Apple iOS vs. Google Android: It comes down to security

pple's locked-down approach in iOS has given it something of an edge in the debate

Which is more secure, mobile devices based on Google Android or Apple iOS? It's not just a theoretical question to IT professionals making decisions about the future use of smartphones and tablets in the enterprise.

Read Network World's other tech arguments.

Apple's locked-down approach in iOS has given it something of an edge in the debate, especially since Android's more open platform is being targeted by malware writers. Hardly a week goes by that security vendors hunting Android malware don't remind us of the growing tally, as Trend Micro recently did it claiming that Android malware surged this year from 30,000 specimens in June to almost 175,000 in September.

But on Android's side, security experts point out that the closed, proprietary iOS architecture has some drawbacks, such as when an iOS device is "jailbroken," its security shield is basically broken. Android's inherent openness and flexibility, something missing from iOS, is making it attractive as a platform for organizations considering customization of security the way they want it.

"You can build more security for Android," notes Tom Kellermann, vice president of cybersecurity at Trend Micro, who points out Android's open API model is conducive for that. But he notes that for now, at least, Google Android is also viewed as more vulnerable. In a study that Trend Micro did of security of the three mobile platforms iOS, Android and RIM BlackBerry, BlackBerry actually came out on top in that, he points out.

Android malware exploding, says Trend Micro

Worries about possibly having to cope with Android malware on either corporate-owned devices or Bring Your Own Device (BYOD) situations seems to be swaying a number of information-technology managers to vote 'yes' on iOS, 'no' on Android.

At Los Angeles-based real-estate investment firm Hearthstone, for example, the CTO there, Robert Meltz, says this is one of the main reasons why his company is going with managed BYOD iOS devices. 

New York-based Blackstone Group feels much the same, according to CTO Bill Murphy. And in the healthcare environment, such as hospitals where use of tablets and other mobile devices under BYOD arrangements with healthcare professionals is surging, the same reservations about Android are voiced.

"We tested Android and we think it's more vulnerable than iOS," says Barak Shrefler, the IT and security manager at Hadassah University Hospital in Jerusalem, who said IT staff are concerned that malware or vulnerability issues around Android will simply result in future headaches, at least more than Apple iOS. At the same time, Shrefler acknowledges he's worried about jailbroken iOS devices, too.

Tamir Hardof, director of product marketing at Juniper, admitting he's reluctant to take sides, nevertheless said "data shows there are more security threats on the Android side." But he added that Apple's closed system may not be what's preferred for some enterprise customers with specific security requirements, and he's optimistic in general that "security will improve for Android devices."

Tyler Shields, senior security researcher at Veracode, had this to add to the debate: "One of the primary differences between iOS and Android is the application distribution and vetting models. IOS has a single application store, iTunes, that customers can download applications from. While Apple is not perfect, they have executed better than Google in the application vetting process while attempting to limit malware distribution."

Shields continues, "On the other hand, Android applications can be acquired from both the Google Play store as well as a number of third-party stores. This distribution model lends itself well to repackaged applications that contain malware. It's difficult, if not impossible, for Google to police the security of their application ecosystem because they don't have a single application funnel where all applications must pass."

Chris Astacio, Websense manager of security research, also weighed in. "In the ongoing discussion of whether iOS or Android devices are more secure, the overwhelming majority of evidence helps to support Apple's case for supremacy," says Astacio. Why? "The iOS closed operating system and application vetting process help prevent a vast majority of the successful malicious examples we have seen in Android devices."

But Astacio also includes something of a caveat.

"Apple's vaunted application-screening process will only maintain its current success until the top-notch hackers feel it is profitable to create malware sophisticated enough to hide from their application-screening process. For now, there is significant danger in what we call 'legitimate applications behaving badly.' This is where the information gathered by applications is targeted by hackers through some mode of interception, perhaps most likely by hacking into the application developer's networks. For now, though, if I'm placing a wager on which is more secure, I'm putting my money on Apple."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Apple iOS; Google Android; AppleGoogleNetworkingtrend microsecuritymobile securitywirelesssoftwareVMwareApple

More about AppleApple.BillBlackBerryGoogleIDGJuniperResearch In MotionTrend Micro AustraliaWebsense

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts