In the battle for mobile supremacy, there are two main contenders: iOS and Android. They’re the most popular, but which is the most secure?
Mobile security – often ignored
According to a survey from Motorola, only 12% of buyers take security into account when they’re buying a phone. People prefer to look at things like application availability, usability and superficial aspects such as the style of the icons or the fluidity of the animations.
We forget that a phone is no longer just a device to make calls: we use them to store emails, passwords, pictures and more. Smartphones effectively store the most important details of our lives – and not just our personal lives. We connect to corporate networks, read confidential documents and fill out job applications – all on our smartphones.
What’s worse, we use our phones while ignoring the most basic security principles. Between 30 and 60% of people don’t use locking systems, like PINs or an unlock pattern, on their phone. More complex and powerful options such as data encryption are almost universally ignored.
The NSA scandal has put data privacy in the spotlight, and has urged software authors and phone manufacturers to put more emphasis on security in each update.
Android 4.3 vs. iOS 7
iOS and Android are the quintessential high-quality devices and they contain a lot of personal data. In each of their most recent updates, both Apple (iOS) and Google (Android) strive to improve system security through new security options, patching vulnerabilities and installing system improvements.
But sometimes things go wrong, as happened with iOS 7, where users discovered that calls could be made from the lock screen. Slip-ups of this sort show the complexity inherent in ensuring mobile security and the balancing act of combining security and speed of use: you want to protect data, but not at the expense of usability.
If we were to ask Google and Apple, they would each say that their system is the most secure. And that’s exactly what’s happening. Eric Schmidt, CEO of Google, says that “Android is more secure.” On the other hand, Tim Cook, Apple’s CEO, emphasized the negative consequences of Android fragmentation, which carries with it the need to plug holes. Putting aside opinions and advertising, though, which of these platforms is safer for users? In this comparison, we put both systems, iOS 7.0.2 and Android 4.3, to the test.
The 5 levels of mobile security
We’ve come up with five levels of progressively more complex security which encompass safety issues ranging from the basics, such as the lock screen, to the more advanced, such as encryption or the number of vulnerabilities.
For the vast majority of users, Level 1 is the only one they know about and the only thing that matters, while level 5 is only of interest to more advanced users. There are aspects of levels 2-4 that may be of interest to all users, but they generally don’t spring to attention in normal daily use.
Level 1: Locking or identification systems
Accessing your phone or tablet is the basic level of security that concerns all users, regardless of what device they use. Without this level, a device is at the mercy of any opportunistic (or malicious) person.
Android 4.3 has five screen lock systems: swipe, Face Unlock, Pattern, PIN and password. They’re configured from the menu Security > Lock. Meanwhile, iOS provides only two methods: swipe and PIN code.
Swipe offers no security; it’s only there to prevent accidental inputs. PIN is a numeric code that, if kept to the minimum (four digits), can be guessed in less than a day. While iOS puts delays between incorrect attempts, Android does not. Moreover, iOS has an additional option to erase all data after ten failed attempts.
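To make the three factors in that paragraph concrete (PIN length, delays between failed attempts, and a wipe after a fixed number of failures), here is an added worked model; it is not code from the original article or from either platform. The per-attempt timing, the escalating delay schedule and the ten-attempt cap are constructed assumptions for illustration, not measured behaviour of iOS 7 or Android 4.3.

```python
"""Risk model for guessing a lock-screen PIN under different throttling policies.

Added example. The delay schedule and timing figures below are constructed
assumptions for illustration, not the real iOS or Android timings.
"""

from typing import Callable

SECONDS_PER_DAY = 86_400


def keyspace(pin_length: int, alphabet_size: int = 10) -> int:
    """Number of distinct codes: 10**4 = 10,000 for a four-digit numeric PIN."""
    return alphabet_size ** pin_length


def no_delay(failed_attempts: int) -> int:
    """Throttling policy that never delays, as the article describes Android 4.3's PIN screen."""
    return 0


def escalating_delay(failed_attempts: int) -> int:
    """Constructed escalating schedule (assumption): no delay for the first four
    failures, then growing waits capped at one hour per failure."""
    schedule = {5: 60, 6: 300, 7: 900}
    if failed_attempts < 5:
        return 0
    return schedule.get(failed_attempts, 3600)


def worst_case_seconds(pin_length: int, seconds_per_attempt: int,
                       delay_after_failure: Callable[[int], int] = no_delay) -> int:
    """Time to try every code when the correct one happens to be the last.

    A delay is served after each failed attempt; the final (successful)
    attempt incurs none, so failures run from 1 to keyspace - 1.
    """
    total = keyspace(pin_length)
    entry_time = total * seconds_per_attempt
    wait_time = sum(delay_after_failure(f) for f in range(1, total))
    return entry_time + wait_time


def success_probability_before_wipe(pin_length: int, max_attempts: int) -> float:
    """Chance that random guessing hits the PIN within max_attempts, after which
    the device erases itself (the 'erase after ten failed attempts' option)."""
    return min(1.0, max_attempts / keyspace(pin_length))


def summary(pin_length: int, seconds_per_attempt: int = 8) -> dict:
    """Compare the policies the article mentions for a given PIN length.

    seconds_per_attempt=8 is a constructed figure for someone typing codes by hand.
    """
    return {
        "keyspace": keyspace(pin_length),
        "no_throttling_days":
            worst_case_seconds(pin_length, seconds_per_attempt) / SECONDS_PER_DAY,
        "escalating_delay_days":
            worst_case_seconds(pin_length, seconds_per_attempt, escalating_delay) / SECONDS_PER_DAY,
        "p_success_before_wipe_10": success_probability_before_wipe(pin_length, 10),
    }


if __name__ == "__main__":
    for n in (4, 6):
        s = summary(n)
        print(f"{n}-digit PIN: keyspace {s['keyspace']:,}, "
              f"no throttling {s['no_throttling_days']:.1f} days, "
              f"escalating delays {s['escalating_delay_days']:.0f} days, "
              f"P(guess before wipe at 10 tries) {s['p_success_before_wipe_10']:.6f}")
```

With the constructed figures, exhausting a four-digit PIN at eight seconds per attempt and no throttling takes under a day, which is the article's point; the same PIN behind escalating delays takes over a year, and with a wipe after ten failures the chance of a random guess succeeding at all is one in a thousand. Adding two digits multiplies every figure by a hundred, which is why the delay policy and the attempt cap matter at least as much as the code length.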
When it comes to the other locking systems offered by Android, facial recognition is the one that even Google says is the least secure, since it can easily be fooled by a photo. The system of patterns (drawing lines between points) is easy to remember and fairly robust, but depends on the complexity of the pattern, and fingerprints on the screen can be clues that undermine reliability.
The safest option is an alphanumeric password, but it is also the most inconvenient to use and takes the most effort to set up well (people generally don’t like having to remember complex passwords). iOS 7 running on new devices offers Touch ID, a fingerprint recognition system that is very easy to use and more robust than almost all alternatives.
Convenience vs. security
So which device offers the safest access systems? If we go on sheer number of options offered, it’s got to be Android, but when you consider the convenience factor and Apple’s new Touch ID, things change. Convenience vs. safety is the most heated debate as far as mobile security is concerned. We’ve prepared this graph to help you get your head around it:
Subjective ratings of safety and convenience. Asterisks indicate that the security depends on the complexity of the password or pattern. Those in green have both.
The two locking systems that are secure AND easy to use are the patterns (Android) and fingerprint (iOS). PINs score low on the security front if they’re left at four digits, which is standard. Passwords can be very safe, but convenience goes down dramatically as their complexity increases. The battle, then, is between the Android pattern system and Touch ID from iOS.
Touch ID from Apple in action (photo courtesy of iPhoneWorld)
Android offers more locking options, which can be extended through third-party apps, and the pattern system is fairly easy to use, but it’s more vulnerable and less convenient than iOS 7’s Touch ID fingerprint reader.
iOS 7 wins for balance between convenience and security (thanks to Touch ID), and its approach seems to be the best for simplicity and ease of use.
Level 2: application security
After analyzing the access options, we turn our attention to applications: how to obtain, install, authorize and execute them. Users install dozens of apps on their devices, but don’t typically pay much attention to safety. So what do iOS and Android do to ensure that malicious applications won’t cause a disaster?
At first glance, both Android and iOS adopt a similar approach, in the sense that they both rely on their own application markets, which check (automatically and manually) the safety of the thousands of applications available to the user. Both systems isolate processes in a sandbox, which prevents an application from taking control of the entire system, and they do this very effectively.
Open model vs. closed
The safety of both ecosystems and markets is very good, although there have been cases of malicious applications that have managed to sneak past. For example, researchers at Georgia Tech managed to introduce the Jekyll application on the iOS Store. But malware can also sneak into Android, and it’s already happened on several occasions.
Both of these cases were exceptional situations, but while sources estimate that about 6% of apps on Google Play are malware, for the iTunes Store this figure is virtually nil (partly because Apple doesn’t provide data). Android, which has a 70% market share, has become the favorite target for hackers: 92% of mobile malware can be found there. Does that mean that Android is less secure?
Assuming normal use and that applications are obtained only from Play or Amazon, malware risk is as low as that of iOS. But whereas iOS forces users to install only applications sourced from its store, Android has adopted a much more liberal approach, leaving the door open for installing completely independent applications and even separate stores. And through this door, malware can enter.
Android allows the installation of applications from unknown sources
Being a more open system, Android favors the installation of third party apps. It’s dangerous, but it gives you immense flexibility that iOS users can only dream of – or try to emulate by jailbreaking their devices. This freedom, however, comes at a price, and this price is the possibility of accidentally installing malware disguised as legitimate apps. Incidentally, the risk of malware has led to a flourishing industry of antiviruses for Android.
Managing app permissions
One way to control what applications can do once installed is a permission system, which establishes what data and which parts of the device a particular application can access. Both Android and iOS have permission systems, but their style of informing the user differs greatly.
iOS simply asks the user, when necessary, to authorize access to a specific resource. The user can then accept or reject each request as he wishes, with the app already installed and working. Android reports up front, in great detail, the permissions an app requires, and the decision is “all or nothing”: if the user doesn’t accept the conditions, the application isn’t installed.
In Android 4.3, detailed permissions were introduced, although the feature is hidden: to activate it you have to use apps like App Ops Starter, which make it visible.
iOS wins for its stricter control of apps, in exchange for giving up the freedom to install any application you want…
Level 3: Protection of privacy
The first two levels cover essential security, but what about more subjective aspects such as privacy? Things like how data is displayed on the lock screen or the sending of (anonymous or not) data for advertising purposes are hot topics and issues that may bother many users.
Notifications on the lock screen
Being able to read notifications directly from the lock screen is something that Android, for now, does not allow; to achieve this you need to install third-party applications. This can be inconvenient, since you need to unlock the screen every time you want to check what’s going on on your phone, but Android does support LED notifications (on phones that have one).
iOS, on the other hand, displays notifications directly on the lock screen, and does so by default. You can read mail or WhatsApp messages without unlocking the device, for example. Notifications of this type can be disabled from the Notification Center, which offers custom options for each application that uses this feature.
Both iOS and Android can send data to customize ads. For some people, this feature, far from being helpful, is an unacceptable intrusion into their personal sphere.
With Android, this is controlled from Google Settings > Ads. In iOS, it is controlled from the settings menu Privacy > Advertising and from the System Services menu; in other words, you have to do quite a bit of navigating to disable it.
Most of the time we’re on our devices we’re browsing the web. The native iOS 7 and Android 4.3 browsers are Safari and Chrome, and they each have abundant privacy settings.
Safari, the default browser for iOS 7, has a Do-Not-Track option to disable cookies and selective cookie blocking.
Chrome, the Android browser, has a whole menu dedicated to privacy, with Do-Not-Track and options to disable bug reports, suggestions and network action predictions.
Android wins for the greater control its browser privacy options offer, as well as the choice, which in my opinion is correct, not to show notifications on the lock screen, although many Android users look upon this feature with envy.
Level 4: Remote device security
Okay, so your phone is secure and well configured. But what if it’s lost or stolen? You’ll want to find it, locate it on the map or, at the very least, order the automatic deletion of your data if you give it up for lost.
With the “Find my iPhone” feature, iOS has been the pioneer of locating lost phones. After signing in to iCloud, users can locate their devices and see their status (on or off), play a sound and activate Lost Mode, which displays a message on screen. In extreme cases, you can trigger a remote wipe.
Web interface of Find my iPhone (image courtesy of Applediario)
Android introduced something similar with its Device Manager. It supports a wide variety of Android devices, and allows you to locate devices on Google Maps, as well as play a sound, lock the device or erase data remotely. However, there are no options such as a customizable remote message.
iOS wins for number of options and data supplied through Find my iPhone. The Android Device Manager is more limited.
Level 5: Advanced security
In the last level of security, we look at the more advanced aspects of iOS and Android, such as the encryption of the file system or the ease of obtaining root privileges. If you’re a basic user, these points probably won’t interest you much.
Encrypting user data
Encryption allows you to protect data confidentiality. For example, you can prevent a thief from accessing banking data stored on your phone.
In iOS, encryption is enabled at the factory and carried out by dedicated hardware, which minimizes the performance impact. It uses 256-bit AES, which is very secure in most situations.
With Android, encryption is a user choice. As we mentioned above, the variety of Android devices has meant that encryption must be implemented in software, which is much more likely to have an impact on performance.
Superuser (root and jailbreak)
In any operating system, superuser permissions are essential for complete control of the system. In mobile, this allows you to install unofficial applications, uninstall factory apps or customize the system.
Android has chosen to be totally transparent in this regard. Android devices can be “rooted” without too much effort, but this isn’t required to install applications outside of Google Play. The risk of rooting is minimal, and it’s a legal operation accepted by many manufacturers.
In iOS, obtaining root privileges is part of the jailbreaking process, an operation that is carried out to obtain the freedom to customize. It is legal in many countries, but iOS warns of a large number of dangers and instabilities.
Vulnerabilities and updates
Vulnerabilities are software bugs that can be exploited by malware or attackers to take control of the system, damage it or extract information.
According to CVEDetails, the number of vulnerabilities in iOS is much higher than that of Android (not counting browser vulnerabilities). It can be seen in this chart:
Number of vulnerabilities discovered in Android and iOS by years (source: CVEDetails)
This data doesn’t tell us much: despite the large number of vulnerabilities in iOS, the number of applications that can exploit them is minimal, due to the tight control Apple exerts over the application market (jailbreaking removes that control, which is why Apple resists it so strongly).
So it’s not that iOS is less secure, but it’s in no hurry to plug these vulnerabilities. Android, on the other hand, is definitely in a hurry. And there are other factors to consider when it comes to vulnerabilities and patching them. By controlling the devices, Apple can patch vulnerabilities immediately through a new update that reaches devices no matter what. On Android this only happens in the Nexus range: other manufacturers release new versions as they see fit, forcing many users to change the ROM on their device. Fortunately, Android is solving many problems by bypassing the manufacturers and delivering updates through Google Play.
iOS wins this one thanks to its superior control over its devices, which allows it to send updates quickly to all users and encrypt data without much effort.
Verdict: iOS is the winner, albeit not on the freedom front
In general, both Android and iOS operating systems are exceptionally secure. Both are committed to security measures enabled by default and do not overload users and developers with requests for decisions. The focus, however, differs on certain points, especially with regard to the control of functions.
Apple says in the iOS Security Guide that its security is transparent to the user, although some features, such as data encryption, can be configured. It’s a foolproof strategy consistent with its user strategy (simplicity) and its hardware strategy (optimization).
Android, on the other hand, offers the user a greater degree of control not only for ideological reasons but also because of the fragmentation of devices: enabling encryption, for example, has a negative impact on performance by running via software which is the opposite of what Apple does by encrypting via hardware.
iOS is a safer system for all types of users, in exchange for giving up some freedom that some users value, like the ability to move data easily or install unofficial applications. With iOS you give up some freedom in exchange for thinking less about security, while with Android, you’re forced to think about what you’re doing.
Which do you think is the most secure: Android or iOS?
Note: The author of this comparison article has a Nexus 4 and an iPad 3