SecurityScorecard: Device owner awareness can improve operating system security

There is an ongoing debate as to which popular operating system is more secure. Despite recent claims that Android is more secure than iPhone, any computing device is only as secure as the information security practices maintained by the device owner, according to an expert from SecurityScorecard.

While it is true that Android’s “open-source” operating system allows for a continuously engaged development community, some individuals feel that the proprietary approach taken by Apple is safer, said Alexander Heid, Chief Research Officer at SecurityScorecard. The reason individuals feel this way, according to him, is because “The designs are secret and therefore difficult to examine for vulnerabilities within the core operating system until the code has been released.

(Related: HPE Security Fortify finds security is lacking in DevOps practices)

“There are compelling arguments from the Android community that the proprietary nature of the Apple operating system prevents a comprehensive audit of potential exploitable conditions, and that the open-source Android code allows for vulnerabilities to be identified and fixed before becoming problematic.”

In a Motherboard article by staff writer Lorenzo Franceschi-Bicchierai, he wrote that Adrian Ludwig, the director of security at Android, said the open ecosystem of Android is going to be in a “much better place” long term. This is partially due to Android’s built-in security product called “Safety Net,” which scans 400 million devices per day for vulnerabilities and issues, said the report.

Heid couldn’t speak on the specifics of Android’s built-in security product, but he said a cursory examination of both the iTunes Store and Google Play store reveal that several available applications for both Android and Apple offer “varying level of security checks such as app integrity and firmware version checking.”

Android and iPhone both have capabilities for encryption, and neither recommend “rooting” or “jailbreaking” devices, and both take necessary precautions to avoid the execution of unsigned or unknown applications, said Heid.

“If a user is comfortable with executing an unsigned, unverified, malicious application under the guise of obtaining something ‘free,’ no amount of default protections will secure that individual from eventual compromise,” he said. “On the other side, if a security-conscious user has been duped through a clever ploy into executing a malicious, unverified/unsigned application, then no amount of default protections will secure that individual from eventual compromise, either.”

Ludwig mentioned in Franceschi-Bicchierai’s article that some good news with Android is “It’s almost impossible for someone to target a large number of people at the same time,” and “Mass exploitation is something that I’m not expecting that we’re going to see at any point in the Android ecosystem.”

However, from a researcher’s standpoint, both operating systems are equally as vulnerable as long as there is a global marketplace for zero-day exploits, identify theft, and surveillance technologies, said Heid.

Plus, the public has seen multiple releases of emergency updates for both Android and iOS over the past few years, especially when critical vulnerabilities were exploited by private individuals or organized crime groups. This August, Apple even had to roll out an emergency update for the iPhone after an attempted cyberattack on a human rights lawyer in the United Arab Emirates.

“The security awareness and behavior of the user is what ultimately determines the security of a device,” said Heid.