The two most used mobile operating systems in the world, Android and iOS, share many features. But there is a huge gap when it comes to security, or so the world believes. Adrian Ludwig, the Director of Security at Android, says otherwise.
This is what he had to say about the two operating systems in an interview with Motherboard:
“For almost all threat models, they are nearly identical in terms of their platform-level capabilities.”
Interestingly, he claimed that a Google Pixel and an iPhone are now equally secure, and that Android's security will improve in the near future. While speaking at the O’Reilly Security Conference, he said that Google's SafetyNet scanner scans 400 million devices a day and checks 6 billion apps per day for malware. He also rejected the rumours that associate Android with malware, explaining that less than 1% of Android devices are infected with malware, and highlighted that the most critical known bug, Stagefright, was never found to have actually been exploited against a real Android device. His point was that mass exploitation of Android does not exist, and that Google seems to have good control over it. But even Ludwig admitted that OEMs and carriers need to improve their update cycles and push system updates for their devices. This is exactly the problem with Android: fragmentation. And as long as that exists, I don't think Ludwig's claim that Android is secure holds at all. In his own words, it is only the Pixel that is as secure as the iPhone.
Let me explain this with an example.
When Apple releases an update for its iPhones, all of the devices, regardless of carrier or region, get the update. So the company is able to patch bugs and security flaws across the board. There is no iPhone that cannot get the update (unless Apple decides not to release it because of hardware constraints).
When Google releases a monthly update for its Pixel or Nexus devices, only those devices get the update. Google does push the patches to the Android Open Source Project (AOSP) for custom ROM developers and OEMs to patch their firmware. But how many manufacturers actually update their phones accordingly?
The majority of non-Google Android phones are not updated to a newer version of the operating system immediately. It takes a few months for the OEM to do so, though in fairness they only get the source code from Google after it has been pushed to a Nexus/Pixel. Some manufacturers take their own sweet time to provide the update for a device; for example, the recent ASUS Padfone S Marshmallow update, while welcome, comes a year after that version of the operating system was released. In fact Android 7.0 Nougat was released in September, so you can see just how bad the fragmentation is. Xiaomi, while notoriously slow with OS updates, does patch its devices to the latest security bulletin every month. The same can be said of OnePlus, which also updates its phones to newer versions of Android a bit faster than Xiaomi does.
Most Android OEMs only provide updates for 18 months (after which devices may get only security updates), and this includes Nexus and Pixel devices. Apple, on the other hand, provides iOS updates for 5 years, so even the iPhone 4s from 2011 received the latest updates until August 2016 (when the company stopped updating the device due to hardware limitations).
The bigger problem when it comes to updates is that many Android OEMs do not update their devices at all, despite the hardware supporting the latest version of the operating system, and some devices don’t even get a single security patch. So any security flaws in the version of Android the device runs on remain unpatched. Another thing that plays a role in security is the way Apple and Google handle their app stores. The iTunes App Store is very strict and only lets developers publish their apps after a team at the Cupertino company has reviewed them. Google Play does not have such restrictions, and lets app developers publish their apps without a review process. Despite Google's best efforts, there is a chance of a malicious app slipping past its scanner, and devices that download such an app could be infected. People who install apps from Google Play are still safer than those who install apps from third-party sources. When you sideload apps from websites, you should be aware that these APKs could have been modified to contain malware. This is especially the case when you pirate paid Android apps.
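To make the patch-lag problem concrete, here is a small fleet check, added as an example rather than anything from the article or from Google: it reads the `ro.build.version.security_patch` and `ro.build.version.release` properties that `adb shell getprop` prints, and flags any device whose patch level is older than a chosen policy window or missing entirely. The property names are real Android system properties; the device dumps, the audit date and the 90-day window are constructed assumptions.

```python
"""Flag stale Android builds from `getprop` output (added example).
The `getprop` dumps below are constructed sample data in the format
`adb shell getprop` prints; they are not captured from real devices.
"""
from datetime import date

# A patched build advances ro.build.version.security_patch with each
# monthly bulletin; a device that never got one may lack the property.
SAMPLE_DUMPS = {
    "pixel": "[ro.build.version.release]: [7.1]\n"
             "[ro.build.version.security_patch]: [2016-11-05]\n",
    "oem_a": "[ro.build.version.release]: [6.0.1]\n"
             "[ro.build.version.security_patch]: [2016-03-01]\n",
    "oem_b": "[ro.build.version.release]: [5.1]\n",  # never patched
}
AUDIT_DATE = date(2016, 11, 20)  # constructed "today" for the sample

def parse_getprop(dump):
    """Turn `[key]: [value]` lines into a dict."""
    props = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props

def patch_age_days(props, today):
    """Days since the reported patch level, or None if none is reported."""
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return None
    return (today - date.fromisoformat(patch)).days

def classify(props, today, max_age_days=90):
    """'current', 'stale' or 'unpatched' against a fleet policy."""
    age = patch_age_days(props, today)
    if age is None:
        return "unpatched"
    return "stale" if age > max_age_days else "current"

def audit(dumps=SAMPLE_DUMPS, today=AUDIT_DATE, max_age_days=90):
    """Map device name -> (Android version, patch age in days, verdict)."""
    report = {}
    for name, dump in dumps.items():
        props = parse_getprop(dump)
        report[name] = (props.get("ro.build.version.release", "?"),
                        patch_age_days(props, today),
                        classify(props, today, max_age_days))
    return report
```

On a real fleet, feed `audit()` the output of `adb shell getprop` from each enrolled device; a device reporting no patch level at all is the case the article describes, not just a slow one.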
So, while a Pixel device may be as secure as the iPhone, I’m afraid the same cannot be said of the rest of the Android devices out there, and this is a very serious problem that Google needs to fix.