Primer: Why are Androids less secure than iPhones?

In September, Google counted 1.4 billion mobile devices running its Android operating system. With more than 80 percent of the global market share, Android is everywhere. In a popularity contest, Androids would beat iPhones. But are they as secure?

The simple answer is no. There is no single reason Android is less secure than Apple’s iOS, but security researchers point to factors such as its diversity of versions and infrequent security updates.

“Hackers are rational attackers,” says Kevin Mahaffey, co-founder and chief technology officer of Lookout, a mobile security company. They tend to target the most popular software. “If you really care about security, find an Android [hardware maker] that has a commitment to security patches.”

Over the years, people have been able to buy only several hundred different combinations of iOS running on iPhones and iPads (such as the iPhone 6S running iOS 9.2.1 on AT&T), and Apple has retained strict control of security updates. Apple’s path to success is easier than Google’s: The company makes its own hardware and has historically kept tighter reins its carrier partners.

For Android, those pairings are in the hundreds of thousands. About 135,000 different Android pairings, ranging from Samsung’s Galaxy S6 running Android 5.0 Lollipop on Verizon, to LG’s G3 D850 running KitKat 4.4.2 on AT&T, actively run Lookout’s security software, Mahaffey said.

Security updates may not seem like much, but they can be critical to ensuring device security, says Mike Hanley, program manager for research and development at Duo Security. “In addition to larger security exploits like Stagefright, you’re talking about patching 40 or more bugs on every release.”

Without regular security updates, users of the open-source Android are often left in an insecure no man’s land, where they must wait for new security features, as well as fixes to old features. While Android’s fragmented ecosystem of devices, carriers, and versions has driven its popularity, it has also has weakened its security.

IDC: Smartphone OS Market Share 2015, 2014, 2013, and 2012 Chart

In September, Google launched a public effort to push its Android hardware partners and phone carriers, which both have a say in device updates, to push out regular security fixes. And although the company declined to comment for this story, it has committed to monthly security updates on its Nexus line of phones—hardly the most popular Androids out there—in an attempt to improve device security and show manufacturers that users want regular security updates.

Still, some major Android manufacturers, including HTC, have not committed to regular security updates. And it isn’t clear how many carriers are actually releasing them or how many of their Android users are actually installing them.

Bloatware, insecure apps, and other vulnerabilities

There’s more to Android’s security woes than just fragmentation, says Zach Lanier, a director of research at computer security company Cylance and a co-author of the Android Hacker’s Handbook, published in 2014. While the Nexus line of Androids ships as Google intended, many carriers and manufacturers add their own services and third-party apps.

“If I wanted to play ‘Angry Birds: Malware Edition,’ all I’d have to do is check the [Unknown Sources] box, and it’ll run.” — Zach Lanier, co-author of the Android Hacker’s Handbook

These extra services, often derisively referred to as bloatware, increase the ways in which hackers can get into your phone, Lanier says. “How can you trust the supply chain? How do you know that there aren’t backdoors or vulnerable drivers?” he asks. And will carriers push out updates when security problems are found?

Another way Android users unwittingly put themselves at risk is checking a box in their Google Play security settings to allow apps from “Unknown Sources,” Lanier says.

“If I wanted to play Angry Birds: Malware Edition, all I’d have to do is check the box, and it’ll run,” he says.

Duo Security’s Hanley points to problems caused by businesses who want their employees to use their own phones for work. They like not having to pay for employee phones, but they rarely know which phones are running the latest security updates, he says.

“The average IT guy has no idea that these vulnerabilities are in their environment,” he says. And from a corporate perspective, there’s not much that they can do to get phones updated. That may be why Duo sees iPhones used in business environments 2 to 1 over Android: they’re much easier to keep secure.

What you can do you secure your Android device

Although the lack of regular security updates poses the greatest threat to Android users, you can take certain steps to make your Android safer.

• Use a passcode or other screen lock to keep somebody from physically getting at your phone without permission. Choose a passcode that is at least four different numbers, not the same four numbers.
• Turn on full device encryption, so your phone’s contents are protected from spying—currently, it’s activated only by default on the latest devices running Android 6.0 Marshmallow.
• Run an Android security app such as Lookout or Avast Mobile Security and Antivirus. They can sometimes protect against unpatched security holes. (Please note that Avast sponsors this site.)
• Use a virtual private network, or VPN, to protect your phone’s traffic against spying.
• Don’t install apps from Android marketplaces other than the Google Play Store. Don’t  root or jailbreak your phone, either.
• Familiarize yourself with the Android Device Manager, which lets you track your phone if stolen or lost, and wipe it remotely if you can’t retrieve it.

Apple’s control over its closed ecosystem for iPhones and iPads makes it safer in many ways, but that’s changing, says Lookout’s Mahaffey. Malware has gotten through even Apple’s walled garden, he says, and Android security is improving.

Certain Android devices are equivalent to iOS in security, Mahaffey says—”generally the expensive ones: Google Nexus devices, flagship phones from Samsung and Motorola. Basically anybody who’s made a public commitment to patch.”