iOS vs Android: Which is more of a security threat for the enterprise?

iOS vs Android: Which is more of a security threat for the enterprise?

Summary: Apple has kept malware out of its App Store but iOS devices, like their Android rivals, are still susceptible to all sorts of attacks.

SHARE:
52
Apple or Android: Which poses a greater threat to your security?
Apple or Android: Which poses a greater threat to your security? Image: James Martin/CNET

iOS might not be the magnet for malware that Android has become, but that doesn't make it inherently more secure than the Google OS in the enterprise.

Apple CEO Tim Cook has poked fun at Google for Android's fragmentation turning devices into a "toxic hellstew of vulnerabilities", but in a new report from Marble Security, the company contends that "neither iOS nor Android is inherently more secure than the other".

Apple's tighter control over app distribution has pretty much kept it free of malware, while the same can't be said for Google Play despite its Bouncer technology, though most Android malware still originates from third-party app stores.

Also, Apple's OS update practices mean that five months after releasing iOS 7, 80 percent of its users' devices were running the most recent version. By contrast, KitKat, the latest version of Android, currently runs on 13.6 percent of Android devices.

Despite the differences, when it comes to bring your own device (BYOD), both Android or iOS carry similar risks to the enterprise.

"The major security differences between iOS and Android are largely that Android is a much more open operating environment, more easily allowing users to download apps from app stores that have poor or non-existent app analysis and vetting procedures," it said.

The attack surfaces of iOS and Android are basically the same, the company added, including malicious apps, SMS or through compromised wi-fi hotspots.

While Android apps can be installed from dozens of stores, the company also points out that non-jailbroken devices can escape Apple's walled garden — and do so to access enterprise app stores — via third-party testing apps such as TestFlight. Notably, Apple acquired that app earlier this year.

Some of the main threats common to both platforms come in the form of phishing attacks, especially in an enterprise environment where an attacker had gained access to the corporate directory and then sent SMS messages or email to targets.

The company also points out a risk that can be introduced through mobile device management profiles, which can be delivered to an iOS device via a website.

"This attack strategy requires a user to visit a web page on their iPhone or iPad. If that user installs a hostile configuration profile, then the enterprise is at risk for intercepted traffic, fake app installation, sophisticated phishing, and APTs," it said.

Read more on mobile security

Topics: Mobility, Android, iOS, Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

52 comments
Log in or register to join the discussion
  • Google's recipe for "Hellstew"

    Add a heaping mess of fragmented Android to any mobile phone and your automatically asking for trouble. Android is inherently insecure and vulnerable. Fragmentation and malware are the Android gifts that keep on giving.
    Delvardo
    • @delvardo Sir explain to me the relationship between

      my Nexus 5 phone, fragmentation and security.

      Its is a stock android phone, with pure android as it is by design.
      Fragmentation has nothing to do with the fundamental design of the android OS with regards to security.
      Fragmentation is related to a particular OEM and phone.

      I am an android developer and a general statement like yours is hogwash. Android IS inherently secure by design, with the usual caveat that no system is perfect, even iOS as is mentioned. It does not have tacked-on, after the fact security like windows.

      If enterprise is so gung ho on windows, I don't see why there would be any concern whatsoever with android and iOS. Two OSs light-years ahead in secure design.

      Any problems with "android" stem from the ability to install package files (like exe's on windows). That has nothing to do with the OS architecture of android. Its a choice offered by design in android.
      You are simply a google hater looking to pick a fight.
      drwong
      • Android is insecure by design.

        Because Google rushed out the deployment model with little to no thought into system updates, the very foundation of how Android works on the vast majority of devices is inherently insecure.

        There is very little to argue here. By design, Android is hard to push out critical fixes for.
        Bruizer
        • No. It isn't.

          Just because the telcos are slow is not a fault of Android or Google.
          jessepollard
          • Yes, It IS in the Design

            The issue is with Android allowing cross-application communication. A piece of malware running on an Android device has complete access to all of the other apps running on the device. In the case of IOS, an app running cannot communicate with another application. Of course, some people will think of this as a "feature' while others know it is a representative for malware privacy issues.
            hforman@...
        • Spoken like someone who has been told what to think

          Research has already shown that in the US 0.0009% of android phones have any form of malware on them, and that includes a lot of things that don't even qualify as malware on a real computer.
          If you aren't running around getting pirated apps from the russians, you don't get malware.

          Now let us discuss real mobile security. If you aren't stupid, chances are you will never attempt to install a piece of malware on your device. A more likely occurrence is somebody accessing your phone through its wifi. If you care to look at the results from pwn2own mobile from the last 3 years, android has fared far better than iOS every time. Blackberry has fared far better than iOS. Windows phone fared better than iOS.

          Apple has never had to fight a credible security threat, and because of that when they finally come across a real piece of malware, they choke. Go ahead and see how long it took them to issue a fix for the flashback trojan. That is the epitome of security incompetence.
          blarelli
          • IOS is intrisically unsafe

            every other month for the past year an issue appears.

            Some that come to mind.

            -IOS account through ebay got hacked
            -IOS phones got kidnapped and hackers demanded
            -ISO SSL GOTO FAIL security .. now how foolish can that be!

            Currently IOS has 335 vulnerabilities a few serious (source: CVE Details).

            So, in contrast, Android had one attack in the past three years. .. Their is simply no comparison.
            Uralbas
          • FYI.. Android vulerabilites 36

            Same source, thats 1/10th of IOS.

