Android may dominate mobile market share, but it also comes with a host of ills like fragmentation and, more potently, malware. While the mobile malware threat has been surprisingly light to date, that's starting to change. For now, Android is the malware capital of mobile in part because of its popularity and in part because of its more open approach to engineering.
iOS, for its part, is both harder to crack and harder to fix, precisely because it's closed. But according to security expert Eugene Kaspersky, that's bound to change. And when it does, iOS is going to fall hard.
Really, really hard.
Android: Land Of The Free ... And Infected
According to a Juniper Networks report, up to 92% of mobile malware targets Android devices. The FBI and Department of Homeland Security put the number at 79%. Either way, it's a big number, especially as the same FBI/DHS report notes that iOS is a target just 0.7% of the time.
And while malware reports have yet to rock the industry in the same way that the Chernobyl virus (CIH) pounced on Windows 95 back in 1998, it's just a matter of time until mobile malware goes big. According to Kaspersky, founder of a leading security company, "sooner or later we will see a serious problem with security for Android."
Samsung apparently agrees. According to a report in The Wall Street Journal, the leading Android distributor plans to bundle enterprise-grade antivirus software from Lookout with all of its Android devices. This could help resolve some of the issues that Ted Wise calls out:
@mjasay Android doesn’t have malware problems because its less secure. It’s because its not curated and allows side loads.— Charles (Ted) Wise (@ctwise) September 5, 2013
Not everyone agrees that there's an issue. Adrian Ludwig, Android's lead security engineer, insists that "There's not really a significant amount of risk that users are being exposed to" by using Android, and certainly less than they encounter in their day-to-day lives.
Maybe. But Trustwave Holdings, a cybersecurity company, uncovered 200,000 pieces of malware for Google's Android system in 2012, up from 50,000 the year before.
A Free Pass For iOS?
Not that Apple's iOS is in the clear. While Apple's closed approach to development makes it a harder target to crack, this same secretive approach makes it dramatically more vulnerable once iOS' security is hacked.
And it will be, according to Kaspersky, as he told The Wall Street Journal:
[T]he most dangerous scenario, I am afraid, is with iPhones. It's less probable because it is very difficult to develop malware for iPhones, because the [operating] system is closed [for outside programmers]. But every system has a vulnerability. If it happens—in the worst case scenario, if millions of the devices are infected—there is no antivirus, because antivirus companies don't have any rights to develop true end-point security [for Apple].
In other words, there's no problem until there's a problem. And then the problem is huge.
Security By Obscurity ... Discredited?
For years Microsoft and others have touted "security by obscurity" as the ideal way to ensure that systems aren't compromised. But along came open source and Linux and demonstrated that a better way to tackle security is through community response. It's not that Linux is necessarily more secure than Windows (though there is plenty of evidence to suggest this is the case), but rather that when flaws are found, the open-source community responds faster than any one company can, or will.
Android is mobile malware's biggest target, and likely will be for some time. Google has been more open than Apple in allowing third-party developers access to its code. Even so, Android is hardly 100% open, and some of the benefits of an open-source community response to malware threats won't be realized unless Google opens up the process around Android even more.
Apple, similarly, needs to find ways to open its development to antivirus companies, so that they can help the company avoid catastrophic exploits of CIH magnitude. Ultimately, security is a community affair, and both Apple and Google need to invite their respective communities into their security processes.
Image courtesy of Shutterstock