If iOS is Less Secure, Why Does Android Get Attacked?

Software vulnerabilities are the food that keeps viruses, malware and other attacks alive, right? If that’s the case, you’d expect that the software with the most vulnerabilities would also be the software facing, proportionally, the most attacks.

But data on mobile malware released this week by the security firm Symantec turns those assumptions on their head, and raises important questions about the conditions that contribute to malicious activity.

Symantec Corp.’s Internet Security Threat Report (ISTR) for 2012 was released on Tuesday. Buried among the data on targeted attacks and data breaches is some very interesting data on mobile vulnerabilities and malware. Of 108 new malicious programs for mobile devices identified in 2012, Symantec found, 103 (more than 95%) targeted Android devices. Just one mobile threat targeted Apple’s iOS operating system during the same period.

If you assumed that was because Android was the operating system with the most exploitable vulnerabilities, you would be wrong. In fact, just the opposite is true. It’s Apple’s iOS that was the source of almost all the documented mobile application vulnerabilities among the mobile platforms Symantec monitored, including Android, iOS, BlackBerry, Windows Mobile and the like. iOS accounted for 387 of 415 documented vulnerabilities across all mobile platforms – a bit more than 93 percent, Symantec found.

How can that be? How does the more secure operating system end up being the target of the lion’s share of attacks and malware? Symantec merely notes that most mobile attacks don’t rely on operating system vulnerabilities, therefore there’s no necessary correlation between attacks and exploitable security vulnerabilities.

That’s true, as far as it goes, but I think the folks in Cupertino are missing a bigger point. I think the answer is that cyber “crime” (broadly defined) is at least as complex as real world crime, and its root causes are equally complex. The Symantec data on mobile vulnerabilities and mobile malware suggests that the “broken windows theory” – an oft-cited theory of the causes of criminal and antisocial behavior – may be at work in the mobile device space.

That theory was spelled out in a 1982 article in the magazine The Atlantic by social scientists James Q. Wilson and George Kelling. Kelling was later hired by The New York City Transit Authority in 1985, where the theory inspired future NYTA head William Bratton. He was also hired by the Boston and Los Angeles Police Departments, which were interested in his ideas about stemming crime by ratcheting up policing of “quality of life” crimes like graffiti, fare dodging and – famously – unsolicited “window washing.” Crime rates started going down – and have kept going down ever since.

Now Google is making the mistakes of urban police forces and politicians in the 1960s and 70s, when crime rates took off: turning a blind eye to small security incidents, infractions and abuses. That lax security is attracting the attention of those inclined to do ill, but wary of getting caught.

We’ve already talked about this same principle in the context of the Google Chrome store, but the problem is orders of magnitude worse with Android. For one thing, there are hundreds of millions of individuals around the globe using Android devices. Beyond that, Android devices are likely to hold more sensitive data and applications than you’ll find on the Chrome Web store. Mobile banking and e-commerce applications provide access to bank and credit card accounts, SMS provides a way to siphon money from a user by way of dodgy premium texting services, and then there are the reams of data: e-mail, photos and documents that many smart phone power users are storing.

Google has done a superlative job building a secure operating system to manage all those sensitive applications. Symantec noted only 13 documented security vulnerabilities affecting Android in all of 2012 – a far cry from the 387 found and documented in iOS. The problem for the company is that it made a (bad) decision years ago to cede control over Android to its business partners: the carriers and handset makers that sell mobile phones. That was all in the interest of fostering growth. That strategy surely worked. Around 70 percent of new smart phones shipped globally run Android, compared to 21 percent for iOS. (http://techland.time.com/2013/04/16/ios-vs-android/)

That has meant putting security in the hands of those same business partners, even though they don’t bear any of the costs or reputation damage from hacked or compromised devices. You don’t, after all, read headlines saying that “malware spreading on Verizon phones,” or “malicious apps target AT&T phones.” You hear about attacks on Android. The carrier and handset maker, except in rare cases, don’t warrant mention.

Those partners have turned a blind eye to the kind of basic “policing” that needs to be done to keep the mobile ecosystem safe. While Google reliably pushes out operating system updates, handset makers and carriers drag their feet distributing those updates to vulnerable customers – worried, perhaps, about service disruptions or other support issues that might result. The latest data from Google highlights the challenge facing the company, with just over 16% of Android users running Versions 4.1 or 4.2, the latest versions of the OS, dubbed “Jelly Bean,” more than six months after its release. In contrast, 44% of Android users are still running the “Gingerbread” release – Versions 2.3.3 through 2.3.7, a two-year-old version of the operating system that has known security vulnerabilities. Add to that the proliferation of third party Android application stores, which operate with little or no oversight, and you have a mobile environment with lots of “broken windows.”

