# Study finds that neither iOS nor Android is inherently more secure than the other



## editor (Jun 18, 2014)

So there you have it. No phone is safe. Just in case you didn't already know.



> According to the company, both mobile operating systems pose risks to the enterprise, for different reasons.
> 
> “Some people believe that iOS is a more secure operating system than Android. This report maintains that neither iOS nor Android is inherently more secure than the other,” the report reads. “That said, Apple controls app distribution and OS version control in a more secure way, which creates a more secure operating environment than Android. However, the risks to enterprises allowing employees to bring in their own devices, whether iOS or Android-based, are not that dissimilar.”
> 
> ...


----------



## Kid_Eternity (Jun 18, 2014)

Well a little obvious in the post Snowden world. You'd have to be an idiot in this day and age to argue any device or online service is secure. Everything can be hacked or tapped.

(Good to see you getting over your hatred of BGR btw, well done!)


----------



## editor (Jun 18, 2014)

Kid_Eternity said:


> (Good to see you getting over your hatred of BGR btw, well done!)


----------



## souljacker (Jun 18, 2014)

Interesting that a company that produces software that provides Mobile Threat Prevention for the Enterprise would publish a report suggesting that there is a mobile threat to the enterprise.


----------



## editor (Jun 18, 2014)

souljacker said:


> Interesting that a company that produces software that provides Mobile Threat Prevention for the Enterprise would publish a report suggesting that there is a mobile threat to the enterprise.


It's always good to be cynical about these reports and perhaps exaggerate the risk, but do you find anything inaccurate about their findings?


----------



## souljacker (Jun 18, 2014)

editor said:


> It's always good to be cynical about these reports and perhaps exaggerate the risk, but do you find anything inaccurate about their findings?



No, but all the enterprises with a robust security policy aren't letting these devices on their network.

This is a perfectly decent promotion of a quite nifty bit of software but it's just MDM really. Nothing to get excited about.


----------



## elbows (Jun 18, 2014)

editor said:


> It's always good to be cynical about these reports and perhaps exaggerate the risk, but do you find anything inaccurate about their findings?



The headline is misleading, and it's taken from the original report so I would suggest that is misleading too. Immediately before the offending sentence, the full report says something that I am more inclined to agree with:



> It has been said that iOS (the operating system for iPhone and iPad) is inherently more secure than the Android operating system. There is some merit to these claims, but as this report reveals, there are a great many risks to allowing iOS users unfettered access to corporate resources.



But for reasons others have already mentioned, they have an interest in downplaying the start of that paragraph and playing up the latter point. To an extent it's fair enough, as enterprise security is a specific branch but considerations and focus arising from this branch should not be generalised into statements about security as a whole.

For example take a completely different scenario - getting my mum a tablet. As far as her use of the device is concerned, iOS is inherently more secure. Risk vectors remain, but less of them, and she isn't going to jailbreak her device so the emphasis in the report towards that doesn't apply to her.


----------



## 8ball (Jun 18, 2014)

editor said:


> So there you have it. No phone is safe. Just in case you didn't already know.



I think my phone is pretty safe.







It does have Java, mind...


----------



## editor (Jun 18, 2014)

elbows said:


> For example take a completely different scenario - getting my mum a tablet. As far as her use of the device is concerned, iOS is inherently more secure.


Why is that? She's unlikely to start sideloading Android apps or installing weird dodgy apps, so what extra risk would she be at if she just used the mainstream apps?


----------



## elbows (Jun 18, 2014)

editor said:


> Why is that? She's unlikely to start sideloading Android apps or installing weird dodgy apps, so what extra risk would she be at if she just used the mainstream apps?



Depending on which manufacturer's Android device she went for, timely security updates to the OS will be an issue to a greater or lesser extent.

As for apps, the idea that it's just weird, obviously dodgy apps which pose a risk or annoyance is somewhat misleading. Depends what sort of security issues we are talking about. But the example I was thinking of is that several people at work have had to remove intrusive spammy advertising apps from their parents' Android devices.


----------



## editor (Jun 18, 2014)

elbows said:


> Depending on which manufacturer's Android device she went for, timely security updates to the OS will be an issue to a greater or lesser extent.


If she got, say a Nexus, what extra security risk would she be at over an iPad?


----------



## joustmaster (Jun 18, 2014)

editor said:


> If she got, say a Nexus, what extra security risk would she be at over an iPad?


There are a lot more dodgy apps on the Play store than there are on Apple's App Store. Or so it seems to me.

Apple seem a lot more strict about what they let in.

It's no problem for me, but for my baffled-by-technology mother, I'd recommend Apple.


----------



## beesonthewhatnow (Jun 18, 2014)

The app that poses the biggest risk for non tech savvy users is still email. "Click this link to reset your account" etc


----------



## editor (Jun 18, 2014)

beesonthewhatnow said:


> The app that poses the biggest risk for non tech savvy users is still email. "Click this link to reset your account" etc


Indeed.


----------



## editor (Jun 18, 2014)

joustmaster said:


> There are a lot more dodgy apps on the Play store than there are on Apple's App Store. Or so it seems to me.


