With millions of new iOS and Android devices pouring into the enterprise every quarter, it's important to know just how much risk these devices bring, and whether one mobile operating system has an edge over the other when it comes to securing enterprise applications and data.
When just looking at malware trends, the easy assumption may be that iOS is the safer platform. A US Department of Homeland Security and US Department of Justice report published last year, for example, found that only 0.7% of all mobile malware targeted iOS, compared to the 79% that took aim at Android.
But there's much more to securing mobile devices than straightforward malware tallies. In addition to commodity spyware and other forms of malware, enterprises need to be concerned about attacks specifically targeting their users and partners, as well as with staying compliant with numerous industry and government regulations.
That's quite the challenge, but when it comes down to actually protecting enterprise users, is one mobile operating system, Android or iOS, more secure than the other?
Android makes headway
Many contend Apple's mobile operating system is more secure, but Brian Katz, director and head of mobility engineering at Sanofi, doesn't agree. Not completely, anyway. "It's a misnomer to say that iOS is more secure than Android," Katz says. "There are great aspects of iOS security that are built-in, but you still have to take steps to enable those secure features," he says. "You can't just start letting people use iPhones to access enterprise assets and think they are more secure because it's iOS."
Jay Leek, SVP and chief information security officer at The Blackstone Group would agree — somewhat. For a number of years now, the $250 billion (assets under management) private equity firm has supported only iOS for their enterprise mobile devices.
That decision was driven largely by security concerns with the other mobile operating systems, as well as the high level of popularity of iOS with Blackstone's employees. Soon, however, Blackstone's IT team will be initiating support for Android. Not all Android-based devices, but those that have been identified as securable, such as Samsung devices running the Samsung KNOX security platform.
"Whether iOS is more secure than Android is tough to answer. First, it depends on the Android hardware you're comparing it to. Samsung has done the most for Android when it comes to their hardware integrating with some of the Android security hooks. That's why, while we will support Android, we're not going to support Android broadly, we're going to support Android on certain devices," says Leek.
And it's this type of tight hardware integration that gives Apple the advantage, for now. "It only has one hardware platform that's married with the operating system. It's optimized," says Leek.
"There just doesn't exist that level of control with Android manufacturers, and it's something we're very concerned about. Whether it's the integration of the operating system with the hardware, or the applications in the application stores. The concern is about data being siphoned off, having the microphone turned on remotely, or any number of other things that might transpire that the user is not aware is happening," Leek explains.
When it comes to security controls, both Android and iOS have made strides recently in the native security capabilities within their operating systems. For starters, iOS 7 lets enterprises choose which apps must connect through the corporate VPN (per-app VPN), provides enhanced MDM support, turns on data protection by default for data held within third-party apps, supports enterprise single sign-on and provides built-in biometric authentication (Touch ID on the iPhone 5s).
With Android 4.4 (aka KitKat), there is tighter mandatory access control built into the Linux kernel (SELinux now runs in enforcing mode), a warning to the user when a certificate is added to the device store that could allow monitoring of encrypted traffic, Elliptic Curve Cryptography support (ECDSA keys in the Android keystore), and compiler-level help at catching buffer overflows (FORTIFY_SOURCE level 2). Additionally, built on top of the Android operating system are hardware-vendor-supported security capabilities, such as Samsung KNOX. KNOX purports to provide a measured, more secure boot process, creates a trusted container for enterprise-only applications, and ships a security-enhanced kernel (SE for Android). KNOX also limits what features can run within the KNOX-protected area of the device.
"The difference with Android devices is that each manufacturer has their own APIs and they're all managed differently," says Katz. "So there are different calls to get to these unique API's, which means you actually have to work with the different management vendors to make the APIs useful," Katz explains.
This can cause some levels of confusion among the different devices, as well as supporting complex APIs and security controls, says Katz.
The number of security controls, and their granularity, within KNOX is both a pro and a con. "They've done a very, very good job of building controls. But with more than 400 controls and more than 1,000 APIs supporting them, these options can very easily introduce more complexity," he says.
Securing devices going forward
By mid-year Leek hopes to have a mobile device management system in place that will help to enforce security policies on their incoming Android devices. "We will be evaluating mobile applications and taking an inventory of apps on peoples' phones," Leek explains. "We will be testing those apps, and if we find things that are not desirable, or we feel that something is potentially exposing Blackstone, we will take remediative actions until the issue is fixed," he says.
That application vetting won't just be for Android devices, either, but for iOS devices as well. "The same principles need to be applied to iOS. I believe we are less likely to have problems with iPhones, but I wouldn't be surprised if we uncovered a fair amount of security challenges with iOS apps," he says.
Katz would largely agree, and argues that when it comes to allowing mobile devices on the network, it has to be something discerned device by device, or "managed" BYOD. "Certain devices get full access to the environment because of the controls you can have in place, while others would be given limited, or even no, access. That decision would be based on the basic security controls that can be placed on the device," says Katz. "This way people can choose whatever they want, but their access will be limited based upon what device they do choose," he says.
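The "managed BYOD" approach Katz describes, in which access is tiered per device according to the controls that can be placed on it, is easiest to see as a posture check feeding a policy decision. The following is an added illustration, not code from the article, Sanofi or Blackstone. It parses a constructed `adb shell getprop` dump and `getenforce` result into a posture record and maps it to an access tier along the lines discussed above (SELinux enforcing on 4.4+, Samsung as the vetted hardware, iOS 7 for per-app VPN). The property names `ro.boot.warranty_bit` (Samsung's KNOX warranty bit) and `ro.crypto.state`, and the tiering rules themselves, are assumptions chosen for the example; a real MDM would read posture through the vendor APIs Katz mentions.

```python
"""Tiered device access for managed BYOD.

Added example, not from the article. The getprop dumps below are constructed
samples; the property names used for KNOX warranty and crypto state are
assumptions about the device, not a vetted MDM integration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Posture:
    platform: str                 # "android" or "ios"
    version: Tuple[int, ...]      # e.g. (4, 4, 2)
    manufacturer: str             # lower-cased, e.g. "samsung"
    selinux_enforcing: bool
    knox_warranty_tripped: bool   # assumption: Samsung sets ro.boot.warranty_bit=1 after unofficial firmware
    mdm_enrolled: bool
    storage_encrypted: bool       # assumption: ro.crypto.state == "encrypted"


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.4.2' -> (4, 4, 2); anything unparsable -> (0,) so it sorts as old."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text)[:3])
    return parts or (0,)


def parse_getprop(dump: str) -> dict:
    """Parse `adb shell getprop` lines of the form '[key]: [value]'."""
    props = {}
    for line in dump.splitlines():
        m = re.match(r"\[(.+?)\]:\s*\[(.*)\]\s*$", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def android_posture(getprop_dump: str, getenforce_out: str, mdm_enrolled: bool) -> Posture:
    p = parse_getprop(getprop_dump)
    return Posture(
        platform="android",
        version=parse_version(p.get("ro.build.version.release", "0")),
        manufacturer=p.get("ro.product.manufacturer", "").lower(),
        selinux_enforcing=getenforce_out.strip() == "Enforcing",
        knox_warranty_tripped=p.get("ro.boot.warranty_bit", "0") == "1",
        mdm_enrolled=mdm_enrolled,
        storage_encrypted=p.get("ro.crypto.state", "") == "encrypted",
    )


def access_tier(d: Posture) -> Tuple[str, List[str]]:
    """Return ('full' | 'limited' | 'none', reasons). Unknown platforms get nothing."""
    if not d.mdm_enrolled:
        return "none", ["not enrolled in MDM: no policy can be enforced"]
    if d.platform == "ios":
        if d.version >= (7,):
            return "full", ["iOS 7+: per-app VPN and third-party app data protection available"]
        return "limited", ["iOS below 7: no per-app VPN"]
    if d.platform == "android":
        if d.knox_warranty_tripped:
            return "none", ["KNOX warranty bit tripped: boot chain no longer trusted"]
        reasons = []
        if d.version < (4, 4):
            reasons.append("Android below 4.4: SELinux not enforcing by default")
        if not d.selinux_enforcing:
            reasons.append("SELinux not in enforcing mode")
        if not d.storage_encrypted:
            reasons.append("storage not encrypted")
        if reasons:
            return "limited", reasons
        if d.manufacturer == "samsung":
            return "full", ["Samsung on 4.4+ with SELinux enforcing and encrypted storage"]
        return "limited", ["non-Samsung Android: no vetted KNOX-style hardware integration"]
    return "none", [f"unknown platform {d.platform!r}"]


# Constructed sample dumps (not captured from real devices).
SAMSUNG_DUMP = """[ro.build.version.release]: [4.4.2]
[ro.product.manufacturer]: [samsung]
[ro.boot.warranty_bit]: [0]
[ro.crypto.state]: [encrypted]"""

NEXUS_DUMP = """[ro.build.version.release]: [4.4.2]
[ro.product.manufacturer]: [LGE]
[ro.crypto.state]: [encrypted]"""

OLD_SAMSUNG_DUMP = """[ro.build.version.release]: [4.3]
[ro.product.manufacturer]: [samsung]
[ro.boot.warranty_bit]: [0]
[ro.crypto.state]: [unencrypted]"""

IPHONE = Posture("ios", (7, 0, 4), "apple", True, False, True, True)

if __name__ == "__main__":
    for name, posture in [
        ("Samsung 4.4.2", android_posture(SAMSUNG_DUMP, "Enforcing\n", True)),
        ("Nexus 4.4.2", android_posture(NEXUS_DUMP, "Enforcing\n", True)),
        ("Samsung 4.3", android_posture(OLD_SAMSUNG_DUMP, "Permissive\n", True)),
        ("iPhone 7.0.4", IPHONE),
    ]:
        tier, why = access_tier(posture)
        print(f"{name}: {tier} ({'; '.join(why)})")
```

The point of returning reasons alongside the tier is operational: the help desk can tell a user why a device landed in "limited" (no encryption, SELinux permissive) rather than simply refusing it, which is what makes a device-by-device policy workable with real users.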
That's the ideal outcome for enterprises and end users alike: optimal security for enterprise apps and data, and optimal choice in personal devices and applications for users. And with the recent security problems that surfaced around consumer apps like Starbucks and Snapchat, a clear separation between personal apps and enterprise data is necessary before things get much further out of hand.
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.