Importance of Natural Resources

Mingis on Tech: Android vs IOS – Which is more secure?


hi and welcome back to Mingis on tech
I’m Ken Mingis executive editor Computerworld I’m here with senior
writer at Lucas Marion and Android export expert in guru junior Raphael
whose remote look at what’s going on with Android and iOS and which one’s
most secure food fight get ready okay so Lucas what what caught my eye
was you did this story little earlier this week taking a look at Android and
iOS and which of the mobile operating systems tends to be most secure and I
mean I think there’s long been this expectation that Apple because it kind
of locks things down and has total control over its ecosystem tends to be
more secure but there are some nuances and some things that’s going on now with
Android that I thought were interesting so take it away what you find well as
most people would agree obviously because it’s an open source platform
because it makes up the majority of mobile devices out there and it’s
targeted more often because of that Android does tend to be less secure
everyone I talked to across the board said that all the analysts on Android
makes up 74% of the mobile devices out there Windows only makes up 4% so that
leaves some 20% or a little more for iOS you know so those are the two major
platforms out there and as you said Apple has control of both the hardware
and the software in droid not so much because you have third-party
manufacturers making hardware they can also tweak the open source code which
any tweak to the application to the code is a potential vector for malware
threats so because of that it tends to be at least on the surface seen as less
secure and in fact when you look at the numbers on the most recent Symantec
internet security threat report showed that the vast majority overwhelming
majority of the threats were against Android devices and in fact the but the
good news is that the threat detection is actually doubled last year so they’re
they’re seeing these – these threats more often which means they can also so
the point is being that we’re getting better at finding these things and then
and then theoretically squashing them before they can spread
yep too quickly into far-right yeah and here’s the what I found really
interesting is that there are malware families and then malware variants and
the families remain relatively flat in fact they they increased less than they
did in 2015 so they’re only I think for new families in 2016 the difference
between families and variants is that a family is a similar thread across the
board it’s in a family of our similar group of threats and then a variant is
when a malicious attacker goes out there and he takes a particular malware thread
can he tweaks it he changes it a little so that whatever threat detection
software is out there doesn’t necessarily recognize it and it can get
through so whole point is to basically evade detection exactly they come up
with a slight tweak a little variant to my claim family and then hopefully they
can get around whatever defenses have already been put up right those increase
those doubled last year okay even though the families didn’t the variants doubled
last year but actually it is not as bad because in 2015 they increased by a
hundred and fifty two percent so they’ve only you know in 2016 they only went up
about a hundred and five percent so actually there were even less variants
as well I thought it’s also interesting that one of the points you you came
across was the way Apple tends to lock down apps in the you know the meta app
store because it these things are vetted so so stringently sometimes developers
would say to stringently Apple has a tendency to sort of weed out apps or
malware that might get into the system a little bit better than Google and
Android are doing on the Android side yes
and traditionally Google has not done as well with that but they’re getting
better you know that’s another point that I made in the story is that they’re
canning to lock it down a little better they’re requiring that software
developers go through a vetting process with Google itself so they are getting
better at protecting the software that’s coming out the other thing I think I
want to mention is updates so a be an operating system ratings just an update
okay yeah Apple tends to force them as yeah you can order interesting or
whatever but yeah one way or that not so much with Android you know they put them
out there a lot of interesting administrators will
ignore that because we are talking enterprise here there’s so many variants
of Android mobile that it becomes more difficult to push the updates out okay
all right so Junior let me ask you so that that’s sort of the background that
you know we’re coming at this from I I admit I I have an iPhone I have an iPad
I’m an apple guy but I I also am let’s say Android curious okay because I
really do think that there’s a lot going on in the Android ecosystem here and I
so if I was thinking of maybe making a you know God forbid a switch arm would I
can you make me feel secure or comfortable that that Android is
moderately secure or maybe we’re all wet and it’s totally secure I mean I’d fill
me in on what’s going on on the Android side of things and make me feel better
yeah well first of all I think there’s some important caveats you have to
consider whatever we talk about Android security and a lot of them don’t come up
when you just read the research that comes along there are four things that I
usually tell people to think about whenever we see some shocking headline
about you know 10 million users at risk from this or that whatever thing is
coming up the first one is who is behind the research and what may be driving
their motivation with very rare exception when we see a story about some
big bad Android security threat it’s almost always a company that stands to
benefit from the perception that Android is not secure you look closely and
sometimes it’s an obvious name like Norton or semantic or lookouts you know
someone that produces software for Android specifically sometimes if some
research from you haven’t heard have you started digging around your website you
see wait a minute they do offer security consulting for enterprises about Android
we think that’s important just to know the context you know second I tell
people to look at if the threat is something they’re likely to download and
install or if it revolves around some weird random app no normal person would
ever encounter so a lot of times too you read the fine print of these threads and
it’s either something that you would have to go to some website in China and
manually download it you know ignore every security warning on your phone and
if salt anyway it’s not something you would find in the Play Store the
official App Store on Android which is where you know the vast majority of
normal people are getting their apps you know third on the off chance that you
did some let’s say you go to that Chinese website
you download that you would Norton you install it would your phone
automatically protect you from anything harmful nevertheless Android has
actually a lot of layers of security these days and that’s something that
Google’s really built up over the years and just at this year’s past IO
Developers Conference they announced a whole new thing called Google Play
