iOS might not be the magnet for malware that Android has become, but that doesn't make it inherently more secure than the Google OS in the enterprise.
Apple CEO Tim Cook has poked fun at Google for Android's fragmentation turning devices into a "toxic hellstew of vulnerabilities", but in a new report from Marble Security, the company contends that "neither iOS nor Android is inherently more secure than the other".
Apple's tighter control over app distribution has pretty much kept it free of malware, while the same can't be said for Google Play despite its Bouncer technology, though most Android malware still originates from third-party app stores.
Also, Apple's OS update practices mean that five months after releasing iOS 7, 80 percent of its users' devices were running the most recent version. By contrast, KitKat, the latest version of Android, currently runs on 13.6 percent of Android devices.
Despite the differences, when it comes to bring your own device (BYOD), both Android and iOS carry similar risks to the enterprise.
"The major security differences between iOS and Android are largely that Android is a much more open operating environment, more easily allowing users to download apps from app stores that have poor or non-existent app analysis and vetting procedures," it said.
The attack surfaces of iOS and Android are basically the same, the company added, including malicious apps, SMS and compromised Wi-Fi hotspots.
While Android apps can be installed from dozens of stores, the company also points out that non-jailbroken devices can escape Apple's walled garden — and do so to access enterprise app stores — via third-party testing apps such as TestFlight. Notably, Apple acquired that app earlier this year.
Some of the main threats common to both platforms come in the form of phishing attacks, especially in an enterprise environment where an attacker has gained access to the corporate directory and then sends SMS messages or email to targets.
The company also points out a risk that can be introduced through mobile device management profiles, which can be delivered to an iOS device via a website.
"This attack strategy requires a user to visit a web page on their iPhone or iPad. If that user installs a hostile configuration profile, then the enterprise is at risk for intercepted traffic, fake app installation, sophisticated phishing, and APTs," it said.