Hold the phone: Is my mobile device secure? (Images: Thinkstock/Apple/Android, modified by Yahoo Tech)
A few weeks ago, researchers found a gaping vulnerability in a component of Android, called Stagefright, that allows a hacker to take complete control of an Android phone or tablet. The bug threatens nearly a billion devices and has prompted Google and hardware makers such as Samsung and LG to rethink how they provide software updates to Android devices.
Apple’s mobile devices aren’t immune to security threats, either. Last year, security researchers found a vulnerability that could — albeit under rare conditions — allow fake, spyware versions of apps like Facebook and Skype to get onto iOS devices. (More about that in a bit.)
Historically, PCs and Macs have been far bigger targets for hackers and cyber crooks than mobile devices like iOS and Android smartphones. One reason is that PCs and Macs are inherently less secure, by design. “Historically they were totally open platforms … that’s what made the PC so popular,” said Guillaume Ross, senior consultant at security company Rapid7. (And by “PC,” he means Windows, OS X or Linux computers). “So few restraints were placed on what application you could use.” PCs evolved before online security was a major concern, and we’ve been trying to retrofit them with security measures ever since.
Smartphones and tablets, on the other hand, emerged after security had become a major issue, and they were designed with that in mind. “Nowadays, you install an application on Android and iOS, and it asks, ‘Do you want to allow this application?’” Ross said.
But Ross acknowledges that mobile threats will probably keep growing as people shift more of their digital lives to handhelds. So in addition to comparing things like emoji selection and selfie options when choosing between mobile platforms, it’s time to start paying close attention to how they compare on security.
Open vs. closed
One of the key differences between iOS and Android is that the latter is built on an “open” philosophy: Phone makers, wireless carriers and individuals can custom-configure the OS. App makers have many ways to get their products onto the platform, and apps have more access to the inner workings of the operating system than they do on Apple’s iOS.
This is not to say that iOS doesn’t have its own security vulnerabilities. Morey Haber, VP at corporate security software maker BeyondTrust, calculates that iOS had a whopping 127 discovered flaws in 2014. That compares to, well, nobody knows how many security vulnerabilities on Android in the same year.
How could we not know? Because Android device makers like HTC and Samsung are free to customize the OS — changing default applications and even the interface — as they see fit. Wireless carriers can also tweak Android and add apps. All of these changes can add vulnerabilities (although, to be fair, some could also remove risks).
This Samsung Galaxy S6 runs Google Android, but it gets software updates from Samsung. (Photo: CNET)
Because of all these different points of control, Android updates can be released at the whim of Samsung, Motorola, AT&T or whoever else has responsibility for crafting them. You might wait for months, years or forever. “If you have [a] device that’s older than a couple of years, you might never get [an update],” said Patrick Nielsen, senior security researcher at antivirus company Kaspersky.
According to Google, just 12.4 percent of Android devices are running the latest 5.0 and 5.1 versions of the OS (aka Lollipop). Eight other versions, dating back to 2011, are still in wide circulation — and most of those older editions are unpatched against security vulnerabilities that have emerged since their heyday. The major exceptions are Google’s Nexus-brand phones and tablets; they get updates immediately from the source, like iPhones and iPads do.
The newly discovered Stagefright vulnerability appears to have scared the Android side of the industry into a response. On August 5, Google sent out the first of what will be monthly security patches to its Nexus phones and tablets sold in the previous three years. That means even people with devices running older versions of the operating system — going back to Android 4.4 KitKat — will get security fixes, even if they don’t upgrade to the latest version of the OS (similar to how people running Windows 7 on their PCs don’t have to upgrade to Windows 10 to stay protected).
LG and Samsung have also announced their intention to provide monthly security updates, though that requires coordinating with wireless service providers, which might complicate the matter.
The winner: iOS
Android is making progress fixing security bugs promptly (especially on Nexus devices), but Apple has been doing it longer and trying hard to make security patches and stable OS updates work on all its products.
Guarding against bogus apps
While the operating system is the main target on mobile devices, malicious apps can also be vectors for attack.
