In Part 2 we covered the four main security features that are common to these 4 smartphone OSs (iOS by Apple, Android by Google, Blackberry by RIM, and Symbian by Nokia). In this post, we’ll dig a little deeper on the classification of smartphone software installation models.
There are three generic software installation models, depending on the level of control that the OS or the vendor has over software installation management.
- The Walled-Garden model: the vendor basically has full control. Only approved software can be installed and only such software is made available through the marketplace. Apps can be unilaterally removed or killed remotely. Code signing is an essential part of such a structure. Security and testing are in the hands of the vendor, giving non-technical users as close to a worry-free experience as possible. Given the amount of control, this model is considered controversial by many. This is the model used by Apple with iOS, although not entirely because some applications do ask users for example whether they can use geolocation data.
- The Guardian model: security decisions are delegated to a knowledgeable third party. The guardian role can be played by the OS vendor (similar to the Walled-Garden), the smartphone mobile carrier, an expert who represents less knowledgeable users, or an enterprise system administrator. The Guardian decides which apps can be installed and which services they are allowed to access, as well as which apps might conform with corporate policy. This is the model used by Blackberry and, slightly less, by Symbian.
- The User Control model: the user is pretty much responsible for everything. Third party apps are distributed with minimal involvement of the OS vendor or mobile carrier. There is essentially no app vetting and users need to understand the risks. This model’s security issues could be palliated slightly by enforcing stronger OS security features such as application isolation. The drawback is that this would require users being more knowledgeable about security and being able to answer security questions that to some would appear arcane. This is the model used by Android, although when the carrier gets more involved in security or Google applies a kill-switch, this becomes more of a Guardian model.
It should come as no surprise when studying these models, that an admin making a decision comes up against the classic trade-off of security vs usability (or flexibility). It is up to an admin to educate themselves on the technologies and the given context and to choose appropriately where their security/usability operating point will lie.
In the next post in this series we’ll cover app marketplaces and application vetting processes.
Smartphone security series (4 articles):
- Smartphone security: an overview of security frameworks and controlled app marketplaces Part 1 of 4
- Smartphone security: an overview of security frameworks and controlled app marketplaces Part 2 of 4
- Smartphone security: an overview of security frameworks and controlled app marketplaces Part 3 of 4
- Smartphone security: an overview of security frameworks and controlled app marketplaces Part 4 of 4
(This series is based on an article in IEEE Security and Privacy Magazine, May 2011, by Dave Barrera and Paul Van Oorschot – http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5674007)