Gartner analyst David Willis, who is chief of research for mobility and communications and who runs Gartner’s Senior Research Board, said to Schmidt: “If you polled many people in this audience they would say Google Android is not their principal platform […] When you say Android, people say, wait a minute, Android is not secure.”
Schmidt didn’t miss a beat, replying, “Not secure? It’s more secure than the iPhone.”
I don’t know if it’s more or less secure – all I do know is that there is no evidence pointing either way. People sometimes pretend that something is evidence, like reports that there are more malware variants targeting Android than there are variants targeting iOS – which has absolutely nothing to do with which of the platforms is more secure. For instance, we had a report from antivirus peddler F-Secure a few months ago, which stated that 79% of malware families targeted Android. Great. Too bad it didn’t actually tell us anything about infection rate, the statistic which would actually tell us something.
Only 1% of malware families might be targeting platform Xyz, but if that 1% of malware managed to infect large numbers of devices, it’s a far bigger deal than the 99% of malware families targeting platform Abc but only managing to infect a small number of devices. This simple fact seems – sadly unsurprisingly – lost on most bloggers and journalists.
So, lots of talk about how Android is supposedly insecure (almost always pointing to reports from… Antivirus companies), yet no proof that actually backs this statement up. Let me just repeat this common mantra: if you install antivirus on your smartphone, be it Android or iOS, you’re wasting space and processor cycles on absolute total pointlessness.
Schmidt saying that Android is more secure than iOS is just as completely and utterly idiotic as saying the reverse. Both are just fine as they are. And in case you still haven’t seen the memo, despite decades of evidence: antivirus companies are scum. Do not trust them. Ever.
Why do people write malware? I presume they do so quite a lot of the time for rational reasons, some I am sure do so for the pleasure of doing harm but almost all malware seems to have been written to make money via a rationally calculated scheme.
So given that Android’s market share advantage is perhaps just two to one at best I presume that the decision of malware writers to put about a hundred times as much effort into targeting Android reflects the rational belief of those malware writers that they will get much better results from targeting the Android ecosystem.
Personally I think it self-evident that any mobile ecosystem that is designed in such a way that, without any sort of technically difficult or awkward hack, it allows end users to download and install apps and software that have not been curated and security checked is inherently less secure than those mobile ecosystems that are designed to try to make sure all apps and software are curated.
Or, Android’s varied nature requires more different malware families, therefore leading to a larger percentage of malware families targeting Android.
Without actually useful data, we’ll never know. For now, all I know is that neither Android nor iOS has seen any serious security breach. Both platforms have seen small scale stuff that barely registers, and in both cases that was due to wilfully and knowingly stepping outside of walled gardens.
Let’s stick to facts.
This is partially true. There are quite a few ways to check whether certain parts of an API (calls, objects, methods, etc.) exist and write appropriate work-arounds if need be.
Edited 2013-10-08 19:34 UTC
That would constitute differences in malware families.
Where do you see “hundreds of times”? The F-Secure number that Thom quoted is 79%, which matches perfectly Android’s global market share.
That would make sense as an explanation if the distribution of malware by OS basically followed market share. It doesn’t. iOS has an installed base (Apple says 700 million iOS devices sold) probably somewhere between a quarter to a half of Android’s installed base and yet the iOS share of malware is 0.7 percent. Only 0.3 percent of malware affects Windows Mobile and BlackBerry combined.
BTW I used the word hundred not the plural hundreds. Based on Android having 79% of malware and iOS having 0.7% that means that Android has just about 113 times more malware than iOS and 263 times as much as Windows Mobile and BlackBerry combined (and BlackBerry is an attractive target because of its enterprise penetration).
I repeat the questions I posed in my original post. Making the reasonable assumption that the bulk of malware is written and distributed for a rational purpose, i.e. to make money illicitly, why would the writers of said malware devote 113 times as much effort to making malware for Android as for iOS, or 263 times as much as for Windows Mobile/BlackBerry?
Even if Thom’s rather speculative claim that the high malware count for Android is the result of a sort of malware inflation caused by the need to write different malware versions to cope with Android OS fragmentation is really true (evidence?), is it also true that there are over a hundred times more versions of Android in use than iOS?
It seems to me that fans or defenders of the Android mobile OS strategy are in a state of denial about the security repercussions of the openness that they prize so much in Android. It may be that this is really not a big deal, that all that malware is not leading to criminals stealing data and money, but the imbalance of malware distribution is real and does not reflect market share. If it is true, as Thom seems to imply, that all that malware circulating in the Android ecosystem is not actually leading to any real world actual security issues, then I wonder why the writers of the malware actually bothered to write it and continue to write it. Malware on Android is increasing and not decreasing, as one would assume it would if it was mostly ineffectual.
Variations – yes. But then again, iOS is not as homogeneous as you might think. While the HAL and libraries are common, there is a reason why there was/is no jailbreak for A6 and later processors.
Please, please, please… no-one is in denial about the fact that a user is stupid. And having a mechanism to sideload software is a very lucrative attack vector.
