During a question-and-answer session at the Gartner Symposium/ITxpo, Google’s executive chairman and former CEO Eric Schmidt declared that Android is more secure than the iPhone (i.e. iOS). The audience of technologists laughed, which probably wasn’t the reaction Schmidt was looking for, and when pressed by Gartner analyst David Willis the search giant’s chairman wouldn’t be drawn into specifics but rather highlighted Android’s billion or so users which means, according to Schmidt, that Android has been tested in the real world and has been proven to be secure.
Towards the end of the interview Willis summed up by saying, “What I heard was Android is more secure than the iPhone,” to which Schmidt replied, “Android is very secure.”
There is a general perception among more technical users that Android is not secure. However if you ask the average user, Android isn’t perceived as being any less or more secure than iOS. It is important to dispel some myths about Android’s security while at the same time being frank about its weaknesses.
At its core Android uses the Linux kernel while at the core of iOS is the Darwin kernel, which is the same kernel used by Mac OS X and is derived from NeXTSTEP and BSD. All software contains security vulnerabilities, it is fact. All the big software companies including Google, Microsoft, Apple and Adobe release regular updates for their products to address these vulnerabilities. Google updates the Chrome web browser frequently and even runs competitions with big cash prizes for hackers who can circumvent the browser’s security. Microsoft releases patches to Windows every month and so on.
In general the Linux kernel and the Darwin kernel are equally vulnerable to bugs which when exploited allow hackers to gain unauthorized access to parts of the system that should be off-limits. All the jail-breaking techniques available for the different versions of iOS are based on exploiting vulnerabilities in the operating system. Vulnerabilities in Android can also be exploited to gain root access. While Linux and Darwin are very mature systems and all the obvious bugs should have been found, both systems are also changing and growing, they are dynamic and as such there will always be security vulnerabilities.
As you move higher up from the central core (the kernel) to the other areas of the operating system, Google has done a tremendous amount of work to add security checks that obstruct apps and outside attackers gaining unauthorized access to the OS. Android 4.3 included five new security features including SELinux, a feature which is seen as an essential on Linux servers running in the enterprise.
But it isn’t only Android 4.3 which has been tweaked. Google recently moved the Verify Apps feature, which scans any apps that are being installed and blocks the harmful ones, from the OS (where it was added as part of Android 4.2) into the Google Play Services. This means all Android 2.3 an up users can sleep easy at night knowing that Google is automatically blocking any known malicious apps from being installed on their device, regardless from where it is installed.
And this is the real key point. Android isn’t tied to just the Google Play Store, unlike iOS which is tied strictly to Apple’s app store. There is a setting in Android which allows for the installation of apps from “untrusted sources.” It isn’t enabled by default but in some countries like China and Russia third party app stores are popular and many say important. The amount of curation that these app stores perform on the apps which are submitted for distribution ranges from little to none. This means that unscrupulous attackers can distribute apps with malicious intentions directly from these stores and if it wasn’t for the Verify Apps service they could be installed without any hindrance.
A lot of this negative press about Android is due in part to the constant mantra of the anti-virus companies that each month there are thousands of new pieces of malware for Android. And it is true in a non-real world sense, however according to Google’s latest research less than 0.001% of all surveyed Android app installations lead to harmful effects to the user. To prevent such exaggerated reports in the future Google plans to share its data with security researchers.
So is Android more secure than the iPhone? From the point of view that it includes technologies like SELinux and Verify apps along with things like Sandboxing, app permissions and Nosuid - maybe yes. From the point of view that you can install software from untrusted sources – maybe no. But remember the use of untrusted sources is a non-default configuration.
What do you think? Was Eric Schmidt going too far by saying Android is more secure that iOS?