Eric Schmidt says Android is more secure than the iPhone, is he right?

October 8, 2013

    Eric Schmidt talking on Moto XDuring a question-and-answer session at the Gartner Symposium/ITxpo, Google’s executive¬†chairman and former CEO Eric Schmidt¬†declared that Android is¬†more secure than the iPhone (i.e. iOS). The audience of technologists laughed, which probably wasn’t the reaction¬†Schmidt was looking for, and when pressed by¬†Gartner analyst David Willis the search giant’s chairman wouldn’t be drawn into specifics but rather highlighted Android’s billion or so users which means, according to Schmidt, that Android has been tested in the real world and has been proven to be secure.

    Towards the end of the interview Willis summed up by saying, “What I heard was Android is more secure than the iPhone,” to which Schmidt replied, “Android is very secure.”

    There is a general perception among more technical users that Android is not secure. However if you ask the average user, Android isn’t perceived as being any less or more secure than iOS. It is important to dispel some myths about Android’s security while at the same time being frank about its weaknesses.

    At its core Android uses the Linux kernel while at the core of iOS is the Darwin kernel, which is the same kernel used by Mac OS X and is derived from¬†NeXTSTEP and BSD. All software contains security vulnerabilities, it is fact. All the big software companies including Google, Microsoft, Apple and Adobe release regular updates for their products to address these vulnerabilities. Google updates the Chrome web browser frequently and even runs competitions with big cash prizes for hackers who can circumvent the browser’s security. Microsoft releases patches to Windows every month and so on.

    In general the Linux kernel and the Darwin kernel are equally vulnerable to bugs which when exploited allow hackers to gain unauthorized access to parts of the system that should be off-limits. All the jail-breaking techniques available for the different versions of iOS are based on exploiting vulnerabilities in the operating system. Vulnerabilities in Android can also be exploited to gain root access. While Linux and Darwin are very mature systems and all the obvious bugs should have been found, both systems are also changing and growing, they are dynamic and as such there will always be security vulnerabilities.

    google verify apps defense (1) Qz

    As you move higher up from the central core (the kernel) to the other areas of the operating system, Google has done a tremendous amount of work to add security checks that obstruct apps and outside attackers gaining unauthorized access to the OS. Android 4.3 included five new security features including SELinux, a feature which is seen as an essential on Linux servers running in the enterprise.

    But it isn’t only Android 4.3 which has been tweaked.¬†Google recently moved the¬†Verify Apps¬†feature, which¬†scans any apps that are being installed and blocks the harmful ones, from the OS (where it was added as part of Android 4.2) into the Google Play Services. This means all Android 2.3 an up users can sleep easy at night knowing that Google is automatically blocking any known malicious apps from being installed on their device, regardless from where it is installed.

    And this is the real key point. Android isn’t tied to just the Google Play Store, unlike iOS which is tied strictly to Apple’s app store. There is a setting in Android which allows for the installation of apps from “untrusted sources.” It isn’t enabled by default but in some countries like China and Russia third party app stores are popular and many say important. The amount of curation that these app stores perform on the apps which are submitted for distribution ranges from little to none. This means that unscrupulous attackers can distribute apps with malicious intentions directly from these stores and if it wasn’t for the Verify¬†Apps service they could be installed without any hindrance.

    A lot of this negative press about Android is due in part to the constant mantra of the anti-virus companies that each month there are thousands of new pieces of malware for Android. And it is true in a non-real world sense, however according to Google’s latest research¬†less than 0.001% of all surveyed Android app installations lead to harmful effects to the user. To prevent such exaggerated reports in the future Google plans to share its data with security researchers.

    So is Android more secure than the iPhone? From the point of view that it includes technologies like SELinux and Verify apps along with things like Sandboxing, app permissions and Nosuid - maybe yes. From the point of view that you can install software from untrusted sources Рmaybe no. But remember the use of untrusted sources is a non-default configuration.

    What do you think? Was Eric Schmidt going too far by saying Android is more secure that iOS?

    Comments

    • Bone

      Of course he’s right, many security comparisons showed us that.

    • Armando Ferrero Rocher

      Android is secure. The Play Store isn’t.

      • M. Clark

        I’d say the Play Store is pretty secure too, dependent on the user. It’s really installing 3rd party apps from unscrupulous sources that introduces risk. Anyone with a security based perspective can keep either OS free from malware with little or no effort.

        • Armando Ferrero Rocher

          One example: fake BBM apps on the Play Store.

    • Vern

      If you’re not going to change the default security settings and root it. Yes, I believe it is secure.

    • spejside

      Google and Apple will both hand over all your data to the NSA, so they’re equally insecure.

      • Daryl Tang

        You forgot to add that google can use your data as they like for their or their client’s services

        • Lil bit

          …. Regardless of you using android or iOS.

        • APai

          sounds like thats the same deal with EVERY one of those cloudy services. some are upfront, others are concealed.

        • NeedName

          yeah, apple never uses any of their users’ data for anything. . .

          /s

          all companies will always leverage their customers to make more money. . . any and every way possible.

          • CactusCat

            Perfect example? iTunes (aka Looney Tunes)…. that is Apple’s cash cow and its on every device they sell. They want to get you tied into it and once in, it’s hard to get your stuff and get out of it.

        • http://worldofwarlow.wordpress.com John Warlow

          I can’t remember where I saw this but “if you don’t pay for a product, you are the product.” Google using your data is probably way down in the TOS you sign up to but hardly anyone reads.

      • joser116

        I hate all these posts. Its not like Google really hands over their data.