You really have to dig very hard to find a 'dodgy app' in the Android store, so it's a bit of a total non-argument given the example of someone's Mum using a Nexus for everyday use.


----------



## joustmaster (Jun 18, 2014)

editor said:


> You really have to dig very hard to find a 'dodgy app' in the Android store, so it's a bit of a total non-argument given the example of someone's Mum using a Nexus for everyday use.


You'd be amazed at the rubbish my dad has clogged up his Android tablet with.


----------



## editor (Jun 18, 2014)

joustmaster said:


> You'd be amazed at the rubbish my dad has clogged up his Android tablet with.


Has he been hacked yet?


----------



## elbows (Jun 18, 2014)

editor said:


> If she got, say a Nexus, what extra security risk would she be at over an iPad?



Well by picking a Nexus you've removed one barrier to timely OS security updates, i.e. manufacturers who customise the OS and can be tardy with upgrade timeliness or lose interest in updating the product at all.

However this Nexus stuff still includes a sore point for me, and one of the reasons why I will no longer be an android user by the end of the year. Google decided they couldn't make KitKat available for my Galaxy Nexus phone, and their justification for this (chip driver issues) only serves to highlight the advantage Apple has by being an integrated software & hardware company.

Only time will tell how long Google support the original Nexus 7. It would be slightly unfair of me to compare whatever the eventuality of this is to the fact I am running the iOS 8 beta on an iPad 2, since despite its age Apple were still selling new iPad 2's until very recently. 

I believe malware is a bigger issue for Android than you suggest, but I am very cynical about the way the security industry hype threats, so I won't push this point too far. I will enquire at work as to what exactly the malware apps their parent ended up with were and let you know.

As for the email vector, well. Awareness that security is still an issue on Android and that the device is really a computer, and following on from this the wide range of security-related apps that are available for Android, might actually give Android an advantage on this front, I don't know.


----------



## elbows (Jun 19, 2014)

Oh dear me, I've just been reading about an issue I missed at the time, the bad press Google got for removing an experimental feature that had previously led users to believe Google might sort out granular control of app permissions in Android.

It's been a long time since I talked about this issue, and how the iOS implementation of this stuff was one of the remaining areas where iOS had an obvious advantage over Android. It sounded like Google were going in the right direction and would get there eventually, but apparently not, at least not for now.

Some examples of articles covering the mess from late last year:

http://www.citeworld.com/article/2114400/mobile-byod/android-apps-permissions-reversal.html




> Google's bizarre and patronizing reversal on Android app controls
> 
> Google last week gave a master class in how to alienate users and reinforce the kind of negative perceptions about Android that have slowed its adoption in the enterprise.





> “Permissions in Android is completely broken -- it’s shameful on Google that they don’t have this essential security feature as a user facing proposition, and your desperate attempts to break it for users really makes the entire platform worse. Shame on you.”



And this original source of the complaint:

https://www.eff.org/deeplinks/2013/...cy-features-android-shortly-after-adding-them

And finally a fairly balanced article that explains why this feature isn't the easiest thing for Google to pull off. It is a big change of model and their previous poor choice and related 'developer education' as to how these things work on Android means it will take time to evolve, if the will is even there to implement this.

http://www.cnet.com/uk/news/why-android-wont-be-getting-app-ops-anytime-soon/

It sucks. I can't tell you how much I prefer to download apps for iOS without even thinking about this stuff initially, and then be able to go into settings and clearly see which apps want permission to access different aspects of the system, and switch individual ones on or off. A stark contrast to Android where I'd have to read a load of stuff and choose whether to even install the app or not as a result. And then be hassled later to manually approve app updates where an app's permissions have changed. Tedious crap that no doubt encourages some users to not even bother 'reading the small print'. I wasn't expecting to be able to still have this rant in mid 2014, but there you go, what a joke.


----------



## editor (Jun 19, 2014)

How many regular users do you think are going to be bothered about a 'hidden permissions toggle' feature being turned off? If it bothers you that much, there's a huge community out there that can provide advanced users with all the features they require.


----------



## Kid_Eternity (Jun 19, 2014)

joustmaster said:


> There are a lot more dodgy apps on the Play store than there are on Apple's App Store. Or so it seems to me.
> 
> Apple seem a lot more strict about what they let in.
> 
> It's no problem for me, but for my baffled-by-technology mother, I'd recommend Apple.



Probably true but that doesn't mean the device or the net which they use are any more secure.


----------



## elbows (Jun 19, 2014)

editor said:


> How many regular users do you think are going to be bothered about a 'hidden permissions toggle' feature being turned off? If it bothers you that much, there's a huge community out there that can provide advanced users with all the features they require.



My complaint isn't about what power users can do, it's about the default app permissions model on Android, and Google's failure to implement that stuff properly, i.e. in a mainstream way. The 'hidden stuff' was previously taken as an indication that Google were moving in the right direction, and this stuff would be implemented in a non-hidden way in a future release, but now people aren't sure if Google actually care about doing this or not.


