When members of my team returned from DistribuTECH 2022, they told me they were stunned to find out how many utility workers are being given consumer-grade mobile devices for use in their vehicles, the field, and warehouses. My colleagues who work with retailers, warehouse operators, manufacturers, healthcare providers, and governments say they’re seeing the same trend unfold in those sectors. Workers are being given consumer-grade devices even though such devices are not inherently built for the type of work they’re doing.
What’s driving these decisions?
Misinformation circulating on the internet may be a key contributor – or perhaps a misinterpretation of the information available. It’s not easy to distinguish when recommendations, reviews and ratings are specific to consumer-grade mobile devices versus enterprise-grade devices.
For example, in recent months, I’ve heard numerous people say, “iOS is more secure than Android™.” What’s interesting is that our conversations were occurring in the context of mobile devices for business use – devices that would be used by those who work for governments, energy companies and utilities. These are people who manage sensitive information and systems and must prioritize data and device security. Why is there a belief that iOS devices – made for consumers – would be more secure than Android devices, especially those built and configured specifically for use in enterprise environments where security is a top priority?
Then I did an internet search, asking “Is Android or iOS more secure?” I got a slew of mixed feedback. What I didn’t get is a clear understanding of how enterprise Android devices are different from consumer iOS devices in terms of security – or Android consumer devices, for that matter.
Yet, details matter.
So, I asked Bruce Willins, an engineering fellow here at Zebra, to dispel some of the rumors out there right now in the business community about mobile device and OS security.
Eric: Bruce, I’ll get right to the point, is Android more secure than iOS?
Bruce: In the early days, I contend that iOS was more secure. But today, Android is – in my opinion – equally or more secure.
Eric: Why do you feel Android is more secure?
Bruce: A key advantage of Android is the ability for device manufacturers such as Zebra to incorporate supplemental security features to the base OS. You cannot do this on iOS. With no flexibility in iOS, you are stuck with what Apple provides, which is typically centered around a consumer user experience.
In 2019, Gartner®* released a 72-page report entitled “Mobile OSs and Device Security: A Comparison of Platforms.” The report graded each OS in 32 security categories. What analysts found was that iOS ranked higher than Android in one category, and Android ranked higher than iOS in nine categories. While the results are open to interpretation, they were generated by a reliable, unbiased third party. If anything, the findings start a conversation – or a debate – focused first on the advantages of the Android Open Source Project (AOSP) versus the iOS closed binary platform.
Eric: What are the pros and cons of AOSP and the iOS closed binary platform?
Bruce: With closed binary, you rely on “security by obscurity.” Security pundits do not generally advocate for this strategy. Ever wonder why the U.S. government publishes cryptographic algorithms? Exposing code to public scrutiny ultimately hardens your solution.
Quite often, the conversation transitions to “security updates” in what is now called “patch hygiene,” which is the ability to get timely security patches over an extended period of time. Past Zebra studies have shown that 58% of enterprise customers are looking for a service life of five or more years. Apple devices and iOS updates come from one source, Apple. Android is offered by over 1,300 brands, mainly because it is the #1 mobile OS with over 75% global market share, 2.8 billion active users, and 1 billion units shipped annually.
Now, I want to call out that not all brands operate equally with respect to patch hygiene. So, you can compare the cadence and duration of iOS patches against a lesser Android supplier and say Apple is better. But the result may flip when comparing a premium enterprise Android vendor against Apple. For example, Apple typically supports iOS updates (inclusive of security) on a device for approximately four years. Zebra Android devices typically have security updates for six to 10 years.
Some years back, Apple contended it was more secure because of hardware-backed protection of crypto algorithms and key material. This was the “secure enclave processor” (SEP), which was first released on the iPhone 5S in September 2013. A SEP is an isolated environment in which an attacker cannot obtain secure keys or compromise the cryptographic algorithms even if the main operating system (in this case iOS) is compromised.
Though SEP was first to market, Android platforms soon followed with support for a “Trusted Execution Environment” (TEE). The TEE provides an independent execution environment isolated from the Android Rich Execution Environment (REE) in hardware. It runs a small, hardened OS and its memory is isolated from the REE. Thus, today we find that both platforms have key stores that are protected using dedicated hardware.
Eric: Doesn’t Zebra add security features to its Android releases?
Bruce: Yes, we do. A detailed list is beyond the scope of a blog post, though. In general, Zebra security enhancements focus on defense-in-depth (DID), the principle of least privilege (PoLP), and patch hygiene. DID is the concept of providing multiple layers of security protection, so if one layer is compromised you still have protection. PoLP embraces the concept of minimalization: shut off and/or prevent anything and everything you don’t need. In many instances these are simple on/off controls made available to an enterprise mobility management (EMM) or staging tool. By minimizing functionality, you reduce the “attack surface,” reducing potential attack vectors, or the ways in which you can be attacked.
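The “simple on/off controls” Bruce describes map, on standard Android, to user restrictions and policies that a Device Owner app (the role an EMM or staging tool takes during enrollment) can set through DevicePolicyManager. The following is an added example written for this post, not Zebra’s or Google’s code: it applies a small least-privilege baseline, then reads back which restrictions are actually in force so an EMM check-in can report compliance rather than trusting its own calls. The package name, class names, and the particular set of restrictions are assumptions chosen for illustration; it assumes the app has already been provisioned as Device Owner and that the receiver is declared in the manifest.

```java
// Added example (not Zebra's or Google's code): a Device Owner app applying a
// least-privilege (PoLP) baseline through the standard Android DevicePolicyManager.
// Assumes the app is already provisioned as Device Owner by an EMM or staging tool
// and that LeastPrivilegeAdminReceiver is declared as a device-admin receiver in the manifest.
package com.example.polp;  // hypothetical package name

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

import java.util.ArrayList;
import java.util.List;

public final class LeastPrivilegeBaseline {

    /** Receiver that identifies this app as the device administrator (declared in the manifest). */
    public static final class LeastPrivilegeAdminReceiver extends DeviceAdminReceiver { }

    /** The on/off controls applied; each removes a capability the workflow does not need (assumed set). */
    private static final String[] RESTRICTIONS = {
        UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, // only EMM-pushed or Play-scanned apps
        UserManager.DISALLOW_DEBUGGING_FEATURES,      // no ADB or developer options
        UserManager.DISALLOW_USB_FILE_TRANSFER,       // no bulk data copy over USB (MTP)
        UserManager.DISALLOW_ADD_USER,                // one managed user on the device
        UserManager.DISALLOW_FACTORY_RESET,           // reset only via the EMM, not the user
        UserManager.DISALLOW_CONFIG_BLUETOOTH,        // not needed for this workflow
    };

    /**
     * Applies the baseline and returns the restrictions the platform reports as in force,
     * so the caller can log or report compliance.
     */
    public static List<String> apply(Context context) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(context, LeastPrivilegeAdminReceiver.class);

        // User restrictions require the Device Owner role; a plain device-admin app cannot set them.
        if (!dpm.isDeviceOwnerApp(context.getPackageName())) {
            throw new IllegalStateException("app is not Device Owner; provision it first");
        }

        for (String restriction : RESTRICTIONS) {
            dpm.addUserRestriction(admin, restriction);
        }
        dpm.setCameraDisabled(admin, true);        // example: no camera needed in the warehouse
        dpm.setScreenCaptureDisabled(admin, true); // keep sensitive screens out of screenshots

        // Android 11+ exposes Common Criteria mode as a single switch.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            dpm.setCommonCriteriaModeEnabled(admin, true);
        }

        // Read back what is actually enforced rather than assuming every call succeeded.
        UserManager um = (UserManager) context.getSystemService(Context.USER_SERVICE);
        List<String> inForce = new ArrayList<>();
        for (String restriction : RESTRICTIONS) {
            if (um.hasUserRestriction(restriction)) {
                inForce.add(restriction);
            }
        }
        return inForce;
    }
}
```

The read-back step is the part worth copying: a compliance report built from UserManager.hasUserRestriction reflects the device’s state, so a restriction that was silently rejected (for example on an OS build that does not support it) shows up as missing instead of being assumed present.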
Eric: Recently, my team and I have heard statements like “Android is not secure.” Can you comment?
Bruce: I would probably agree with that if this were 10 years ago, but things have changed tremendously since then. When Android was first released in 2008, it was first and foremost a response to Apple iOS and focused on the consumer market. And, like any successful operating system (OS), it went through growing pains when it comes to security. Quite often, these early security critiques were based on potentially harmful apps (PHAs). This was compounded with a lack of VPN support to protect data in motion (DIM), a lack of encryption of stored data (protecting Data at Rest – or DAR), multiple points of susceptibility to runtime attacks (i.e., buffer overflow) and so on. No one would disagree that Android had security holes.
The 2012 release of Android’s Ice Cream Sandwich OS was the turning point. Additions such as strong password support, Exchange ActiveSync (EAS) policies, VPN support, full device encryption, encrypted key store, SELinux, and address space layout randomization (ASLR) were just a few of the newly introduced security features. At the same time, Zebra – in collaboration with Google – started adding proprietary security add-ons, many of which came from our experience with BlackBerry and Microsoft CE/Windows Mobile. Though proprietary at first, we executed on our original plan, which was to never maintain proprietary features but to work with Google on integrating such features into standard Android.
Since 2012, Google has been diligently strengthening Android security, incorporating Google organically developed features and features from Zebra.
Eric: What specifically has Google done to Android to make it more secure in the last decade?
Bruce: We recently did an analysis of security features added to Android since inception. There are hundreds of them, and even more if you include vulnerability patches – way too many to go through in this conversation. But let’s go through a few examples representative of different types of enhancements:
1. Play Store (2012): Google adds app scanning and analysis to screen out malicious content and later introduces Google Play Protect, which enables device scanning of all apps, even when offline.
2. VPN Support (2012): Full VPN support is added with Android Ice Cream Sandwich (A4.0).
3. SafetyNet/Verify Apps (2012): You can now detect, report, and block potentially harmful apps (PHAs) with Android Jelly Bean (A4.2).
4. Verified Boot (2013): Added as part of a root-of-trust to assure code integrity in Android KitKat (A4.4).
5. Fully Enforced SELinux (2014): Added in Android Lollipop (A5) to prevent privilege escalation and provide more controlled system access controls.
6. TEE Hardware Protected Keystore (2015): In Android Marshmallow (A6), hardware isolated protection of crypto keys and operations becomes available.
7. Address Space Layout Randomization (ASLR) (2011-2017): Runtime attack protection and kernel ASLR are added in Android Nougat (A7).
8. Rollback prevention (2017): It becomes easier to prevent compromising known past vulnerabilities with Android Oreo (A8).
9. Full Disk Encryption/File Based Encryption (2013-2018): Between Android KitKat (A4.4) and Android Pie (A9), Google enhanced the default encryption of the entire data partition and added independent file encryption (AES-256-XTS).
10. Device Owner (2019): With Android Q (A10), it becomes mandatory to use Device Owner to help ensure secure device policy control and management.
11. Common Criteria Mode (2020): There’s a new operational mode intended to increase security (i.e., Common Criteria certification).
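Both the SEP/TEE discussion earlier in the interview and item 6 above come down to the same practical question for an app that protects data at rest: is the key really held in isolated hardware, or did the keystore silently fall back to software? The following is an added example written for this post, not Zebra’s or Google’s code: it generates an AES-GCM key in the Android Keystore and then asks the keystore where the key lives, failing closed if the answer is not a TEE or StrongBox. The package name, class name, and key alias are constructed for illustration.

```java
// Added example (not Zebra's or Google's code): create an AES key in the Android Keystore
// and verify it is held in hardware-isolated storage (TEE or StrongBox) before relying on it
// for data-at-rest protection. Package name and alias are constructed for this example.
package com.example.keystorecheck;  // hypothetical package name

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

public final class HardwareKeyCheck {

    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALIAS = "dar-aes-gcm-v1"; // constructed alias

    /** Creates (or reuses) a 256-bit AES-GCM key whose raw material never leaves the keystore. */
    public static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        KeyStore.Entry existing = ks.getEntry(ALIAS, null);
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setRandomizedEncryptionRequired(true) // keystore enforces a fresh IV per encryption
            .build();
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        kg.init(spec);
        return kg.generateKey();
    }

    /**
     * Returns true only if the keystore reports the key as held in isolated hardware
     * (TEE or StrongBox). A software-backed key can be read by a compromised REE.
     */
    public static boolean isHardwareBacked(SecretKey key) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Android 12+ reports the concrete security level.
            int level = info.getSecurityLevel();
            return level == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
                || level == KeyProperties.SECURITY_LEVEL_STRONGBOX;
        }
        return info.isInsideSecureHardware(); // older API: a single hardware-or-not flag
    }

    /** Usage: fail closed when the device cannot provide a hardware-protected key. */
    public static SecretKey requireHardwareKey() throws Exception {
        SecretKey key = getOrCreateKey();
        if (!isHardwareBacked(key)) {
            throw new SecurityException("keystore key is software-backed; refusing to protect data at rest");
        }
        return key;
    }
}
```

The check matters because the Keystore API looks identical whether the key ended up in the TEE or in software; only KeyInfo tells you which. On a device that cannot satisfy the requirement, failing closed (and reporting it to the EMM) is preferable to storing sensitive data under a key the Rich Execution Environment could expose.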
Eric: Has Android received any security certifications?
Bruce: Yes. Certifications and evaluations have been performed by both Android vendors and Google itself. For example, Zebra Android devices have received FIPS 140-2 and Common Criteria certifications. Most recently, Google engaged NCC Group to review the Android 12 (A12) application programming interface (API) against a Google STIG derived from the Common Criteria Protection Profile for Mobile Device Fundamentals (PPMDF). It reviewed approximately 120 controls and found zero critical, high, or medium issues. There are more certifications as well, but I just wanted to give a couple of examples of why customers should be confident in Android security.
Eric: How does Android security compare to other mobile operating systems today, then?
Bruce: Since Android and iOS make up over 95% of the worldwide market for handheld mobile computers and smartphones, you primarily mean iOS. Given that both OSes have been around for 14+ years, it’s not surprising that there has been a great deal of security feature convergence. And this is not the first time I’ve been asked this question. It is a huge topic, and I suspect we’ll have a follow-on conversation to dig deeper into the details. But here’s what I think is worth noting right now: from a pure vulnerability count perspective for 2021, CVE Details identified 365 iOS vulnerabilities and 572 on Android.
I don’t typically put much weight on these numbers. A higher number could imply a more vulnerable platform or just that a platform is better at concealing vulnerabilities or is not being well vetted. What I take from these numbers is that there are a significant number of vulnerabilities for both OSes and that our customers – and really every business professional – should be extremely vigilant in maintaining, managing, and locking down their mobility solutions no matter which OS they’re running.
In fact, over the past 10 years, Zebra has shipped over 10 million Android devices into every major enterprise vertical from government, healthcare, and finance to transportation and logistics, retail, manufacturing, energy and utilities – and 94 Fortune 100 companies use Zebra devices. And though the track record for our Android devices speaks for itself, we retain a healthy degree of paranoia and humbleness with regard to the security task at hand.
Eric: Any advice for security conscious customers?
Bruce: Yes. No matter which OS you select, remember security doesn’t come free. A 2014 Ponemon study of 518 practitioners found that 52% of respondents sacrificed security for productivity. A Verizon study in 2021 found:
- 76% of respondents were pressured to sacrifice security for expediency.
- 40% viewed mobile devices as the company’s biggest security risk.
- 23% were aware of their company having a device-related security compromise within the past 12 months, with more than half of that 23% stating the compromise had major consequences.
At the end of the day, we are always trying to make security as frictionless as possible, and we make extensive tools to secure our Android platform. But our customers must do their part as well.
Before you choose an OS, always consider:
1. what you are trying to protect (which correlates to the cost of a compromise)
2. what you are trying to protect against (i.e., sophistication of the attacker)
3. what you think is the probability of a malicious entity successfully mounting an attack (part of your risk assessment).
Eric: So, essentially, do your homework before you decide between iOS and Android?
Bruce: Yes. Listen to both sides and evaluate for yourself. Comments made 10 years ago are no longer valid. Google has made great strides to make Android the most secure OS platform.
Gartner, Mobile OSs and Device Security: A Comparison of Platforms, Patrick Hevesi, Published 6 May 2019. “This Gartner report is archived and is included for historical purposes and may not reflect current market conditions.”
*Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.