Mobile operating system wars: Android vs. iOS
by Catalin Cosoi - Chief Security Strategist, Bitdefender - Tuesday, 16 July 2013.
When we introduced Clueful for Android, we thought mobile users should know what the applications on their devices were doing. One year and a couple hundred thousand analyzed applications later, Clueful intelligence has picked up an interesting trend: applications are as invasive and curious on iOS as they are on Android, even though one may argue that one of the operating systems is safer.

For roughly a year, we have been collecting applications from the Play Store and iTunes to analyze both statically and dynamically. For the Android version of Clueful, we’re aggregating 314,474 free applications, while the iOS version of Clueful holds references for 207,843 free apps. These applications are broken down into clues which give the user a transparent and comprehensive overview of what the application tries to access, what privileges it requires and how it is going to handle the data it has access to when sending it over the web.

Before digging further, we need to mention that application permissions differ from one operating system to another. For instance, while Android permissions are declared at install and cannot be altered later, iOS permissions are granted at runtime, when device owners have to allow or deny access to various resources, such as current location. Regardless, applications for both Android and iOS can perform a range of interactions with the user’s device, as well as with third-party internet services.

Our analysis focuses on the most intrusive behaviors that the application developer may have included in their software products. We have also taken into account behaviors that are very similar in both Android and iOS:

1. Tracking location

Location tracking is a major concern on both Android and iOS. Its implementation and use are similar on both platforms, and it is often requested by advertisers via framework APIs to track users’ habits. The Clueful test reveals that 45.41% of iOS apps have location-tracking capabilities, even if they don’t explicitly track location, as opposed to only 34.55% of Android applications.

Applications that track location:
  • Android - Latest Nail Fashon Trends (v. 3.1) – - with an estimated user base of between 100,000 and 500,000.
  • iOS - PokerStars TV (v. - uses geolocation to track users’ exact location
  • iOS - Cheezburger (v. 1.2.2) - uses geolocation to track users’ exact location.

2. Reading contact list

While only 7.69% of Android applications could read the contact list, iOS applications are much snoopier – 18.92% of applications designed for iOS are technically able to look into the contact list.

Android applications that read the contact list:
  • Longman Contemporary English (v. 1.81) -, currently removed from the Play Store
  • Cambridge American Idiom (v. 1.81) - com.flexidict.data2.cambridgeamericanidioms – currently removed from the Play Store.

Some iOS applications that read the contact list:
  • OLJ (v. 1.1) - reads contact names and contacts’ email addresses and sends them to a remote server.
  • 3D Badminton II (v. 2.026) - reads contacts’ emails and sends them to a server in Hong Kong.

3. Leaks your email address / device ID

Among the most interesting pieces of information for an advertising network are e-mail addresses and unique device IDs / IMEI. This data also may be shared with third parties to, for example, send consumers behaviorally targeted advertisements, according to a recent Federal Trade Commission report.
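
On Android, the three behaviors above surface as permissions declared at install time, so a decoded manifest can be checked for them directly. The following is an added example, not Clueful's code or method: the permission-to-behavior mapping, the function names and the sample manifest are assumptions made for illustration, and the manifest is assumed to be in decoded text form rather than the binary encoding used inside an APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the article's three behaviors to Android permissions.
BEHAVIOURS = {
    "tracks location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "reads contact list": {"android.permission.READ_CONTACTS"},
    "can read device ID / account email": {
        "android.permission.READ_PHONE_STATE",  # IMEI on Android of that era
        "android.permission.GET_ACCOUNTS",      # account names, often emails
    },
}

# Constructed sample manifest in decoded text form; not from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Sample"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit(manifest_xml):
    """Map declared permissions to behaviors the app is technically capable of.

    A declared permission shows capability only, not that the app uses it.
    """
    perms = declared_permissions(manifest_xml)
    report = {name: sorted(perms & wanted) for name, wanted in BEHAVIOURS.items()}
    return {name: hits for name, hits in report.items() if hits}


if __name__ == "__main__":
    for behaviour, hits in audit(SAMPLE_MANIFEST).items():
        print(f"{behaviour}: {', '.join(hits)}")
```

This check has no direct iOS equivalent, because iOS grants access at runtime rather than through an install-time declaration.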