protect it’s really not new which is basically rebranded because there were
all these little pieces that people didn’t know about they were hard to see
but in essence what it’s doing is scanning for apps automatically on the
Play Store even if you download something from a remote location or
someone emails you an app again not very common but let’s say you do it’s still
going to scan it when you install it on your phone and it continually scans apps
on your phone over time so let’s say I handed my phone off to a friend he
downloaded something really shady and I didn’t know I get my phone back and you
know whatever warning it gave him I didn’t see still in the future my phone
will warn me again it’s going to keep scanning and again that’s something you
don’t really hear about when we talked about these threats that with all this
considered they’re kind of more theoretical more often than not they’re
not really real-world practical impact that brings me to the fourth thing I
asked people to consider is has any normal user actually been affected by
this in the real world because you know you hear about whatever Windows malware
scare is a moment want to cry or whatever it is and you see hard numbers
of these dis many enterprises are affected these many consumers you hear
actual stories of people who are affected when it comes to Android
security threats you really don’t because I mean the fact of the matter is
nine times out of ten a mean even more than that the vast majority of the time
they’re just theoretical things that work either a demonstration of some
theoretical security hole or perhaps something that’s just not going to
impact you in the real world the way most of us use their devices so I mean
sure there are ways that operating systems Android / io s can be insecure
but thus far at least from my perspective having seen a lot of real
need for worry from a user’s perspective okay yeah it’s interesting that you
mentioned that because one of the things that Lucas had come up in his story was
that you know even iOS can be attacked and there were some some attacks I think
was it last year then had targeted Apple even with all of its layers of security
take it what’s a Texas my exactly you know
Pegasus and so I mean and you know you make a very good point jr. which you
know step one is to just be smart about what you’re doing when it comes to
downloading apps and software and this is true anywhere I mean isn’t I do get
that the the biggest problem with tech not technology security is the human
factor you know and if your so what you’re saying is you know you’ve got
your Android phone you’ve updated to the latest OS that you can at least three or
three or carrier and you’re being smart about getting the the software that
you’re running on the phone you know 99 times out of a hundred you’re unlikely
to run into some of these these scare scary kinds of malware attacks that are
that are popping up yeah I mean I’ve done a fair amount of debunking of these
over time or kind of reality checking of these over time where you know
regardless of what the on paper we can say this might happen here are the
reasons why of what would happen to you unless you go in and actively disable
every layer of security on your phone which you know no one would recommend
doing of course it’s going to be pretty hard for most of these things to get
through to you you know that being said that the point about upgrades is a very
valid point a Android upgrade to something we’ve covered a lot on
computer over the years going way back to the beginning and of course what you
know every year more and more Android devices coming online and more
manufacturers creating more variant carriers doing their own there is a lot
of variability for instance right now we’re waiting for the Android oh release
to come out any day any week now and Ken and I were – in fact talking before this
taping about how long it would take to reach different phones and the short
answer is there’s no good answer because it’s up to each manufacturer to send it
out Google provides the software but Samsung HTC LG they’re all able because
of the open source model to put their own stamp on it and so the software goes
to them they have to you know tweak it the way they like then send it out and
you know technical factors aside there’s the just plain reality that LG doesn’t
have a heck of a lot of motivation to rush out an update they’re not getting
any financial gain from sending you the Android L update they’re getting a
financial gain if you go buy a new phone into here so you know we can think about
what they’re saying behind the scenes but the reality is most manufacturers
tend to be pokey about it and that’s been very
consistent unfortunately over time you know the one exception to that which is
worth noting is Google itself obviously Google has an incentive to keep your
phone running the best possible software to keep you using the software to keep
you going online that’s seeing ads I’m going to go back to the whole Google
business model but because of that it ends up providing the best and most
secure user experience and that’s why for people who really place a priority
on upgrades which I would argue most people should Google zone Nexus and now
pixel those are the really only ones I wholeheartedly recommend for folks to
buy you know even if we’re talking my own friends and family or you know
readers who are reaching out well that’s yeah and in fact I was going to ask you
about that specifically because I mean I do understand that you know
fragmentation on the Android side has been a problem and it’s in it’s a
problem really related to the carrier’s you know you make the point that once
once you’ve got the phone they’ve got the money and they’ve done what they
want to do to sell you a phone and if they’re worried that it’s going to be
insecure or something and you want to do phone well boom you know the carrier’s
would love for you to they’ll be happy to sell you a new a new device whereas
with with you know on the iOS side the way Apple rolls out its updates every
year every fall you know very quickly within a month or two or three the
majority of people on Apple devices have been updated to the latest version of
the operating system which will have you know the latest security flaws corrected
theoretically so if um and you did you just touched on this if I was going to
you know I’m coming I don’t have a phone or I’m coming from Apple and I wanted to
get into the the Android ecosystem and be sure that I was getting the best
experience and you know the quickest updates really the answer is is a pixel
or you know something from Google in terms of yeah and at this point pixel
Nexus was their previous branding and as of last year for the moment at least
pixel is the only branding so yeah I mean pixel is the only viable option
quite honestly I’ll be looking at of course any one Android out comes out how
things go but with every release leading up to this no matter what steps Google
is taken to try to kind of gently nudge manufacturers and carriers into sending
us out a little quicker we see the same thing Google’s own phones get the
updates within a matter of days you know they usually do a staged
rollout so you might not get it day one but you’re gonna get within a couple of
