When it comes to mobile malware, Android dominates the conversation, and for good reason. An April 2014 study conducted by F-Secure Labs found that, in the first quarter of this year, 99 percent of new threats targeted the open source operating system. Of the 277 malware strains that were examined, all were Android-specific except for two – one for iOS and one for Nokia's defunct Symbian OS.
Android's inherent weaknesses are not hard to grasp. For starters, it is highly fragmented, with many devices running an OS version that is not the latest (in contrast, at least three-fourths of iOS users are on iOS 7). Fragmentation has wide-reaching consequences. For example, not long after the Heartbleed flaw in the OpenSSL cryptographic library was made public, Trend Micro discovered that devices running Android 4.1.1 (released in 2012) were vulnerable to the exploit, opening up the possibility of an attack on any app that depended on OpenSSL.
The size of the Android user base and the platform's relatively loose stewardship by Google, OEMs and telecommunications providers ensure that it will remain a leading target of attackers for years to come. Google seems to be gradually assuming more control over Android – its rumored Android Silver initiative may succeed the Nexus brand and result in an increase in the number of "stock" devices running unmodified Android – but it may be a while, if ever, before the effects are felt on the Android population at large.
Android versus iOS: The imbalance of cybersecurity attention
What of iOS, though, which as far as cybersecurity matters go is playing the mostly secure Mac to Android's continually vulnerable PC? Apple's platform is rarely even targeted by malware, largely because of its many built-in advantages over open OSes. Most importantly, iOS apps can only be downloaded from the official Apple App Store, eliminating the problem of third-party app stores that may host software that has not been properly vetted.
That said, iOS is not impervious to security flaws. The recent gotofail issue, while quickly patched, put millions of devices at risk from compromised secure sessions. Similarly, it's possible for an iPhone, iPad or iPod to be infected with malware under the right circumstances.
Far and away the easiest way for this to happen is via jailbreaking, the practice of using a software utility to free a device from restrictions placed on it by the manufacturer. While jailbreaking makes the endpoint much more customizable (similar to "rooting" an Android phone or tablet to remove bloatware), it also exposes it to new risks from unauthorized apps.
It's hard to know how many iOS devices have been jailbroken, but the number is likely large enough to make iOS security – a frequently overlooked issue – a real concern. A year ago, a security researcher estimated that more than 14 million unique endpoints had been spotted running the popular Cydia jailbreak app on iOS 6.x. For all iOS versions, the figure was 23 million.
In early 2013, the evasi0n tool hit the market and accelerated the pace of iOS jailbreaking. Within just four days of its release, evasi0n helped free 7 million iOS devices from Apple's control. These numbers, while impressive, are a drop in the bucket compared to the hundreds of millions of pieces of hardware out there running Android, but they hint at how iOS jailbreaking could, over the long run, expose many users to harm.
New malware can steal passwords from jailbroken iPhones
Jailbroken devices are at much greater risk than normal ones. In fact, the lone piece of iOS-specific malware identified in the F-Secure study was designed to take advantage of jailbreaking. Likewise, several reddit users recently identified a crashing issue that may be caused by iOS malware.
The malware in question is called unflod and it demonstrates the perils of having access to software that is not sold through an official channel. The jailbreaking community has, for the most part, coalesced around the Cydia app store, but some users still explore custom features from other sources, and these options sometimes contain malware.
The problematic devices identified by the reddit users were eventually screened by a security researcher, who found that unflod exploited their SSLWrite function. It is unknown exactly how unflod is installed, but once present, it begins scanning for strings that are associated with the user's Apple ID. For now, the only way to rid the infected iPhone of unflod is to restore it.
"That is why we recommend to restore the device," Stefan Esser, the security researcher, told Ars Technica. "However, that means people will lose their jailbreak until a new one is released, and the majority of jailbreak users will not do that."
The bigger picture: iOS and Android security in the enterprise
Many mobile end users will never be exposed to malware, and their overall risk is reduced by the fact that most of them don't jailbreak their devices and also frequently upgrade their hardware and software. For enterprises, however, the strengths and weaknesses of OSes such as Android and iOS merit closer attention since business endpoints regularly handle sensitive assets at scale.
In this organizational context, comparisons between iOS and Android security are not so cut and dried as they are with consumers. For example, iOS has many security features, but they have to be enabled and carefully managed. With Android, security and enterprise viability vary from one device to the next – while the platform's macro vulnerabilities may prevent it from becoming the go-to OS for businesses, it can be effectively deployed in certain instances.
"Whether iOS is more secure than Android is tough to answer," Blackstone Group senior vice president Jay Leek told CSO. "First, it depends on the Android hardware you're comparing it to. Samsung has done the most for Android when it comes to their hardware integrating with some of the Android security hooks. That's why, while we will support Android, we're not going to support Android broadly, we're going to support Android on certain devices."
Overall, picking the right platform for business will depend on the organization's particular needs. There is certainly a security gap between iOS and Android among consumers, but companies can take steps to make either (or both) OS work in their environments.