Apple seems to have an advantage because of its tight restrictions on app distribution. It’s notoriously difficult to get an app through Apple’s rigorous App Store approval process, and it’s notoriously onerous for iPhone or iPad owners to get apps any other way. Their only real alternative to the App Store is to hack (i.e., jailbreak) their own phone to install apps from other sources. Doing so opens all kinds of security holes and could void warranty coverage.
So, for example, hackers have found a method — called Masque Attack — that tricks iOS into thinking that booby-trapped versions of popular apps such as Facebook are the real thing. These apps can then intercept information (such as audio from a Viber call or video from Skype) and send it to a spy’s servers.
Two non-jailbroken iPhones. (Photo: CNET)
But those booby-trapped apps can’t get into the App Store. To get infected, the victim would have to either jailbreak the phone or work for a corporation or government agency that installs custom apps on employees’ devices and is a target for espionage. That company or agency itself would need to have been hacked for the booby-trapped apps to get in there in the first place. “Not impossible but very difficult to say the least,” Haber wrote in an email to us. “Stagefright represents a larger risk than the Masque Attack for the average user.”
(Security firm Zimperium, which discovered the Stagefright vulnerability, has released an app for checking your Android system.)
Android has its own store, called Google Play, where programs undergo safety evaluation. But that evaluation has traditionally been an automated process, said Guillaume Ross, whereas Apple has always had people involved. “That is changing,” said Ross, who believes that Google is getting better about policing its app store. In fact, Google claims that just 0.15 percent of Android gadgets that get their apps from Google Play are infected with malicious programs.
But it’s much easier for Android phone owners to skip the official route and get apps from other, smaller stores — no hacking required. These non-Google app stores — including Mumayi, AnZhi, Baidu, eoeMarket, and liqucn — are often teeming with fraudulent, malware-laden apps.
The winner: iOS
Both Apple and Google are diligent in policing the software available in their stores, but Apple has traditionally been more thorough about it and about making it hard to shop elsewhere.
What apps can do
Traditionally, apps on Android devices have had more power to interact with one another and the operating system. That gives those apps a flexibility and a customizability that Android fans love. Apple is more conservative, sometimes infuriatingly so. For example, Android users had been enjoying alternative keyboards for years before iPhone owners got them.
Swiftkey on an iPhone. Took’m long enough. (Image: macstories.net)
Starting with Android 5.0 Lollipop, in October 2015, Google has been putting tighter restrictions on what apps can do, a practice called sandboxing, said Ross. (Android has had sandboxing for a while, but Lollipop strengthened it significantly.) Apple has had strong sandboxing practices since the beginning with iOS, so Android still has some catching up to do. And if you have an older Android phone, you may not be able to update to 5.0 or later to take advantage of the better sandboxing.
The winner: iOS
Apple’s been reining in apps since the beginning, while Android is playing catch-up.
How to stay safe
Given all that, there are some things you can (and should) do to keep your mobile device secure.
Get an iPhone or iPad: If security is a top concern (as it should be), but you don’t want to worry about it all the time (as you shouldn’t have to), get an iPhone or iPad. Apple’s iOS is still inherently safer than Android (especially older versions of Android), and security updates come regularly to all devices.
Get a Nexus phone or tablet: If you prefer Android to iOS, buy a Google Nexus device. They get updated more quickly than any other Android products, and now those updates include security patches for older versions of the OS. Other phone makers like Samsung have also pledged to provide such regular updates, but the details are still vague.
Install security software for Android: Since most Android devices don’t get prompt updates, security software may catch attacks on unpatched vulnerabilities. To decide on an Android AV package, check the frequently updated results on independent research site AV-Test.org.
There’s no point running AV on iOS devices, says Ross. The sandboxing restraints are so strong that security software isn’t able to do much to further protect the system, and only App Store-approved apps can run.
The bottom line: The mobile security situation is looking up. First, mobiles are still much less likely than computers to get attacked. Second, Android is finally catching up to the kinds of strict security measures that Apple has had for years. But it’s not there yet. So for the utmost in safety, Apple gadgets remain the best choices.