By: Dmitry Mi.
6 SEP 2016
The debate about iOS and Android security is one that rumbles on in the mobile app development community, but is either of them really secure? After all, both have had their problems - just look at the Stagefright bug discovered on Android, and the XcodeGhost malware that affected iOS. Which operating system, then, is the more secure?
Let's compare the pros and cons of each platform.
The Walled Garden
The iOS and Android official app stores work in very different ways. The Apple App Store is described by many mobile app developers and security experts as being a walled garden. In other words, all apps have to go through strict vetting before they are released.
Google has improved its measures for removing malicious apps and malware from the Google Play Store, but it will always be more vulnerable because of its open approach.
The Fragmentation Effect
Both Apple and Google put security high on their priority list, releasing updates and new security features regularly. In general, these are all positive, and in some cases significantly improve the security of the operating system.
The way Apple operates gives it significant advantages, however. When Apple releases an update or a patch, it is applied to most devices in the market – about 90 percent of iOS device users are on one of the latest versions of the operating system (iOS 8 or iOS 9). Compare this to Android, where only 7.5 percent of users are on the latest version of its operating system.
The Encryption Debate
Encryption is another security concern. This is about protecting users’ data, and the popular belief at the moment is that iOS is more secure. Apple is even in the process of beefing up its encryption rules and protocols through App Transport Security, a privacy feature of its operating system first introduced in iOS 9. The feature forces apps on Apple devices to use encrypted HTTPS connections – mobile app developers have to implement this feature on all their apps by the end of 2016.
Does that tell you the whole story, however? Some security experts and mobile app developers are starting to question whether the Apple model will work in the longer term. This is because it is an in-house Apple system that can't be fully stress tested and checked by industry experts. Essentially Apple is asking everyone to trust its encryption and security without third-party validation.
The Android platform, on the other hand, is in the open market. It has already been discussed how that presents challenges, but when it comes to encryption it could actually be a benefit. It is possible that developers, operating in a competitive market worth billions, will create more advanced and secure encryption and privacy protection controls on Android than currently exist on iOS. But it's just a theory. In practice, open source harms security.
Quality of Code
Apple and Google are in a race to make their respective operating systems and app platforms as secure as possible, but despite their efforts, vulnerabilities can still appear because of the code written by mobile app developers.
Research by the app security company Checkmarx highlighted the security risks. They tested both iOS and Android apps looking for vulnerabilities. They graded those vulnerabilities as low, medium, high, or critical risk. Forty percent of the iOS apps tested and 36 percent of Android apps had high or critical risk vulnerabilities.
This shows that the security of applications, as well as the security of the operating system, plays a role in overall security.
Who's the Winner?
The question of mobile operating system and app security is a complex and changing one for those involved in mobile software development. Despite this, most security experts believe that, currently, iOS has the advantage because of its more restrictive and controlled business model.