----------



## editor (Jun 19, 2014)

elbows said:


> My complaint isn't about what power users can do, it's about the default app permissions model on Android, and Google's failure to implement that stuff properly, i.e. in a mainstream way. The 'hidden stuff' was previously taken as an indication that Google were moving in the right direction, and this stuff would be implemented in a non-hidden way in a future release, but now people aren't sure if Google actually care about doing this or not.


I'm pretty confident that none of the above is going to trouble the average user in any meaningful way at all.


----------



## elbows (Jun 19, 2014)

Yeah right, encourage the idea that the average user doesn't care at all about what an app can do, and should not be encouraged to take more control of privacy on their devices.

Google's current 'solution' to app permissions encourages people not to care, giving them only the choice to read a load of stuff and decide whether to install the app at all, or completely ignore this important issue. Not good enough, and reinforcing the idea that only 'power users' should care about this stuff is another nail in the coffin of privacy.

Not to mention that sometimes less savvy users have even more desire to have some control over this stuff than ones who are far more comfortable with the tech world. My mum certainly has concerns about privacy, and when I can eventually afford to get her an iPad I'm confident she will understand and make use of the granular app permissions stuff in iOS.


----------



## sim667 (Jun 19, 2014)

Technology not secure shocker.

Next they'll be reporting that pigs can't actually fly.


----------



## Bernie Gunther (Jul 27, 2014)

Some interesting stuff coming out about deliberate backdoors in iOS, presumably for .gov use.


> ... there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don’t belong there.


 http://www.zdziarski.com/blog/?p=3441


----------



## elbows (Jul 28, 2014)

Bernie Gunther said:


> Some interesting stuff coming out about deliberate backdoors in iOS, presumably for .gov use.
> http://www.zdziarski.com/blog/?p=3441



I've not had time to spend hours studying the latest on that one, but very soon after the initial headlines it emerged that various journalists had got the wrong end of the stick. How much they were to blame, rather than the choice of words used by the person who discovered the not-backdoors, I will leave to others to argue about.

http://www.zdnet.com/the-apple-backdoor-that-wasnt-7000031781/



> Last weekend, a hacker who's been campaigning to make a point about Apple security by playing fast and loose with the now widely-accepted definition of "backdoor" struck gold when journalists didn't do their homework and erroneously reported a diagnostic mechanism as a nefarious, malfeasant, secret opening to their private data.


----------



## Bernie Gunther (Jul 29, 2014)

Apple's line is that it's just for diagnostics and their PR machine is pushing that line very hard now. Here's what the author of the paper had to say.



> The paper itself was published in a reputable forensics journal, and was peer-reviewed, edited, and accepted as an academic paper. <snip>
> 
> In this context, what I deem backdoors (which Apple claims are for their own use), attack points, and so on become – yes suspicious – but more importantly abuse-prone, and can and have been used by government agencies to acquire data from devices that they otherwise wouldn’t be able to access with forensics software. As this deals with our private data, this should all be very open to public scrutiny – but some of these mechanisms had never been disclosed by Apple until after my talk.


 http://www.zdziarski.com/blog/?p=3506

Quite a reasonable explanation of the issues on his proof of concept video:


----------



## elbows (Mar 29, 2018)

If anyone remembers threads like these where I went through a period of ranting about lack of granular permissions in Android, well I have very much been reminded of the subject this week.

Google did eventually make their system a bit more granular, but their earlier disregard for issues on this front is very much on display with the Facebook revelations about phone records....



> Call and text history has only ever been uploaded from users of Android devices, since Apple’s iOS operating system does not allow app developers to see that sort of private information.
> 
> Every Android user who did see their communication collected by Facebook has still opted in at least once, however, since they need to give the application permission to access their information. But until very recently, Android’s permissions structure has been extremely vague for end users.
> 
> ...



Facebook logged SMS texts and phone calls without explicitly notifying users


----------



## cybershot (Mar 29, 2018)

FWIW, Apple announced today they will also make all their data on users available to download. I fully expect the file to be considerably smaller than the ones offered by Facebook and Google, and that's without me using Android in 6 years.

Apple to Launch Revamped Apple ID Website That Lets Users Download All Their Data


----------



## alex_ (Mar 29, 2018)

cybershot said:


> FWIW, Apple announced today they will also make all their data on users available to download. I fully expect the file to be considerably smaller than the ones offered by Facebook and Google, and that's without me using Android in 6 years.
> 
> Apple to Launch Revamped Apple ID Website That Lets Users Download All Their Data



The GDPR says they have to do this, this is the law not Apple being nice.

Alex


----------



## cybershot (Mar 29, 2018)

I know, I read the article!


----------



## elbows (Mar 30, 2018)

> *By Rory Cellan-Jones, Technology correspondent*
> What immediately struck me about this leaked memo was the line about "all the questionable contact importing practices".
> 
> When I downloaded my Facebook data recently, it was the presence of thousands of my phone contacts that startled me. But the company's attitude seemed to be that this was normal and it was up to users to switch off the function if they didn't like it.
> ...



Facebook haunted by 'ugly truth' memo


----------

