Android vs iOS – Which Platform is Better for Mobile Security?

finjanmobile | Blog, Mobile Security


In a research report issued in March 2016, mobile phone manufacturer Nokia revealed that in terms of malware activity, smartphones have now overtaken laptops and desktop-based computer systems. Infections have plagued devices powered by both Google’s Android and Apple’s iOS operating platforms – although Android continues to be the principal target for the attentions of cyber-criminals. But which system truly has the edge when it comes to personal or enterprise security?

In this article, we compare Android vs iOS and take a look at important differences, strengths, and weaknesses of each.

Android vs iOS – Open Source vs Proprietary Development

The distinct security architectures of these two leading mobile operating systems are founded on the respective development architectures of the two corporate platforms.

iOS is created under a proprietary or “closed shop” development model, with parent company Apple retaining exclusive rights to the governance of the development process. Only Apple-approved development personnel and technologies are allowed into the process – which should in theory make iOS inherently more secure. But company protocols and business objectives can also influence the development process, resulting in security fixes that are applied in a “top down” manner that may make the release of patched versions of the operating system a lengthy affair.

The “closed shop” description also applies to Apple’s approach to outside scrutiny, with the company’s strong grip on control of all aspects of the system making it difficult for independent forensic investigators to analyze any security breaches that might occur, and allowing independent assessors or developers little access to the underlying code.

In contrast to this, Google’s Android follows an “open source” development model, with its source code available for modification by third parties, which can result in rapid and significant improvements. On balance, this approach also lends itself to enhanced security, as any vulnerabilities that come to light are often quickly dealt with.

But the open nature of Android and the very popularity of the operating system itself leave the platform vulnerable to the problem of fragmentation, whereby multiple versions of Android are in use across the globe at any given time. These range from older versions of the candy-flavored platform (Ice Cream Sandwich, Nougat, Marshmallow, etc.) on new or legacy devices sold at low cost in developing markets, to brand-specific variants of Android licensed to individual equipment manufacturers.

Keeping tabs on security vulnerabilities, patches, and updates for all of these versions all over the world is a logistical nightmare that leaves many systems unprotected and vulnerable to both new and legacy threats.
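One way to measure this fragmentation in a managed fleet is to compare the version properties each Android device reports. The following is an added example, not part of the original article: it assumes the properties were collected with `adb shell getprop` (or exported by a device management tool), the sample dumps are constructed, and the 90-day threshold and the `audit_fleet` helper are illustrative assumptions.

```python
import re
from datetime import date

# Constructed sample: trimmed `adb shell getprop` output from three
# hypothetical fleet devices (names and values invented for illustration).
SAMPLE_DUMPS = {
    "warehouse-scanner-07": "[ro.build.version.release]: [4.4.2]\n"
                            "[ro.build.version.sdk]: [19]\n",
    "sales-phone-12": "[ro.build.version.release]: [6.0.1]\n"
                      "[ro.build.version.security_patch]: [2016-01-01]\n",
    "exec-phone-03": "[ro.build.version.release]: [7.1.1]\n"
                     "[ro.build.version.security_patch]: [2017-03-05]\n",
}

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_fleet(dumps, today, max_patch_age_days=90):
    """Return {device: finding} for devices with a stale or unknown patch level."""
    findings = {}
    for name, text in sorted(dumps.items()):
        props = parse_getprop(text)
        release = props.get("ro.build.version.release", "unknown")
        patch = props.get("ro.build.version.security_patch")
        if not patch:
            # Builds that predate the patch-level property report nothing here.
            findings[name] = f"Android {release}: no security patch level reported"
            continue
        try:
            age = (today - date.fromisoformat(patch)).days
        except ValueError:
            findings[name] = f"Android {release}: unparseable patch level {patch!r}"
            continue
        if age > max_patch_age_days:  # threshold is an assumption, tune per policy
            findings[name] = f"Android {release}: patch level {patch} is {age} days old"
    return findings

if __name__ == "__main__":
    for device, finding in audit_fleet(SAMPLE_DUMPS, date(2017, 4, 1)).items():
        print(f"{device}: {finding}")
```

Devices that report no patch level at all are flagged rather than skipped, since those are typically the legacy builds the fragmentation problem leaves behind.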

Android vs iOS – Application Vetting

Malicious software and exploits often find their way onto vulnerable devices by way of tainted mobile applications. Filtering out the “bad eggs” from all the existing and newly developed apps before they get to the approved app stores requires a comprehensive vetting process – and this again is dictated by the different development models adopted by Google and Apple.

Apple exerts strict controls over everything, from its firmware, hardware, and operating system down to the screening of applications and accessories. With the one company owning and governing the entire ecosystem, there’s a strong chance that any software making it to the iOS App Store will be safe – though there have been occasional lapses, as we’ll see.

Google’s “all in” approach to software development makes the vetting of its Android apps that much harder to achieve. And with its massive user base and high profile, it’s more of an attractive target for malware developers. With the fragmentation of the operating system into many variants and the lack of control over who can modify it, it’s little wonder that there have been cases where Android devices ship with malware or fake app stores pre-installed.

Nonetheless, in recent years vetting of the software at Google’s Play Store has received something of a boost with the company’s adoption of SELinux and access control policies that better ensure a secure environment of “least privilege.”

Android vs iOS – Securing Enterprise Applications

When it comes to ensuring the security of enterprise data, Android and iOS are on pretty much an equal level. Both operating systems allow users to create secure containers within their device storage to house enterprise information and software applications. In effect, this creates a separation between an individual’s user profile data and any corporate information they may be entrusted with.

Data encryption and app-specific Virtual Private Networks (VPNs) may be applied on both systems, to secure data communications over wireless networks. There are also features on both to allow devices to boot directly into “corporate” mode, where only apps specific to an enterprise are made available.

Android vs iOS – Operating System Vulnerabilities

Both systems have also demonstrated that they aren’t immune to core vulnerabilities at the operating system level.

The Stagefright vulnerability, which came to light in 2015, for example, was a widespread flaw affecting 95% of all devices using variants of Android. Updates to rectify this fault have been issued by Google ever since.

On the other side of the fence, YiSpecter was discovered to have successfully attacked both jailbroken and non-jailbroken iOS devices.

Android vs iOS – App Vulnerabilities

“Jailbreaking”, or forcibly removing Apple’s device-level locking protocols, is both a way of giving iOS users increased privileges over their machines (allowing them to download and install a wider range of third-party apps), and of increasing their vulnerability to attack vectors residing in malicious mobile applications. Users who do jailbreak their devices are officially disowned by Apple, which shifts any responsibility for losses or damage suffered due to malicious apps squarely onto the user.

But even the official iOS App Store isn’t completely safe – as seen in the recent successes of the XcodeGhost malware, which introduced malicious code into numerous apps that were officially distributed through Apple’s store.

With Google’s Play Store frequently making the news by playing host to malicious code and/or applications from developers capitalizing on its comparative “open door” policy – and with Android settings allowing users to download and install apps from third-party app stores and web portals – these tales of iOS app and malware vulnerability create less of a stir.

But as iOS gains in popularity beyond the corporate sector and achieves wider distribution among individual mobile device owners, we can expect cyber-criminals to shift their attention and ingenuity to Apple’s platform.

Android vs iOS – So, Who Wins?

From the perspective of privacy and its “ground up” policy of containment and security controls, iOS tends to be the operating system of choice for security professionals. This preference extends to enterprise users, where corporate security policies and device management requirements make iOS a better fit.

At the personal level, the wider range of choice (including devices, operating system variants, and mobile apps) offered by Android continues to account for its huge market share – despite the risks its openness can bring.
