Is iOS really more secure than Android, and why? What are the pros and cons of biometric authentication? How can you know which apps are safe to use, anyway? In episode 46 of Cyber Security Sauna, we dive into a range of common mobile security issues. Who better to answer our questions than a couple of mobile security experts? F-Secure’s Ken Gannon and Ben Knutson joined the show to discuss app permissions, company mobile device management, mobile hygiene tips, signs your phone’s been hacked and more. Plus, is your Facebook app listening in on you, or not?
Janne: Can you guys briefly talk a little bit about your work in the mobile security realm? Like what do you mainly do?
Ken: I mostly do mobile security at F-Secure for customers. I test applications, devices, really anything that has to do with Android or iOS.
In terms of what I look for, I like to think about mobile security in terms of three different perspectives. The first one is: An application should be able to protect its data from other applications on the device. The second perspective is that an application should be able to protect its data from unauthorized users. And the third perspective is that a device’s software should not be responsible for compromising sensitive information.
If I think about MobSec from those three perspectives, that’s how I usually test my targets, how I go about my day-to-day duties as a mobile security consultant.
Janne: Okay. So what about you, Ben?
Ben: I joined the mobile security team with F-Secure around two years ago now. Since then, I’ve been testing apps for all sorts of different clients – mobile applications on iOS and Android, doing device security reviews, reviewing mobile device management solutions and even reviewing some smart devices that pair with smartphone apps.
Throughout that time I’ve learned an awful lot about what goes on under the hood in iOS and Android, and what kinds of common security vulnerabilities can be found in these applications and how they can really ruin your day.
Janne: Cool. The first thing I want to get out of the way is there’s a lot of talk about how iOS is secure and Android isn’t. Can you take me through the arguments for both sides?
Ken: So this is something I both love and hate. With Android, it being open sourced and how much it’s been looked into, we have tools, we have techniques, we have methodologies that are tried and tested for the Android operating system itself and those applications. In general, it’s a lot easier to test for Android vulnerabilities. Whereas for iOS, it becomes more of a quote-unquote “hacky solution” where maybe this will work, maybe this won’t work… I might have developed a method of testing X, Y, Z in iOS or their applications…
On top of that, I would say, is also how with the Android operating system itself, we have a very fragmented operating system across different OEM vendors. People either aren’t buying newer devices, or vendors are not updating the devices with the latest security patches. So unless you’re running the latest Google Pixel or Samsung device, then there’s a chance you’re not