Updated for 2016-2017
Some of the information in this blog post is outdated. To view an updated version, visit Which Mobile OS is Most Secure; iOS, Android, or Windows? [Updated 2016-2017] on the NextLOGiK Blog.
With the growing popularity of Bring Your Own Device (BYOD) and similar company-wide policies integrating mobile devices into the work day, a question arises about security. Oftentimes, these devices are collecting confidential and sometimes sensitive information, especially when the data being collected involves compliance and regulatory measures.
If you are looking to implement a new solution that includes a mobile application, it’s important to know the security features of each mobile operating system.
We’re not the first to debate this question, and it is ongoing as operating systems grow their number of users. We consulted with our technical director, Jarred, who has over six years of experience in mobile application development across all three operating systems, to weigh in. We also utilized articles published by Mikko Hypponen, the Chief Research Officer of F-Secure, an online security and privacy company based in Helsinki, Finland – he’s a big deal in the mobile security realm.
iOS
iOS is a proprietary operating system that Apple controls, running solely on Apple’s own devices. This plays in iOS’ favor compared to Android’s operating system, which lives on multiple manufacturers’ devices (Samsung, HTC, Google), each with their own standards and approach to security. Apple also has strict requirements for including an app in its store. They check if you are a legitimate business, the fee is much higher than Android or Windows, and they have humans testing each application before it is submitted.
iOS 9
With the release of iOS 9 came better management tools for IT teams. Admins can prompt users to update any device enrolled in the Device Enrollment Program, initiating the download and installation of software updates separately. IT teams can install and update managed apps while restricting general access to the App Store, and can manage apps even after users install them, without reinstalling the app or losing any user data. Also included in iOS 9 are new network policies. Admins can specify how managed apps use networks by restricting the app’s ability to connect over cellular when roaming on other networks.
The ability to further manage company-issued devices gives IT teams the power to set parameters and force updates that include important security releases to better protect corporate data. Per-app VPN ensures separate network pathways for personal and corporate data, while managed open-in prevents corporate attachments from being saved to personal apps or cloud services. Finally, Touch ID and device passcodes further promote security of an organization’s system, apps, and data.
Here’s the whole kit and caboodle on Apple iOS security.
Android
Android operates with open source code, meaning malware is much more common. Compared to Apple and Windows, it is much easier to submit your app and get it accepted into the Google Play Store. There are lower submission fees, no human testing your app, and no checks if you are a legitimate business. Google developed Google Bouncer, a malware scanner, to watch over and scan applications available in the Google Play Store, but businesses were still wary of the Android OS.
Android for Work
To combat these malicious attacks for organizations, Android introduced Android for Work in September of 2015, allowing users to separate work and play. Dual personas are used to keep work and personal applications separate and protect corporate data. It is important to note that not all devices are eligible for dual personas: some manufacturers’ devices do not support encryption, which is required to run the personas. When looking into Android-supported devices, check out the Top Four Android Tips for Better Mobile Security blog post by Search Mobile Computing.
Windows
Windows mobile OS is similar to iOS in that a human reviews and approves all apps submitted to the store, helping prevent malicious applications from gaining access to the Windows Store. Unlike Android, there’s no need to consider dedicated anti-virus and anti-malware software.
Microsoft Enterprise Mobility
Windows OS for organizations is supported by Microsoft Enterprise Mobility. Microsoft Enterprise Mobility protects Microsoft Office email, files and apps, stating on their website that they are the only solution designed to do so. Microsoft’s solution helps minimize the complexity of BYOD by offering mobile device management (MDM) and mobile application management (MAM) both on-premises and in the cloud, all from a single console. Desktop Virtualization allows users to run Windows desktops and applications anywhere and meet changing business needs while safeguarding sensitive corporate resources.
Security is a focus of Microsoft Enterprise Mobility. Advanced Threat Analytics (ATA) helps identify breaches and threats using behavioral analysis and provides a clear, actionable report on a simple attack timeline. ATA continuously learns from the behavior of organizational entities, and adjusts itself to reflect the changes in rapidly-evolving enterprises. As attacker tactics get more sophisticated, ATA helps companies adapt to the changing nature of cybersecurity attacks with continuously-learning behavioral analytics.
And the Winner is…
Windows! It must be noted that currently Windows is the least utilized mobile OS of the three, which definitely plays in its favor as it is less of a target. Mikko stated that Microsoft’s Windows Phone platform is the safest mobile operating system available to businesses while Android remains a haven for cyber criminals.
“Windows Phone’s security model inside is quite restrictive, I think it’s going to take a while before we see Windows Phone being seriously targeted. I could be wrong, but my hunch says it will stay the safest,” said Hypponen.
With its Advanced Threat Analytics model continuously learning the patterns and habits of organizations, the system only gets better with time.
Android’s heightened vulnerability is attributed to Google’s policy of letting third-party stores run on the OS, a popular system for criminals across the world to trick users into installing malware. In 2012, F-Secure saw a 10-fold increase in malicious Android installation files, jumping from 5,000 malicious installation files in quarter two to 51,000 installation files in quarter three.
iOS continues to be the most utilized mobile OS which makes it the primary target for malware and potential threats.
Jarred prefers the Windows store when submitting our applications compared to the Google Play Store and the Apple App Store. Windows still verifies the security of applications with real people testing it, unlike Android, but it is a much quicker process compared to Apple’s, which can take up to two weeks for updates to go live. This can become problematic when we issue new security updates and bug fixes. Windows also conducts random quality control checks of all applications live in the store.
While all three OSes offer the ability for IT teams to control applications and wipe information when a device is lost or an employee is terminated, we are in favor of Windows and its comprehensive Microsoft Enterprise Mobility platform. With the ability to protect and manage iOS, Android, Windows, and Windows 10 apps, this is also the most attractive platform for companies implementing BYOD policies.