Which Type of Mobile Device is More Secure – iOS or Android?

  • Posted on: February 15, 2012
  • Posted in: Mobility
  • Posted by: Trend Micro
By Vic Hargrave

Apple rigorously scrutinizes applications before publishing them on its AppStore site, often rejecting apps that violate the company’s security and usability policies. Given this practice, it’s easy to assume that iOS mobile devices (iPhones, iPads, iTouch) are more secure than their Android counterparts.

But there’s more to this story. Veracode, maker of application risk management software, published a useful infographic that contrasts iOS and Android security. The bottom line is that both mobile operating systems have security strengths and weaknesses that you should be aware of.

Common Security Features

To a great extent, iOS and Android devices are more secure than PCs. For one thing, each application installed on either platform must be granted your permission to access data that resides on your smartphone.

Laptops, on the other hand, usually require only that you are logged in as a user who has been granted permission to install applications and access system-wide data. Once granted, this permission exists for the lifetime of that user account. Malware that assumes the identity of this privileged user can likewise access data on the laptop without asking for permission to do so.

Applications running on iOS and Android cannot access mobile device hardware directly. Normally malware attacks the operating system, but last year there was a report of next-generation malware that attacks the code contained in PC firmware. The attack involved using diagnostic software for PC network cards to install custom code into the firmware, allowing a hacker to run malicious code on the victim’s PC. This sort of breach is much more difficult to carry out on an iOS or Android device.

More on Android Security, Pro and Con

When installing an Android application, you are prompted to accept the installation. You must give permission to the marketplace you are downloading from to allow the installation. With this scheme, it is not possible for someone to remotely install and run undesirable applications without your knowledge, such as ones that would auto-erase your files or geo-locate the phone (and you).

On the minus side, it is well known that Google does not check the security of apps before publishing them on the application marketplace, which greatly increases the chance of picking up malware on your Android phone. On several occasions Google has had to scramble to pull malicious apps off the marketplace. It’s safe to say there is a greater likelihood you could pick up a malware-laden app from the marketplace.

You can mitigate this risk to a certain degree by checking the legitimacy of the Android app source.

More on iOS Security, Pro and Con

In addition to Apple’s security testing of apps prior to AppStore publication, iOS has permission-based access control for protected features that is enforced at runtime. For example, when an app wants to track the location of your iPhone, iOS prompts you to allow or deny location tracking.

If one of your iOS devices is lost or stolen, you can find it from another iOS device with the free Find My iPhone app. You just register your devices with Apple, and then when one of them goes missing you can use Find My iPhone to find it on a map, remotely lock it, or completely erase all the data on the device.

But, it’s not all rosy for iOS, as Apple has had to withdraw malicious apps from the AppStore after allowing them to be published. Last year, security expert Charlie Miller published a proof-of-concept app that exploited a security flaw in the iOS Safari browser, enabling his app to download and run malicious code that could be used to steal data from victims. The scary thing is that Miller’s app passed Apple’s security screening process the first time around. Apple only pulled it from the AppStore AFTER realizing the potential security risks it posed for users.

Every iOS device running a version of the operating system lower than 4.3.5 is susceptible to an SSL man-in-the-middle attack, which is made possible by weak validation of certificates for SSL (Secure Sockets Layer) network connections.

The problem may be all the more serious if you have a device that cannot be upgraded to the latest iOS. Apple simply won’t allow certain categories of devices to be upgraded. You can’t upgrade an older 3G iPhone to the full iOS 4.x, which means these phones are permanently saddled with all the vulnerabilities that came with pre-4.x iOS, including the SSL man-in-the-middle attack.

In all fairness to iOS and Apple, there are many older Android phones that are orphaned, left behind because their hardware was not compatible with more modern versions of the Android operating system. Not everybody races to upgrade to the latest mobile phone hardware, so users who can’t or don’t want to upgrade their phones every couple of years will eventually be stuck with permanently vulnerable devices.

So What’s the Answer?

For my money, iOS has better security features than Android due to Apple’s pre-publication security testing and the platform’s overall resistance – but not immunity – to malware.

To cover the gaps in Android security, Trend Micro™ Mobile Security Personal Edition provides application scanning, call and texting security, and lost device protection. For iOS protection, you can use Trend Micro™ Smart Surfing for iPhone, which is a free mobile browser that blocks access to malicious websites and provides protection against phishing attacks.

Mobile smartphones are increasingly becoming targets for malware, but if you understand the extent to which your device is vulnerable, keep your mobile operating system up-to-date, and use the right anti-malware tools, you can travel safely on the mobile Internet.

I work for Trend Micro and opinions expressed here are my own.
