In the fight against malware, Apple’s iOS outshines Android as a safer environment, but no mobile device is free from risk, says a new report from McAfee (PDF).
Apple has so far done a good job of securing its devices, according to the report, noting that there have been no known cases of malware affecting iPhones, at least those that haven’t been jailbroken. One reason iOS is more secure is because Apple restricts the way users can download apps.
iOS device owners can only download apps through Apple’s App Store or through Mobile Device Management, which gives IT departments control over the Apple devices in their organizations. But even the Mobile Device Management requires approval from Apple.
Apple’s single App Store is also tightly controlled, leading to a safer and more secure environment.
In contrast, Google’s method of distributing software is more open, but with that openness comes risks. Though Google controls its own Android Market, users can download Android apps from third-party sites just as easily, which may not have the necessary security in place.
And even Android Market has proven vulnerable to threats. As just one example, Google had to get rid of a number of malicious apps in March after they were infected by a nasty bit of malware dubbed DroidDream. In total, the company removed 58 malicious apps both from the market and from mobile devices where users had downloaded them.
Further, because Android is a more fragmented operating system, many handset makers tweak Google’s open-source code and often modify certain security-related features, says McAfee. That approach also increases the time it takes for OS updates to reach Android users because some of those updates have to be customized for different devices.
And since almost all mobile malware infections come from app stores, Android has become the riskier environment. Though Nokia’s Symbian is historically still the most popular mobile platform for malware writers, Android took on that dubious role in the second quarter of the year, attracting 63 percent of all malware infections at that time.
Finally, McAfee sees a different approach between Apple and Google in combatting malware.
“Apple’s approach is proactive and focused on prevention,” the report noted. “Google’s plan is apparently to encourage the creation of apps and deal with the problems as they occur, in a reactive fashion. Google’s may be a sensible move to generate a large volume and wide variety of apps, but from the security perspective it creates exactly the kind of environment in which malware gangs feel comfortable.”
Both iOS and Android are based on Unix/Linux, according to McAfee, making them somewhat inherently secure. Instead, the vulnerabilities arise from manufacturers and developers who fail to make security a priority and sometimes rush to the market with new drivers and apps that aren’t fully tested. Updates to the operating system and firmware may also be flawed, undermining the the strength of the core OS.
Virtually all smartphones and mobile devices face security risks now and increasingly so down the road, says McAfee. Most of the malware that threatens PCs is also possible on mobile devices. Plus, the security vendor believes that new kinds of threats not yet seen on PCs may hit smartphones.
Even if the overall number of threats were to decline, mobile devices are more vulnerable simply because they’re always on, usually connected, and often hold some type of personal data.
Citing one example, McAfee pointed to a device’s GPS capability, which can reveal the user’s location. One piece of malware called GPS Spy, or TapSnake, has been found to use a device’s GPS to send a person’s location to a third party.
As another example, malware writers can exploit weaknesses in a mobile OS to control a device’s camera or microphone, letting them spy on the users. McAfee said it has already detected Trojans that were able to record phone conversations and send the recordings to a third party.
On a positive note, McAfee noted that security for mobile operating systems is progressing, making certain types of malware impossible. But the company still expects mobile malware to increase as a result of the difficulties in filtering it. Ultimately, protecting users will require the industry to better secure its mobile platforms along with its mobile devices.