Better Keep It Open or Closed?

Here is a nice debate we can have until the cows come home. The battle for security supremacy has been raging for years between “open” and “closed” approaches for software development.

Can we name a winner?

First, lets define the terminology. A software-based ecosystem has 3 main characteristics: how the software is developed, maintained and distributed. An ecosystem openness is determined by the way it treats these aspects. Windows, Android and iOS are good examples of different approaches.

Microsoft Windows source code is private and so is bug fixing. It is considered a closed system by these two tests. Yet, 3rd party software development and distribution is wide open. Anyone can develop a Windows application put it on any web site and have users download it. If that sounds to you like a malware delivery system – you are probably right.

Google’s Android has a different mix of attributes. Its source code is available, but the code is centrally maintained by Google. Android applications, like Windows applications, can be downloaded from numerous Internet-based marketplaces which are not centrally controlled.

Apple iOS is the most closed system of all. Apple exerts full control over the entire software-based ecosystem for iOS. iOS source code is closed, it is maintained by Apple, and each 3rd party applications must be vetted by Apple and delivered from the one and only Apple App Store. The exception to that rule are jail broken phones (phones that had their security controls removed by users and are exposed to a wide variety of threats).

Historically, open source advocates claimed that open source approaches to software enables crowd sourcing of bug fixing power that will make the code more scrutinized on one hand, and faster to fix on the other hand. The claim was that even a large company like Microsoft can run out of developers to secure its code and fix bugs. In the Windows/Linux battle, this claim was never tested – most attacks are on endpoints, and Linux market share of endpoints had been negligible.

Recently, a more plausible comparison is possible: Android vs. iOS. It is a matter of fact, that the vast majority of malware is targeting the Android system. How does the openness of Android impacts its security? Let’s walk through 3 relevant aspects: APIs and Permissions, Application Distribution, Attack Surface.

First, Application Programming Interfaces (APIs) and Permissions.

Each API is designed to provide a service to an application running on the platform. At the same time, it also offers a possible point of attack. Hackers and malware often tap into system APIs which were intended “to do good”. The less APIs you expose the less vulnerable you are. Another aspect is permissions. If a user is asked to grant an application certain permissions, they may not consider why the application needs these permissions. Excessive permissions are a key source of risk for users. Android provides an extensive set of APIs and permissions that applications can leverage. Apple is notorious for restricting the number of APIs it offers. It also cleverly asks the user to authorize access to sensitive data when access occurs and not when the app is installed. This reduces security risk.

Second, Application Distribution.

Google allows third party marketplaces to distribute apps while Apple allows distribution only through its App store. Simply put, the more scrutiny is applied to apps before distribution, the less attacks the users are exposed too. The open marketplace approach means that Google can’t enforce its standards of security on the Android apps ecosystem, resulting in an explosion of malware targeting Android. The App store success in stopping malware is well publicized. Most iOS attacks resort to installing developer editions of apps that bypass the app store. However, this method raises quite a few red flags and often requires user consent to actually work. Even when attacks do go through, the mobile OS application sandbox architecture limits the damage.

Third, Attack surface.

Windows was designed to maximize interoperability. So each application can access any other application given the right permissions. This makes the OS and applications processes present a substantial attack surface. Mobile OSes addressed that risk with application sandboxing. Each application is fundamentally restricted from accessing any other application on the device or the underlying OS. This makes the attack surface much narrower and restricts the ability of malware to take over the entire device or even get out of the scope of the compromised application runtime environment. Generally speaking, both Android and iOS are doing a good job here. But the availability of Android source code may expand the attack surface because it allows hacker to more easily examine the way the operating system works and craft an attack against vulnerabilities they are able to identify.

Open systems, and especially Linux based servers, had transformed the enterprise. But their impact was mostly felt in reducing the cost of doing business, not achieving better security. While no system is bulletproof, it seems that closed systems that rely on tightly controlled code development, maintenance and application distribution models seem less vulnerable to attacks. In the enterprise, distribution exposure isn’t just about app stores. It is about the supply chain of hardware and software, partners and resellers and ultimately customer sites. There are ample opportunities to capture end products, reverse engineer them and design an attack against identified vulnerabilities.

Cloud-based platforms are closed in nature. They can reduce the exposure of enterprises by reducing the overall points of attack: there are less APIs, permissions, supply chain touch points and overall access to the platform. A Cloud provider can also build a formidable defense-in dept- architecture to secure their environment in a way that a single enterprise will be hard pressed to meet, because the cost and efforts are shared across many organizations.

Contrary to the view that the move to the Cloud increases risks for enterprise data, the closed system approach of Cloud providers, is more likely to boost security. And the huge business implications of a breach for the provider will make the investment in security a matter of utmost urgency. It may be a coincidence, but all major breaches of the last few years occurred in enterprise environments. Despite holding business critical data, Cloud providers had done a good job protecting the data. They may just prove to be the solution to address a bulk of the enterprises security woes.