Blondes vs brunettes, Kirk or Picard, and the Oxford comma... these are some of the most burning issues that people just can't agree on. And another is whether iPhones are better than Android phones. Both sides have their fervent fans and supporters, and are capable of making convincing arguments to back their point of view. But now a new study (registration required) argues that when it comes to one aspect of security at least, iOS is trailing behind its Android rival. That's an interesting finding because, in my personal experience, many corporations are more comfortable supporting workers using iPhones and iPads than one of the many Android devices out there. In fact, I don't think I've ever come across a firm which says they have an Android-only policy, whereas I have encountered companies who insist upon their users using an iPhone if they want to connect a smartphone to the network or access corporate information. The study by Checkmarx and AppSec Labs specifically looked at the security of hundreds of the most popular apps found in the respective platforms' app stores, testing them for security risks and vulnerabilities.
It is a common myth that the iOS development platform is more secure than the Android equivalent for several legitimate reasons:Yet, in the field of pure application security where vulnerabilities are built in the code or into the application logic the story is quite different.
- iOS has more restrictive controls over what developers can do and tight application sandboxing.
- iOS Applications are fully vetted before being released to customers – preventing malware from entering the Apple App Store.
I'm pleased that Checkmarx and AppSec Labs looked at the security of the applications rather than just the operating systems, as I've often felt *the* big security issue on smartphones are the apps. An app can be poorly coded and might store information insecurely, exhibit weaknesses in its encryption algorithms, send your username and password insecurely in plaintext to a server, or could be designed to scoop up your personal information in order to make it easier for third-party companies to target you with advertising. Even if an app is coded competently, that's no guarantee that any data it shares with its manufacturer is handled competently or isn't shared with corporate partners who are more careless. And, according to the report, 40 percent of the iOS apps tested were found to have vulnerabilities rated as "critical" or "high severity." Android apps fared marginally better at a still disappointing 36 percent.
Yes, Apple is doing a better job than Google at vetting apps for malicious code before they are allowed into their official app store, and it appears that iPhone and iPad users are much more likely to be running an up-to-date version of their operating system than their often abandoned Android-loving cousins. And there's no argument that there is a thriving culture of undesirable Android adware and malware that simply doesn't exist in large numbers for iOS. But that's not the whole picture when it comes to security. You also have to consider the safety of the apps themselves. The message seems clear – smartphone developers need to raise their game and write code which respects users' security and privacy. Apps need to be tested more thoroughly to confirm that they do not have flaws, rather than rushed out of the door. Security and privacy cannot be an afterthought, it needs to be built in from the start – and apps can't rest on their laurels, delegating responsibility for safety to those who police the app store. Do you have an opinion on whether Android or iOS devices pose a bigger security risk? Leave a comment below with your thoughts. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
