Apple iOS Devices: Leakier Than Android

Apple iOS Devices: Leakier Than Android

While conventional wisdom says that Android has laxer security than iOS, research suggests differently: Zscaler found that more Apple iOS mobile devices are leaking information like the exact location of devices and their owners than Android.

Over the past three months, millions of both device types were found to be leaking enterprise data, privacy information and unique mobile device identifications.

“Each quarter, we see more than 45 million transactions related to mobile devices going through our cloud,” Zscaler said, in a blog. “The majority of the privacy-related information we see falls into one of three categories: Device metadata; location; and personally identifiable information (PII).”

Android devices comprise around 20 million of those quarterly transactions, of which approximately 0.3% result in some level of privacy leakage (and 99% of leakage is related to Android app usage).

Of all the leaks, 58% are related to device metadata leakage, in which apps are sending identifying information, such as IMEI, MAC and IMSI numbers, to their servers or ad-servers in clear text. Such data can be leveraged for tracking the device and creating targeted attacks. Another high percentage of leaks—39.3%—are related to the user’s location, including exact latitude and longitude coordinates.

The remaining 3% of transactions result in PII leakages, including the user’s mobile number and email addresses.

In contrast, iOS accounts for 26 million transactions quarterly, and 0.5% result in privacy-related information being sent—5% of which are the result of malicious infections.

About 72.3% of the transactions are related to the user's device information, while an additional 27.5% of transactions are resulting in the user's location being sent, and 0.2% of transactions result in sending PII-related information.

“These statistics demonstrate that significant amounts of personal data can be leaked simply by tapping into any organization’s traffic; in our cloud alone we saw nearly 200,000 examples of such leaks,” Zcaler noted, in a blog. “All that leaking data can be leveraged for more sophisticated attacks.”

For instance, because hardware identifiers like MAC, GSM IMEI, IMSI, and UDID are globally unique and do not change over the lifetime of a device, the collection of such IDs allows for both tracking and physical device association. These identifiers can be exploited by a range of attacks, from mobile privacy to targeted denial-of-service. And of course, the exact location of any person is highly valuable for stalking, spying and spoofing purposes. Phone numbers and email addresses meanwhile can be leveraged for spamming and phishing attacks.

Photo © Bloomicon/

Source: Information Security Magazine