Digital Guardian's Blog

Android Security Evolves, But Still Trails the iPhone



The Android versus Apple argument has become this decade’s version of the PC versus Mac or Magic versus Bird debates. The people on both sides are entrenched in their positions, and trying to tell an Apple user about the benefits of Android, or vice versa, is likely to start a bar fight. Or a Twitter beef at the very least.

People choose their devices for all kinds of reasons, and for most users security ranks somewhere below looks, ease of use, and emoji support. And while the features, hardware, and functionality of the various devices can be, and are, argued ad nauseam, the thing that hasn’t been open to debate is the security of the two platforms. The security community in general views the iPhone’s hardware and software security as being far superior to that of Android, a view that’s remained unchanged since the first Android phones hit the market a year after the iPhone’s debut. The reasoning behind this view is pretty straightforward, and is based on a core set of facts/beliefs:

  • Apple enforces strict policies on software installation, only allowing apps from its official App Store to be installed on iPhones
  • Apps in the App Store have to be signed by an identified developer, and Apple tracks those developers and the apps they sign meticulously
  • iOS has been built from the ground up to be secure and resistant to common exploitation techniques and Apple has added many new protections over the years, including a sandbox
  • Apple releases updates on a regular basis and pushes them to all iPhone users at the same time
  • Android is open source and built on the Linux kernel
  • Google has security enforcements in place in the Play Store but also allows users to install apps from third-party app stores, which are out of its control
  • Carriers are responsible for releasing security updates for Android to their own users, and most of those carriers push them out at highly irregular intervals, if at all

So what you get is a framework that’s heavily weighted in Apple’s favor, and for good reason. Apple started out with a big lead in the security column and has continued to improve its model along the way. But Google has been making strides as well, and has made some adjustments that Apple hasn’t.

The company has added an application sandbox to Android in recent years, making it more difficult for malicious apps to reach the underlying operating system or other apps. That’s a key step in preventing malware from taking over a device if it finds its way onto the phone, and is especially important in the Android ecosystem, where many users install apps from third-party sources. The apps in those stores are unverified by Google and so their safety is questionable at best.

In 2015 Google also began a bug bounty program for Android to entice security researchers to find and submit vulnerabilities in the OS. The program has been a success, paying out more than $500,000 in rewards to researchers in the first year, which saw 250 reports. Google actively engages with the security research community in a number of other ways, too. Google also has an internal security team known as Project Zero that looks for vulnerabilities in the company’s software, as well as in other widely deployed software. The team researches Android vulnerabilities, among other things, adding to the reports from external researchers.

While Apple does some of the community outreach quietly, it does not have a vulnerability reward program for iOS or any of its platforms, for that matter. Researchers still spend a lot of time looking for bugs in iOS, as they’re highly prized, both by third parties who buy bugs and by the jailbreak community, but Apple isn’t involved in that. And the argument can be made that Apple doesn’t necessarily need a bug bounty program, since so many researchers already work on iOS. One look at an iOS security update will show that.

All of Google’s efforts have contributed to an improvement in Android’s security over the years. But the research community still considers iOS to be far superior in that realm. Perhaps the biggest improvement Google has made to Android security recently isn’t in the code itself, but in the way that updates are released. Google now has a monthly release schedule for Android patches and several of the larger handset manufacturers have agreed to do the same, after prodding by the company.

But there are still hundreds of millions of Android devices running old versions of Android with known, unpatched vulnerabilities that leave them open to attack. Not to mention the huge population of devices running even older versions that are no longer supported at all. The carriers are content to let those devices wither until the owners bite the bullet and buy new ones. This is part of the price of opting for the openness and relative freedom of Android. Google is working hard on the security front, but the other pieces of its ecosystem don’t always follow suit, a problem that Apple doesn’t have to worry about.

Dennis Fisher

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.