    • Balraj

      Even I would have laughed lol
      But every os is secure, if we stop using pirated app, 3rd party app but who would say no to free stuff :-P
      But frankly ios > android when it comes to security…

    • shadow90

      There’s a reason why the Jailbreak team is worth half a million
      Saying android is more secure than iOS is like saying Toyota Prius is better than Pagani Zonda

      • Anders CT

        Well, a Prius is certianly safer and more secure to drive.

        • Jimbo

          And safer for your pocket :-)

    • Anders CT

      Absolutely. Android is a mature, open, and very robust software stack built on the industry leading SE Linux.

      But it is not only the OS security that matters. The Play Store is a lot less secure than the App Store, and the torturous updates path many Android devices depend on, means that vulnerabillities can persist for much longer. So the Android the platform has some insecurities that matters to most enduser. But Android the OS is as secure as it gets, and unlike iOS the security of the system can be verified by inspection.

    • firefly

      Nope, both Android & iOS are insecure.

      But Android is the lesser of two evils in this case. You can modify Android to become more secure, with various tweak, fix, custom rom, etc. It’s up to user how secure his/her Android device would be.

      With iOS, it’s up to Apple how secure their device would be.

      • abazigal

        Considering that most people won’t, won’t the safer device be the one that is more secure right out of the box with minimal tinkering?

        • John Galt

          that is absolutely right

    • Kokusho
    • M. Clark

      For a security minded user, Android is both more secure out of the box AND easier to make more secure. For an average idiot doing stupid stuff, iOS protects the user from themselves better. If you behave in a security minded manner (know what you’re downloading and from whom), it’s very difficult for malware to get onto your mobile device.

      • David Emmerson

        Just a personal anecdote: I have a few friends with Android devices and between them and myself, I have never seen a security compromised device. However, the only two people I know with iPhones have both had security issues, one of them more than once. Bringing it back to what you said, my two iPhone friends are not very technology literate, whereas my Android friends are. Maybe that is where the division should really be placed.

        • NeedName

          I agree with you.

          I’ve never used any “security” software on my Win machines. . . and never have had an issue, because I know how to lock it down pretty tight and what I’m doing online. However, friends and family seem to always have issues and when I talk to them about what happened. . . they were being just plain stupid and ignorant of what they were doing online.

        • John Galt

          Yes, the average samsung user is a technology genius

      • NeedName

        well stated. . .

        if you are a moron then yes, you need to stay inside a well protected “garden.”

    • LiiIiikEaBau5

      Google is secure but not against ads!

      • Jimbo

        Adaway:-)

    • Matt

      I dunno. Based on the OS itself perhaps Android is up a step or two… but for me it’s the SDK and anything built on top of Java, even a version of Java created by Google, is just plain scary.

      • Anders CT

        With Android Java is only a tool the exists on the developers computer. Java is not part of Android.

    • Shermon MK-1

      It’s more secure against hackers/scammers…NSA gets it all anyway though.

      • APai

        NSA gets its way through EVERY damn thing :) they are the ones sitting on top of the data food chain. they filter feed off everything, the whales of the digital ocean.

    • Oli72

      its secure.

    • APai

      Schmidt is right on it, android is pretty good now with security. it’s been the same with any unix systems too – if the user doesn’t care about security and installs software from all over or mucks it – then it surely is his problem. we dont need no stinking anti viruses – the AV industry is simply making noises to attract some business for themselves

    • vosg

      Yes he is.

    • Bryan Z

      As an entrepreneur who owned an app dev company I can say that apps submitted to the play store make android less secure. When you submit an app for the android market it pretty much goes in without revision unlike when you submit an app for itunes where you almost gotta pray that they accept your app as is after your hard work.

    • RR

      I think many of you are missing a key point here. Both OSs will contain vulnerabilities, that is an unavoidable fact. The key differences I see, which cause me to believe iOS is more secure are:
      1. When you buy an Android phone, you’re more than likely stuck on the software version the phone was released with for the life of the phone. Updates to Android that mitigate vulnerabilities are useless if they can’t make their way to the devices that need protection. The only way around this is to root your phone, which opens up another host of potential problems.
      2. The walled garden approach iOS takes actually reviews apps for malicious and/or vulnerable code. While this approach certainly isn’t going to catch 100% of the bad code out there, it’s better than what Android does.
      3. iOS devices are known hardware platforms. The vast number of devices capable of running Andorid make it more difficult to ensure the device implements its security policy as it should, making it more likely for vulnerabilities to exist.

    • John Galt

      This article is collective dung. I’ve read lots of good comments, but the fact is, the average meathead consumer doesn’t root their phone, or have half a wit about good security sense. So all of you geeks who comment that the platform is secure if… Forget it. Android is a mess. IOS is more secure because it accommodates the average person who is too stupid to know how to protect themselves. Any other perspective is just fantasy. I’ll put it this way. Give an Iphone or an android phone to an average 13 year old and tell me whose more secure.

      • Mike592

        I am young and probably know more about phones than you. I left iPhone because I was so limited in what I could do! If you are not a complete idiot you get alot more content and security from Android.

    • arrss

      Even if rooted, android is far more secure than iOS. Remember that the untrusted sources is a switch that you have to manually turn on. Also many other interesting stuff that are a google away for you to find out.

    • Nikita Reva

      Android is a more open ecosystem with dozens of variations based on carrier tweaks and changes, therefore the attack surface is likely larger than with the closed loop iOS.

    • Diane C. Williams

      I loved my Galaxy Android but was constantly getting infected by numerous Virus strains. I switched to an Iphone and Ipad and don’t seem to be having the same difficutly. Although my laptop had about 10 “Highjacketed items” as well as various viruses. What antivirus group would you recommend?

    Popular

    Latest