[David Strom's Web Informant] Is iOS more secure than Android

David Strom david at strom.com
Thu Aug 10 10:37:52 EDT 2017

Web Informant, August 10, 2017: Is iOS more secure than Android?

I was giving a speech last week, talking about mobile device security
and one member of my audience asked me this question. I gave the typical IT
answer, "it depends," and then realized I needed a little bit more of an
explanation. Hence this post.


Yes, in general, Android is less secure than All The iThings, but there are
circumstances where Apple has its issues too. A recent article in ITworld
lays out the specifics. There are six major points to evaluate:

   1. *How old is your device's OS?* The problem with both worlds is when
   their owners stick with older OS versions and don't upgrade. As
   vulnerabilities are discovered, Google and Apple come out with updates and
   patches -- the trick is in actually installing them. Let's look at the
   behavior of users between the two worlds: The most up-to-date Android
   version, Nougat, has less than 1% market share. On the other hand, more
   than 90% of iOS users have moved to iOS v10
   <https://data.apteligent.com/ios/>. Now, maybe in your household or
   corporation you have different profiles. But as long as you use the most
   recent OS and keep it updated, right now both are pretty solid.
   2. *Who are the hackers targeting for their malware?* Security
   researchers have seen a notable increase in malware targeting all mobile
   devices lately (see the timeline above), but it seems there are more
   Android-based exploits. It is hard to really say, because there isn't any
   consistent way to count. And a new push toward "whale" phishing attacks
   on CEOs, or toward infecting specific companies, isn't really helping:
   if a criminal is trying to worm their way into your company, all the
   statistics and trends in the universe don't really matter. I've seen
   reports of infections that "only" resulted in a few dozen devices being
   compromised, yet because they were all from one enterprise, the business
   impact was huge.
   3. *Where do the infected apps come from?* Historically, Google Play
   certainly has seen more infected apps than the iTunes Store. Some of these
   Android apps (such as Judy and FalseGuide) have infected millions of
   devices. Apple has had its share of troubled apps, but typically they are
   more quickly discovered and removed from circulation.
   4. *Doesn't Apple do a better job of screening their apps*? That used to
   be the case, but isn't any longer and the two companies are at parity now.
   Google has the Protect service that automatically scans your device to
   detect malware, for example. Still, all it takes is one bad app and your
   network security is toast.
   5. *Who else uses your phone*? If you share your phone with your kids
   and they download their own apps, well, you know where I am going here. The
   best strategy is not to let your kids download anything to your corporate
   devices. Or even your personal ones.
   6. *What about my MDM*, shouldn't that protect me from malicious apps?
   Well, having a corporate mobile device management solution is better than
   not having one. These kinds of tools can implement app whitelisting and
   segregate work and personal apps and data. But an MDM won't handle all
   security issues, such as preventing someone from using your phone to
   escalate privileges or to run a botnet from inside your corporate
   network, or detecting data exfiltration. Again, a single phished email
   and your phone can become compromised.

Is Android or iOS inherently more secure? As you can see, it really
depends. Yes, you can construct corner cases where one or the other poses
more of a threat. Just remember, security is a journey, not a destination.

Comments always welcome here:  http://blog.strom.com/wp/?p=6097