I was giving a speech last week, talking about mobile device security, and one member of my audience asked me this question. I gave the typical IT answer, “it depends,” and then realized I needed a little bit more of an explanation. Hence this post.
Yes, in general, Android is less secure than All The iThings, but there are circumstances where Apple has its issues too. A recent article in ITworld lays out the specifics. There are six major points to evaluate:
- How old is your device’s OS? The problem with both worlds is when their owners stick with older OS versions and don’t upgrade. As vulnerabilities are discovered, Google and Apple come out with updates and patches — the trick is in actually installing them. Let’s look at the behavior of users between the two worlds: The most up-to-date Android version, Nougat, has less than 1% market share. On the other hand, more than 90% of iOS users have moved to iOS v10. Now, maybe in your household or corporation you have different profiles. But as long as you use the most recent OS and keep it updated, right now both are pretty solid.
- Who are the hackers targeting for their malware? Security researchers have seen a notable increase in malware targeting all mobile devices lately (see the timeline above), but it seems there are more Android-based exploits. It is hard to really say, because there isn’t any consistent way to count. And the newer trend of “whale” phishing attacks aimed at CEOs, or of targeting specific companies for infection, isn’t really helping: if a criminal is trying to worm their way into your company, all the statistics and trends in the universe don’t really matter. I’ve seen reports of infections that “only” resulted in a few dozen devices being compromised, yet because they were all from one enterprise, the business impact was huge.
- Where do the infected apps come from? Historically, Google Play certainly has seen more infected apps than the iTunes Store. Some of these Android apps (such as Judy and FalseGuide) have infected millions of devices. Apple has had its share of troubled apps, but typically they are more quickly discovered and removed from circulation.
- Doesn’t Apple do a better job of screening their apps? That used to be the case, but it isn’t any longer, and the two companies are at parity now. Google has the Protect service that automatically scans your device to detect malware, for example. Still, all it takes is one bad app and your network security is toast.
- Who else uses your phone? If you share your phone with your kids and they download their own apps, well, you know where I am going here. The best strategy is not to let your kids download anything to your corporate devices. Or even your personal ones.
- What about my MDM, shouldn’t that protect me from malicious apps? Well, having a corporate mobile device management solution is better than not having one. These kinds of tools can implement app whitelisting and segregate work and personal apps and data. But an MDM won’t handle all security issues, such as preventing someone from using your phone to escalate privileges, detecting data exfiltration, or stopping a botnet running from inside your corporate network. Again, a single phished email and your phone can become compromised.
Is Android or iOS inherently more secure? As you can see, it really depends. Yes, you can construct corner cases where one or the other poses more of a threat. Just remember, security is a journey, not a destination.
David, great post. So many executives believe that using their mobile device eliminates cybersecurity risk. But as we are seeing, increasingly the ‘bad guys’ are finding new ways to attack and mobile is just as vulnerable as other venues. Interesting to see that some OS are targeted less than others at this point. Do you think all mobile OS are vulnerable today?
Yes, mobile has become a bigger target and is quite vulnerable. Plus, people use less scrutiny on their phones when processing emails, and so the potential for phished emails is greater.
John Cronin, a former executive with IBM, writes:
While one smart phone eco-system is more secure, the security threat is so great BOTH iOS and Android need to be much better. When the threat uses email and website malware both platforms are at risk. Since more mobile and IoT devices are guaranteed to be in our future, we need to focus on the weaknesses and strengths of all platforms and develop best practices to secure everything.
I agree with you when it comes to patching, and the best practice is to quickly fix any operating system when a flaw is discovered. For many years Microsoft was in the hot seat as Windows had many flaws and was the target of many exploits. As Microsoft improved its operating systems and its ability to patch them, the situation has improved.
The issue for Google is that they cannot upgrade every Android device directly, since updates must go through their OEMs. Some are faster than others, and for some OEMs (such as on some Alcatel phones), their updates simply don’t work. I wish that OEMs were able to patch all devices without having to rely on the OEM, and be able to do so for at least five years.
Here are a few other recommendations. When it comes to app access to OS services and data, I would like to see more of an end-to-end approach. Apps should not require access to device data as a condition of use. Most apps do not need to access my GPS data and know my location. When I am not using my phone I want the ability to completely turn off the app. It should stay off until I restart it. Being able to control what an app can access and being able to turn apps off is the best way to manage power and extend battery life. Good app access can help improve battery life and personal privacy.
But to really make smartphones and their operating systems more secure, we have to improve the security of their Internet access. Indeed, we should apply this practice for all devices.
Years ago I had a house full of kids and constant tech problems. I got on top of the problems with two things:
• A strong “gateway” between my home network and the Internet. I use ClarkConnect, now known as ClearOS. An Internet access device should be able to create custom firewall rules and rigorously control access of the security system to the Internet.
• An alternative DNS service. I use OpenDNS. By resolving DNS requests to only known good sites a lot of problems can be stopped.
One thing I like about some of the newer Internet devices — at start up they do a self check, check in with the OEM, get and install patches from the OEM, etc. If there is a problem with the OS, the device becomes a brick. The OEM has the ability to maintain the integrity of their products. This should be part of all Internet access devices.