO for software security firm Trend Micro.
"Apple owns the complete ecosystem -- they own the hardware, they own the software, and it makes it quite safe," Genes says. "And thanks to the App Store, they also have a recall switch."
Apple has repeatedly boasted it has an OS that is more secure than the competition. While security experts have frequently debated whether Mac OS X fits the bill, iOS doesn't seem to raise such questions. Miller, for example, does not disagree with the assessment that the iOS may be the current pinnacle of security for a mass-market operating system. "It's in the realm of truth," he says.
In five major areas, Apple's iOS has better security than desktop operating systems and matches or exceeds the security of its smartphone rivals. iOS has a strong set of security features, including:
Better security with every versionAlthough iOS had a rocky start in terms of software security, the platform quickly gained a rounded set of security features.
iOS 4, the latest version of iOS, includes ASLR, DEP, a sandbox, and code signing. By comparison, Mac OS X has limited application-dependent sandboxing and no code signing, and it only partially implements ASLR. Microsoft's Windows 7 has DEP and ASLR, but code signing is limited to drivers and sandboxing is dependent on the application.
iOS also compares well against its competitors in the mobile space. Google's Android does not have DEP or ASLR, but it does have a strong sandbox and code signing, says Kevin Mahaffey, CTO for mobile security firm Lookout. Research in Motion's BlackBerry OS lacks all but sandboxing. "They all have really good sandboxes in terms on what limits are put on what code can do," Mahaffey says.
Although the inclusion of ASLR and DEP seemingly puts Apple ahead in design, it lacks an advanced feature that helps lock down both Google's Android and RIM's BlackBerry: granular privilege controls. Requiring applications to get specific permissions to access data on the phone can bolster security significantly, Mahaffey says.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
