The state of mobile device security: Android vs. iOS

Choosing between Android and iOS is one of the biggest decisions you'll make for your company, especially regarding security. Here are the latest security updates from both ecosystems.
Written by Conner Forrest, Contributor

Major players in the mobile market have been making leaps and bounds over the past few years in order to position themselves as enterprise-ready. But, no matter how many updates the user experience gets, or what cool new features are added, security remains the ultimate battleground for enterprise mobility.

Nowhere is this seen more clearly than in the two leading mobile ecosystems -- Apple's iOS and Google's Android. Both are fresh from their annual developer events, bringing new approaches to security along with a host of new features.


Let's examine both companies' mobile OS strategies, their recent announcements regarding security, and how they are approaching the enterprise. Is there a clear winner?

The landscape

According to Gartner analyst Dionisio Zumerle, mobile security is in a "relatively good place today." The biggest reason, he said, is that mobile platforms were built from the ground up, with the existing knowledge of the previous few decades of personal computing. Security mechanisms such as app sandboxing, app store distribution, and user permissions are getting stronger.

Still, cyberattackers are getting more sophisticated as well. Zumerle cited the Stagefright vulnerability and xCodeGhost as key examples. However, both Apple and Google have recognized this shift and are taking steps to mitigate the additional risk, said John Pironti, president of IP Architects, LLC.

"They are actively working against motivated and capable adversaries who are attempting to identify and exploit vulnerabilities in their mobile offerings. Both Google and Apple now are accelerating efforts to enhance security, including the integration of third-party offerings and enforced use of leading security practices."

Both parties are addressing security, but their approaches are different.


The biggest mobile security news of the past year concerned the iPhone and Apple's approach to security. When Apple refused to unlock an iPhone 5C for the FBI, the conversation around its encryption practices moved center stage.

Apple's iOS devices are known for their strong security, partly because Apple controls the entire device ecosystem -- hardware, firmware, and software. It also relies on strong encryption practices throughout the platform. In response to the FBI requests to unlock an iPhone, Apple reportedly strengthened its encryption around iCloud and hardware to make it even harder to hack.

"Apple is working hard to ensure it can demonstrate that it's constantly trying to improve security to its global constituency while it's under scrutiny by the US and other Governments to provide methods to circumvent their capabilities," Pironti said.

Recently, at Apple's 2016 WWDC event, the company announced that it would require the use of its App Transport Security (ATS) feature in all apps by January 1, 2017. This would essentially force all app traffic to run through encrypted HTTPS connections from now on.

While these are welcome updates, Zumerle said he would like to see "greater manageability for enterprises." As an example, he said, this could include "more granular controls for iOS managed apps, as well as the possibility to block copy/paste on an enterprise email account on the native email client."


In realizing Android's business potential, Google has also made a plethora of changes to its mobile OS recently to beef up its security. For starters, Zumerle said, Google has worked hard to rid its app stores of harmful apps.

The improved hardware-backed security functionality, which leverages ARM's TrustZone, is one of the most important security-related Android updates. Now, said Zumerle, "enterprises will increasingly be able to perform device attestation, device integrity checks, device binding, and other delicate operations with increased assurance."

Google also recently announced automatic security updates for Android, which makes it quicker and easier to patch applications. Android N will also be getting a new update system, similar to Chrome OS, where apps will be patched in the background. Changes have also been made to its app permissions model, making it more granular.

"An app that asks for a specific permission at the point when it needs that permission to perform a user-invoked action is more likely to be trusted by the user. Also, the user may by that time have been using the app for a while, and might have started to trust it," Zumerle said.

Samsung also opened up its Knox security system for Google to use on Android devices. But Knox itself was found to be suffering from a host of security problems in early 2016.

As Pironti notes, Android will always be limited in its capabilities because of a lack of control of its potential integrations. That, and the additional issue of fragmentation, can make it difficult for users to access the newest updates.


Fragmentation is far more of a problem for Android than it is for iOS, which is totally under Apple's control.


The winner

So, the big question is: who takes the gold? While Android has made significant progress, iOS remains more prevalent in the enterprise, Zumerle said, with the consistency of experience being a major factor.

"The majority of enterprises still feel it is easier for them to secure their enterprise data on the iOS platform," Zumerle said.

That may be the case now, but it could change over the next year or two, depending on the trajectory of the two companies' mobile strategies. The real winners in all this are the users, who will continue to benefit from enhanced security as Apple and Google seek to stay ahead of continuing threats.