weeks when when enough it comes out and that’s the same for a major OS update if
it’s you know like a seven point one kind of fix or there are also monthly
security patches now which is something that Google came out with a couple years
ago again great in theory if you have an AT&T based Samsung phone you may or may
not get that security pass you know normally not you’re not going to get it
on day one you may get it on day 50 or you may not get it at all not to call
out that right right that’s true of any query I know it’s not just ATT it’s
going to be any character in anybody anytime you’ve got a system where
there’s something between you and the security update or the update that you
want there’s a chance for you know for friction there to slow that slow that
down and I think people you know do understand that so it so it sounds like
basically in terms of the headlines you know Android iOS they’re both secure
relatively secure they’re secure in different ways and for different reasons
always always make sure that you’re downloading stuff from you know
unofficial app store to make sure that it’s at some level of vetting the last
question and then this sort of goes to Android oh do we have any sense whether
the next version of Android has you know have they touted security features that
are going to be included in that do we know yet you know what things they may
have done it mean obviously they’re not going to tell you all the details
because then someone’s going to try to reverse-engineer it but do we know
whether Android I presume each version of the Android operating system gets
more secure is that is that accurate yeah I mean I just think it would be
safe to say in general a none of the big marquee improvements are security
related this this go-round but I think they’ve also pulled a lot of that fat
with the monthly security patches in terms of kind of making that a piecemeal
thing and that’s another interesting point on the Android versus iOS upgrade
discussion I think it’s safe to say there are pros and cons to both
approaches Apple certainly you’re you know it’s streamlined you’re getting it
all from one company what Google is done to kind of counterbalance that over the
years is this really pulled more and more pieces out of the operating system
and made them into standalone apps so for instance there’s an app on your
phone called Google Play services that’s updated through the Play Store no matter
where you are what phone you have what carrier you get the update at the same
time just like if you know Twitter puts out an update to its app everybody gets
it know and that app controls a lot of under-the-hood behind-the-scenes
security stuff and you know it could see an update every month
similarly the web view controller is its own app so when there are web-based
security updates they’re coming out you know anytime they can send them to
everybody so a lot of the security stuff on the broad scale has kind of come out
of the OS and they’re finding ways to update it in a more of a piecemeal
fashion you know there is the typical every OS update you hear on any platform
is faster or more secure etcetera etcetera but there’s not any big
security headline with this one so far okay let me ask ya because so from an
enterprise standpoint you know if I’m in charge of mobile devices in an
enterprise would you recommend that they consider a pixel phone rather than a
third party manufacturer because they’re going to automatically get those updates
I think there’s that way an argument to be made for that I mean the I think the
security updates are probably the more critical ones in that context you know
you may not be as worried about getting the cool new feature out to your users
on day one but you know with security there’s just such variance across the
board what I’ve often told people in terms of Android thinking of it at you
know high phone kind of parameters is that you can have that sort of holistic
all-in-one one company controlling the hardware software all around experience
you just have to make that choice you know on iOS you’ve got this or that
model of iPhone and that’s that’s your choice on Android you’ve got a
million-in-one choices but there is that one that is comparable you know sort of
in theory to the iPhone which is Google’s pixel previously Nexus phones
and those do give you that same kind of hates a safety net sort of that that
knowledge that you’re going to have the latest and greatest software both in
terms of security and features and then of also performance and other things so
yeah I mean if that’s what you want and you want that more holistic controlled
experience where you know where your updates are coming and you don’t have to
think this time is it going to take Samsung six months or eight months you
know which it sounds like a lot of time but that’s pretty realistic without
like sending out up and Elizabeth those are the most most people have chemicals
yeah I mean I I do a report card kind of tracking their progress on sending out
updates and Samsung got a flat F last time which is pretty sad with you know
by far the biggest manufacturer phones certainly those are the ones most people
are using and Google has a lot of work to do and is treading some kind of
touchy ground and educating people about the differences you know it’s now not
only offering its own phones it’s actually manufacturing its own phones as
of last year and in that sense much like with Microsoft it’s competing with the
ecosystem of partners who are creating these so it’s it’s a tricky thing and I
don’t know that there’s a great answer for how they get that message out there
they are marketing a little more at the pixel but you ask an average person on
the street about Android they’ve heard about the you know Galaxy Note Galaxy S
whatever most people don’t know what a pixel phone is still today I think it’s
gotten better but it’s still not the the mainstream whether we’re talking
consumer or enterprise product that people know I want to say one other
thing because this was interesting in my research as well when I was talking to
Forrester and IDC um Android because it’s open so it’s also tends to be more
friendly to enterprise mobility management software which in its own
right can secure the enterprise compartmentalized applications that you
can have access to as an employee so they tend to go across more more vendors
Android that is so when it’s combined with an enterprise mobility management
strategy it can actually be more secure than Apple from that perspective that’s
an interesting plan yeah that’s an interesting point I am but it makes
sense I mean I guess the same way that Samsung can go in and customize the
software in theory as a major enterprise that has the resources to do it could
come up with its own kind of custom version of Android or custom
modification thanks that’s certainly a good point yeah all right great well I
don’t think I can add anything to that maybe solve the problem I think we’ve
solved well you’ve reassured me that if I ever decide to ditch Apple you know
again I realize it’s hard to believe but I would feel comfortable you know in the
Android ecosystem as long as I’m a smart you know smartphone user so Jr thanks
for stopping by and filling us in with the details Lucas but yeah stop and buy
as well for now that’s a wrap