And then look at how this malware is distributed… all reports that we have seen target China, Russia and the likes. iOS install base there is nowhere close to being a quarter of Android’s.
One would assume that if one did not read any of the reports by the same anti-virus companies. Which, based on that statement, you have not.
It’s quite clear that more people write malware for Android than iOS. On iOS the goal for hackers is jailbreak. You could consider jailbreak malware, thus probably evening out the numbers.
If people are claiming rooting apps are non-malicious on Android (a very poor assumption — far easier to inject a malicious rootkit into a seemingly benign or useful rooting tool than it is to add a malicious rootkit payload into a non-rooting app), jailbreaking iOS certainly isn’t malware either.
Edited 2013-10-09 13:47 UTC
Rooting is not the same process as jailbreaking. The goals may be similar, but jailbreaking uses known issues/vulnerabilities to change permissions and overcome restrictions and with untethered jailbreaking installing a rootkit. Rooting involves replacing your whole OS with a different version, without relying on known issues/vulnerabilities.
They are not similar processes and do not rely on same principles.
Correct me if I’m wrong but aren’t there more security exploits out there for Android than iOS? If so then, while we don’t have official figures of successful attacks, what platform are you practically more secure on?
Regardless, even if the number of exploits is identical, the fact that a large part of Android phones are stuck with much older versions of the OS makes them inherently less secure, right?
An example:
http://www.ibtimes.com/android-malware-44-percent-android-users-vul…
Edited 2013-10-08 18:16 UTC
Thom I was tracking you until the last sentence. How does Schmidt not have access to exactly the statistics you say are required to make these claims? And Schmidt knows the details of android security measures in great depth, almost certainly also knows iOS security in great depth.
*And* it makes sense for him in his role to make statements like that just to combat the false perception of iOS’ security you refer to. Seems like a perfectly sane thing to say and given his knowledge and role it is especially interesting because he knew it would invite debate and rebuttal so it is a pretty strong stance for google to take in general wrt security. Since it can roughly be backed up in discussions of how android’s security model works compared to iOS, his statement immediately changed the tone of the android security conversation. Pretty damn smart if you ask me.
First, both Google and Apple are giving our information to the NSA. Therefore, neither are secure from our point of view.
Second, what would you expect one of the heads of a company to say? Of course he’d say that Android is more secure. I’m sure Tim Cook would say the exact opposite.
Thom’s nailed this one dead on: this statement means absolutely nothing.
The iOS Walled Garden comes to mind as a differentiator, especially when it comes to malware.
Does Google’s lax rules of Play Store submission leave its users more susceptible to malware? I think so.
It’s a trade-off. Openness in exchange for security. Yes there are permissions, but no one besides the neck beards even gives a damn or understands them. You can’t expect a user to really know that.
On iOS if I go and download an app, I have the reasonable expectation that it is by a publisher which isn’t going to turn my device into an annoying spam machine. Is it because of permissions? Not really, it’s because there’s an upper bound as to what apps can do.
On Android you can replace, customize, or otherwise implant yourself anywhere in the OS. I’ve seen apps with notification shade advertisements you can’t swipe away.
Sometimes less is more.
Pretty much any OS can be secured in the hands of the right user. For example, I’ve been using Windows (in one flavor or another) for about 20 years, and have never had any issues with viruses/malware. If I had an Android phone and was running an outdated, insecure version, I could just flash a custom rom and be done with it.
So really, the only ones you have to worry about is your average, Joe Dumbshit. And in that respect, they’re probably going to be safer overall on iOS, because it’s a lot harder to hurt themselves in the App store than in the Play store. Sure, there isn’t much malware out there, but imagine a few weeks ago if he wanted to download BBM to talk to one of his Blackberry-using friends, installed one of the dozens of fakes that were up at the time, and ignored the permissions (as they always do). Who knows what he would’ve ended up with.
A huge part of the problem is that the Google Play store walks and quacks like a curated app store, but as numerous incidents have shown, it itself is not a so called “Trusted source”.
And of course we’re talking about the average user who has the expectation that stores are curated.
Too bad they’re the absolute most common class of technology users, by far. So yes, we do indeed have to worry about them. Still, they keep some of us in business.
Right, that was what I meant. In other words, it matters more which OS is better at keeping the average user from hurting themselves, and that means a closed, curated app store is always going to win out over one where anything goes. Of course, something can be said about freedom vs security, but that’s not the point of this article.
… that you know of.
(Note: That would be equally valid, irrespective of the OS involved.)
Have you seen the newer permission screen? It addresses the main attack vectors really well. I can’t really leave the blame on Google when people still install apps that have a giant red popup saying – “This costs you money”. It’s like complaining that iOS is insecure when users click OK whenever an app requests access to contacts.
And you think most people using Android have a different one? In that regard, iOS AppStore is no more and no less secure than Google Play.
Say you have an iPhone 3GS on the one hand, and an original Motorola Droid on the other. Both run discontinued operating systems that will never be updated again. Can you still surf the web securely on them?