            Simply no contest.
            Uralbas
          • IOS has 9-10x more vulnerabilites than Android

            This is not speculation or perception, its a fact.

            IOS 335 vulnerabilities
            Andorid 36

            IOS is 9x-10x less secure than Android.
            Uralbas
          • And you get your figures from where?

            Sources, please
            financegozu
          • That Is Rubbish

            Sorry, Uralbas. I have no idea where you are getting your information from or it is all backwards. Please give us some links to real information. The other issue is that updates to the OS on IOS are done on a regular bases. Most Android telephones don't get updated at all because it is left to the telcos.
            hforman@...
          • Cve details,

            Look it up,

            Surprise. I'm right.
            Uralbas
          • Got it, you use IOs and need everything digested.

            Goto your favorite search engine and type:

            Cve Details IOs

            And then

            Cve Details Android.

            If you know anything about IT, this is kindergarten stuff.
            Uralbas
        • EPIC FAIL

          It would be better if you simply didn't comment than reveal your purposeful ignorance. Then again you are just a poster on ZDNET and nobody of any actual reputation...without a reputation to protect.
          DonRupertBitByte
    • iPhones most vulnerable among smartphones

      you are a huge liar, paid?

      keep to the facts and studies, do not lie here:

      Huffington Post: "iPhones, iPads Hacked And Held For Ransom"
      "iOS 7 Security Flaw Leaves Stored Email Attachments Unencrypted"
      "iPhone is most vulnerable, least secure smartphone in the market, security firm finds"
      "iOS apps said to crash more than twice as often as Android apps"
      "Apple iOS Apps Leak More Personal Info Than Android"
      "40% of iOS popular apps invade your privacy without any permission"

      use Google to search the exact phrases
      anywherehome
      • Very much an exaggeration.

        "iPhones most vulnerable among smartphones "

        Very much an exaggeration. You can find flaws in everything, the question really is how viable and widespread they are.

        Huffington Post: "iPhones, iPads Hacked And Held For Ransom"

        Oh look, Android:
        http://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99

        The problem here is, Android has its own problems. The question isn't really whether the iPhone has security problems, but how they compare to Android.

        "iOS 7 Security Flaw Leaves Stored Email Attachments Unencrypted"

        Limited to IMAP as far as I know. Actually acknowledged by Apple, and when the fix is available, will be available to nearly all iPhone users.

        . . . and actually requires some hacking of the phone with some other vulnerability to access the information.

        A problem? Yes. More of a problem than all of the issues with Android? Arguable. IMO probably not.

        "iPhone is most vulnerable, least secure smartphone in the market, security firm finds"

        Hey, look, it's a report from 2012 (ie outdated) . . .

        https://community.qualys.fr/servlet/JiveServlet/previewBody/1541-102-1-1535/Sourcefire%2025%20Years%20of%20Vulnerabilities%20Research%20Report-%20A4%20%281%29%20-%20copie.pdf

        . . . which actually LIED.

        A quick scan of CVE indicates there were likely far more than the claimed 8 vulnerabilities in Android in 2012.

        https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=android

        "iOS apps said to crash more than twice as often as Android apps"

        Usually because they try to allocate too much memory, and seem to always be immediately closed by iOS. As far as security is concerned, this seems to be meaningless.

        "Apple iOS Apps Leak More Personal Info Than Android"

        Android didn't come out clean here, either, and from reading the article, this seems to be less about OS design and more about how advertising networks work. It is a problem that Apple needs to address, yes.

        "40% of iOS popular apps invade your privacy without any permission"

        ONE result in Google for this exact quote . . . and the article doesn't say anything about how (or even if) apps are bypassing iOS's dialog that pops up when an app needs special permissions for accessing things like location data.

        And it doesn't compare iOS to Android.

        The claims are sketchy at best. There are a few things Apple needs to work on yes, but this whole claim that "it's actually WORSE than Android" is on pretty shaky ground, IMO. Except maybe a bit with advertising, I'll give you that. But that's about it, and arguably that's more about how advertising networks work rather than about vulnerabilities of iOS devices.
        CobraA1
    • @dwong, @anywherehome

      Sorry guys. iOS dominates in enterprise. Why you ask? Android's uncontrollable fragmentation and a big lack of security. Deal with it.
      Delvardo
      • sir, please explain what you mean by

        your statement of android's lack of security and "androids" fragmentation. (I don't know why I'm bothering to argue with you in the first place.)
        Answer this simple question:

        Am I experiencing the effects of "uncontrolled android fragmentation" on my Nexus 5? (yes/no)
        If yes, please explain your reasoning.

        As a developer I will explain to you android's security model which I fully understand, If you wish. I am sure you know absolutely nothing about the subject.
        Also my argument is not about who is dominating in enterprise. If its iOS, congratuations to apple. I don't care.
        The security nightmare of windows PCs is what's really dominating but that doesn't seem to be stopping anyone.
        drwong
      • What fragmentation?

        If you are running an MDM on your mobile endpoints, you control what connects to corporate data. You choose what versions to allow and what to exclude. We have excluded anything older then 4x with regards to Android. We also block any devices with side loading turned on.

        And those are just our BYODs, our company owned Android devices have Samsung KNOX and SAFE enabled and locked down.

        Android is more open then iOS but that does not mean you have to accept everything that Android can be just like you would not accept that with your PCs.
        Rann Xeroxx
        • Not sure of other MDM platforms but....

          We use AirWatch and it seems to be a pretty solid solution, but needs to be side-loaded on an Android device. Strange.
          djmik