When I tell people I test the security of mobile applications, one of the most common questions they ask is, “Which platform is more secure: Android or iOS?”
There are many ways to answer this, but each of them has its issues. You can look at malware stats, you can look at marketshare, you can look at lists of vulnerabilities. But at some point you’re comparing apples and, well, not apples.
There are always other factors, one of which is the user base. Are people buying the cheapest phones available making the same security choices as those buying the more expensive and popular options? And if not, then aren’t we dealing with poor security choices instead of an insecure platform?
This all being true, there are two reasons iOS will continue to be the more secure platform going forward. Not only will it be more secure, but its position as security lead will actually grow.
Apple fans often try to wiggle out of it, but Android is simply crushing iOS in terms of devices being purchased, activated, etc. In May, IDC showed that Android’s marketshare increased from 59% of all phones sold in the first quarter last year to 75% of all phones sold the same time this year. Staggering.
Unfortunately, this not only doesn’t help security, it actually exponentially harms it. As any good security practitioner knows, a platform’s security problems only partially come from its own weaknesses. Perhaps even more important is the question of, “Where is the attention of the world’s most motivated attackers?”
Quite simply, when the goal is to make money, the focus is on the platform with the most users. And this, more than anything, is what makes Android an increasingly insecure platform.
Open vs. Closed
Another key difference between the iOS and Android platforms is a core philosophical difference, which we can link to their marketing strategy. Android is a largely open platform, with lots of freedom for developers and users alike. This makes sense because Google is an advertisement company. Their goal is to get Android on everything possible: phones, T.V.s, toasters, tree leaves, whatever.
Apple’s sales strategy, on the other hand, is all about cultivating an experience of exclusivity and quality. So they control far more about their platform–both for their users and for their developers. This has obvious implications for security, as the platform that is permissive is far more likely to allow mischief than one that is restrictive.
The past/current security of the App Store vs. the Google Play store has shown this to be true. A recent mobile malware study found that 92% of malware was created for Android, and that malware for iOS was “noticeably absent”. The study went on to say that attackers favored Android because it was easier to get malware into apps through the Google Play Store.
With just a little over half of the overall marketshare of smartphones, Android already has over 90% of the malware–and their marketshare lead is only going to increase. When Android has 70% of the market, and Google still has its goal of being on every device at all times so they can sell ads–what do you think their malware marketshare will be then?
Again, attackers go where the users are.
One thing few people know outside of the security community is that Windows is actually far more secure than OS X. This has been stated clearly by numerous researchers who break operating systems for a living. It comes down to one of my favorite ways of describing this issue:
“What’s safer, living in the middle of nowhere with your doors unlocked, or living in a bad part of town with bars on your windows?”
Don’t think about it–let the data guide you: it’s generally safer to be where people aren’t attacking.
Even if iOS were less secure as an operating system, it’d be a more secure platform simply due to marketshare–especially in coming years. And when you add on top of that the fact that iOS is actually more restrictive with its security policy, it becomes quite obvious.
If you care about security, iOS is the better place to be.