Reader Comments

  1. I have a T-Mobile S8 and I'm currently on the July 1st security patch. Don't think they are that bad as to the patches but they are as to the os version.

  2. when it comes down to choosing a platform of your choice you have to find out which one benefits you the most what are you going to use it for. when it comes to any platform they all can be hacked, it's up to you to do the research and then come to your own conclusions. my friend was an Android user and he switched to Apple and I was an Apple user and I switch to Android.

  3. The more freedom you have, the more responsibility you will get. On Android you can install any APP and even develop you own APPs directly on the device: this freedom is the reason for the success of Android. And for the security there is permissions-management.
    If you Install an APP from dubious sources – it is your fault.
    But it is way better than being patronized by Apple

  4. Sorry to mention it but, I couldn't concentrate on the Video as the chap in the middle was doing a impression of a nodding dog!! Really annoying…!!!!

  5. What in the Hell is "Enterprise Mobility Management Strategy" I sat here like a doofus 20minutes to hear that as a summary?

  6. IOS is a closed box. You need to check it with your programs produced by apple even if your data is sent to any location. So you can't check the apple independently from it. You can never learn whether it is safe or not. IOS always has backdoors but you can't learn them if Apple doesn't let you.

  7. Looks like im changing to apple. :'( uggh makes me feel sick. I hate iphones, love android but the security, perhaps i will grow to love it

  8. Ever wondered if your iPhone has been hacked?? Is Apples privacy really on point?

    We are Certo the only spyware detection tool in the world

    https://www.certosoftware.com/

Leave a Reply

Your email address will not be published. Required fields are marked *