The outdated iOS version on the 3GS probably contains numerous vulnerabilities in its WebKit component, which is used by Safari and ANY OTHER third party browser you may install! You install Firefox, but Apple required Mozilla to use WebKit to render any website, thus inheriting all those security flaws in the outdated component.
The Droid? Well, go install Firefox and be fine. It is allowed to use its own code to render the web, and does!
So, to answer the question above: The iPhone is a brick, while the Droid does(!) surf the web securely. To be fair though, you could still use something like Opera Mini on the 3GS, but with all the limits it brings with it.
To recap, while I see iOS as pretty robust and relatively long supported, this advantage I’ve outlined above is still a pretty big pro for Android, IMHO.
Edited 2013-10-08 18:50 UTC
The original Droid can run Android 4.x with unofficial ROMs, too.
Just for the record, what you’ve said does not invalidate my argument.
My Galaxy Apollo had three (that I counted) security flaws. Samsung did not care to ship the 2.2 upgrade in Brazil that fixed one of those.
The other two? Who cares about someone with an old device?
Maybe you were unaware of this, but the security of an operating system (in the form of resilience against known attacks) can be quantified.
Here are two older articles which compare the security of Linux distributions:
http://labs.mwrinfosecurity.com/blog/2010/06/29/assessing-the-tux-s…
http://labs.mwrinfosecurity.com/blog/2010/09/02/assessing-the-tux-s…
I’m surprised you didn’t post this story:
http://qz.com/131436/contrary-to-what-youve-heard-android-is-almost…
Android has a very layered and well thought out security model. Security isn’t just about what you can get installed, it’s about what that software can do.
The problem is not so much lack of security in Android (the OS is secure enough) but the lack of proper application screening in the Google Play store. I bet 99% of malware on Android is not exploiting security holes but simply working within the confines of the permissions granted to it by users during the installation.
Initial Android security problems come from the fact that many established and peer reviewed low level system components of the OS have been replaced by Google with their own software that, while also being OSS, has been on the market for a much shorter time and is not being actively developed/checked by the community.
Another source of Android’s insecurity is the lax update policy of manufacturers / telecoms over which Google has little influence.
Over time the situation should improve but standard Linux level of security should not be taken for granted on Android.
Edited 2013-10-08 20:52 UTC
Yes Android does have security mechanisms and sandboxing in the OS, but how secure can you make a phone OS when it allows users to swap out to third party keyboards at will? I actually think that there are more programming exploits that could occur running native code on Android than iOS after just finishing reading an Android programming book.
I hate to bring this up, but no one mentions that Windows Phone 8 is considered more secure than both of them since WP8 just passed FIPS certification. It’s now being adopted by businesses and governments just because of this cert. Most new programs on WP8 are written in managed code and the OS has strong security policies set from the get go by MS.
That must be the first time I saw anybody touting this stupid limitation of WP8 as an advantage. Of course you can make 3rd party keyboards secure if you disallow keyboard apps from talking with the Internet or leaking information to other apps.
Reducing security to FIPS certification is disingenuous at best.
You know what other operating system was FIPS certified? Windows NT 4.0 (I kid you not!).
And if you followed the FIPS guidelines, NT 4.0 was very secure. The defense department used it in these configurations regularly.
Limiting the keyboard and other mechanisms from third parties is the reason why MS and Apple both do it.
The Swype keyboard will not even function without access to higher system functions.
By allowing third party keyboards, programming calls are also being sent to the keyboard, and who knows besides the third party how those calls are being handled. I know that programming for WP8, the XML code is limited to the keyboard modes that are natively available only.
Edited 2013-10-08 22:38 UTC
Third party keyboards, otherwise known as keyloggers. APIs are powerful things.
I think Microsoft knows better than anyone else that APIs can be used for things other than what they’re intended for.
That’s why you have to run through some hoops to actually enable 3rd party keyboards. A source of endless rants on Play comment section.
Don’t expect security from an OS that was designed from the beginning to track you.
Edited 2013-10-08 21:27 UTC
Yes, that’s why I use Android and not iOS.
For instance, we had a report from antivirus peddler F-Secure a few months ago, which stated that 79% of malware families targeted Android. Great. Too bad it didn’t actually tell us anything about infection rate, the statistic which would actually tell us something.
Of course, you can take a pretty good guess at what that statistic looks like, based on the fact that the company selling antivirus software has chosen not to mention such a relevant piece of information…
And that its CEO is chairman of Nokia who signed MS sale deal. Yea, I know, just a coincidence.
Nice to see people still love to argue about cellphone security, and still try to convince people their <ios/android> penis is bigger.
All the blah blah blah and spun numbers aside, I wonder if anyone here has ever actually experienced malware on their cellphone. I haven’t, and I don’t know anyone who has. My guess is most people haven’t. It’s funny to hear people argue about <ios/android> being more secure than <ios/android> when most people using either haven’t had a problem with it. How exactly is 0% malware success better than 0% malware success in real life experience?