Symantec said 2012 saw a 58 percent increase in mobile malware families compared to 2011. Fifty nine percent of all mobile malware to date was discovered in 2012. The number of variants within each family has also increased dramatically, from an average ratio of variants per family of 5:1 in 2011 to 38:1 in 2012. Malware authors, Symantec concluded, are spending more time repackaging or making minor changes to their threats, in order to spread them further and avoid detection. Almost all this malware, it must be noted, is for Android.

The situation has become so pronounced that the American Civil Liberties Union is calling on the FTC to take action against carriers – essentially asking it to force carriers to start patching vulnerable customer devices, or at least allow customers to have a free upgrade to a fully patched device.

Given the FTC’s recent history of rather toothless enforcement, we’re not likely to see multi-billion dollar telecommunications firms and their friends in Congress leap to the task of setting the Android marketplace to rights. Faced with such a diffuse problem, Google may need to take matters into its own hands: fixing the broken windows and cleaning up the virtual abandoned lots in its mobile ecosystem unilaterally to protect its own brand. The company could ban third party application stores, toughen identification requirements for mobile application developers and hammer out agreements with its partners to make sure that operating system updates are available to Android users in a timely manner. Stay tuned.

Sal | April 22, 2013 6:05 pm

The general public is stupid and impressionable. The carriers are putting so much bloatware on these android devices that I returned my galaxy note and got an unlocked stripped down version. Now I’m back to my ios device. I had an HTC advantage smartphone many years ago. It had a 5 inch screen. Wow. People laughed at it then along with the bluetooth headset. I did too. Now cell carriers are selling large screen phones like selling a car with rims worth more than the vehicle itself. 5 inch bigger screens have become socially desirable and fashionable due to marketing taking advantage of average consumers’ displaced senses.

geoff Brunkhorst | April 23, 2013 10:22 am

I find the entire article somewhat biased to presenting 1 position as fact (the current version of iOS is less protective of information compared to current version of Android), yet, then not pointing out that Android AS AN ECOSYSTEM is less secure because the overall method of upgrades and patching is extremely flawed by the carriers.

To borrow a phrase, it’s the system, stupid. If the brakes of a car are superior to another car’s, but the owner of the car has no ability to replace them (no reminder from the car dealer, no dashboard light, no announcement until you press on the brakes and nothing happens) as they age, other than to buy a new car (and my car is working fine thank you), eventually you will crash and die… Yet, the company and the car reviewers claim ‘BEST BRAKES EVER’ as a marketing ploy over the BMW class machine that has 3 overrides to make sure you replace the brakes regularly (free tuneups, phone call reminders of such, and a dash light reminding you your brake pads and calipers need replacing). Which is a more ‘secure’ braking ‘system?’

In short, this is like saying Windows is much more secure than Mac OS X (because of Win8 and IE9), but ignoring the fact most of the attacks are directed against Windows (XP and IE6) because that’s what most people ‘in the field’ are still using.

The problem isn’t with the code, it’s with the ‘system.’ An unpatched system is less secure than a patched one. If the carriers can’t develop a patching/distribution system as effective as their counterparts (e.g. Apple), then the fact of whose current code is more secure is not even valid as evidence… the threat is attacking the weak links, and the weak links are the old versions out there.

There’s an old security saying… I don’t have to run faster than the bear…. I just have to run faster than you. Using a currently versioned iOS device (which pretty much patches itself for me), puts me ahead of 100s of millions of Android 1.x, 2.x, and even 3.x devices.

John | May 24, 2013 3:29 pm

@geoff Brunkhorst
Hmmm… if Apple iOS “patches” itself, seems like it wouldn’t have 387 vulnerabilities. Sounds like Apple isn’t doing a good job of protecting its customers. Sounds like the past is repeating itself again, Apple users don’t have any meaningful data for hackers to go after (i.e. Windows vs. OSx) so Apple OS’s are “perceived” to be the most secure… at least that is my warped impression

Monoculture 2.0: Will Android's Rise Be A Security Nightmare? | The Security Ledger | May 31, 2013 6:24 pm

[...] Malicious activity directed at Android mobile devices doesn’t correlate with Android’s global market share, and it correlated negatively with the availability of exploitable vulnerabilities on Android. In fact, Apple’s iOS was the source of almost all the documented mobile application vulnerabilities among the mobile platforms – 93% or  387 of 415 documented vulnerabilities across all mobile platforms. (I wrote more about this and its implications in a post on Veracode’s blog.) [...]
