Android comes out on top for mobile security when looking at features that customers actually value

A recent Omdia survey of nearly 700 enterprise decision makers (undertaken as part of Google-funded research on mobile security) indicated that the three largest security risks are employee behavior, employee-owned devices, and cloud-based third-party apps. These were ranked as the top three security risks by 55%, 46%, and 34% of respondents respectively. The COVID-19 outbreak and subsequent rise in homeworking has amplified these risks, as can be seen in the repeated security concerns raised about Zoom. In such a situation, choosing the correct technology partners is crucial, and the perception of many is that Android as an operating system is more vulnerable than iOS when it comes to mobile security. Our study showed that not only is this untrue, but Android’s security features best match what enterprises care about most.

Omdia asked in the survey what security features these decision makers value most to counter the threats they face and which security services/features they are using and plan to use. Omdia used this information to create a weighted scorecard to compare Android and iOS on the breadth of their security features and to discover whether they are tackling the right problems. The full scorecard is below, but to help explain the methodology, we’ll go into some detail on the three highest-priority security features the survey uncovered: malware protection, phishing protection, and patch management. Malware protection was clearly the most common concern, being the only problem rated in the top five concerns by more than half of respondents, with 61% already using mobile malware protection/detection software and only 6% saying they had no plans to add malware protection.

Malware protection is also probably the biggest difference between Apple iOS and Google Android. Apple’s approach relies on its control as a gatekeeper for apps. The App Store is tightly controlled, and sideloading of apps is prohibited on iOS, which means Apple should have oversight of every piece of software that could be downloaded onto iPhones. Android is more flexible in that it allows sideloading, so instead, Google has dedicated antimalware software baked into the platform in the form of Google Play Protect, which scans devices to ensure that nothing risky has escaped notice.

Anti-phishing measures such as password autofill are baked into both the default browsers on iOS and Android, while both platforms also support two-factor authentication for user accounts, which limits the potential for phishing. Google’s own hardware product line, Pixel, goes a step further with Call Screening and Message Spam Protection, which was introduced as a feature on the Pixel 4 and has since been rolled out to other Pixel devices and made available to other OEMs. These features check incoming calls and messages against a list of numbers known for phishing attempts and can automatically block these intrusions.

For patch management, Apple has a much more streamlined system in place, whereas Android’s patch management requires the device manufacturer’s involvement, which can mean delays to important security updates. Multiple Android brands, such as Google Pixel and HMD’s Nokia-branded smartphones, have made providing rapid, reliable security patching and control a selling point for consumers and enterprises alike.

 

Platform security feature scorecard

| Feature | Weighting (0-1) | iOS score (0-1) | Note | Android score (0-1) | Note |
|---|---|---|---|---|---|
| Verified boot | 0.75 | 1.0 | | 1.0 | |
| Data-at-rest protection | 0.75 | 1.0 | | 1.0 | |
| Data-in-transit protection | 0.75 | 1.0 | | 1.0 | |
| Hardware security | 0.75 | 0.75 | Secure Enclave Processor on all post-2013 hardware | 0.5 | Depends on hardware and manufacturer, but since Android 7, all Android devices require hardware-backed security with at least a TEE |
| Application store security review | 1.0 | 1.0 | | 1.0 | |
| App permission | 0.5 | 1.0 | | 1.0 | |
| App separation | 0.5 | 1.0 | | 1.0 | |
| User separation | 0.5 | 0.0 | iPad feature only | 1.0 | |
| Antimalware | 1.0 | 0.0 | App review process and lack of sideloading limits malware but is not infallible | 1.0 | Google Play Protect provides ongoing malware protection |
| Anti-phishing | 1.0 | 0.75 | Safari has a fraudulent website warning. Apple ID supports 2FA. WebAuthn support added in Sept 2020 with iOS 14 | 0.75 | Safe browsing. 2FA on Google accounts. Support for WebAuthn and FIDO2 since April 2019 |
| OS & security updates (patch management) | 1.0 | 1.0 | | 0.5 | Depends on manufacturer |
| Track/locate/wipe lost device | 0.5 | 1.0 | | 1.0 | |
| TOTAL SCORE | 9.0 | 7.06 | | 7.88 | |
| Percentage | | 78.5% | | 87.5% | |

 

Android outperforms iOS on the scorecard primarily because of Google Play Protect’s ongoing malware protection, which addresses the single most important concern of enterprise customers. Unsurprisingly, iOS has advantages over Android when hardware comes into play because Apple has full control over both hardware and software, but these advantages do not turn out to be as important as many believe.

Google’s own Pixel product line shows just how secure Android hardware can be, providing excellent hardware security and guaranteed quick OS and security updates while also having some additional anti-phishing features such as the aforementioned Call Screening and Message Spam Protection. In fact, Pixel phones get a perfect score on this scorecard.

 

Enterprise security feature scorecard

| Feature | Weighting (0-1) | iOS score (0-1) | Note | Android score (0-1) | Note |
|---|---|---|---|---|---|
| Jailbreak/root detection | 0.75 | 0.25 | | 1.0 | |
| Certificate management | 0.75 | 0.75 | | 1.0 | |
| Device management | 1.0 | 1.0 | | 1.0 | |
| App management | 0.75 | 1.0 | | 1.0 | |
| Management modes (e.g., bring your own device, company owned) | 0.75 | 0.5 | Supports two modes: organization owned and user owned | 1.0 | Supports four modes: BYOD, work-only device, personally enabled work device, dedicated device |
| Enterprise app distribution | 0.5 | 1.0 | | 1.0 | |
| Enterprise wipe | 0.5 | 1.0 | | 1.0 | |
| Enterprise access (VPN) | 1.0 | 1.0 | | 1.0 | |
| Enterprise authentication | 0.5 | 0.75 | Admins can enforce passcode policies for the entire device | 1.0 | Separate work challenge feature |
| Remote audit logging | 0.5 | 0.5 | Limited device details available (i.e., OS details, certs installed, apps installed) | 1.0 | API available to all EMM/MDM vendors |
| TOTAL SCORE | 7.0 | 5.38 | | 7.0 | |
| Percentage | | 76.8% | | 100% | |

 

Android comes out on top again in the enterprise security feature comparison, even though iOS also scored highly on the most important features. For example, while Android’s ability to add a specific password to corporate applications is a best-in-class feature, the difference between it and iOS’s ability to enforce security device-wide appears slim.

Methodology

The scoring is mainly based on two primary sources that detail the security features for each platform, which are listed in the references. The application store security features are detailed on webpages listed in the references. This is supplemented where necessary by examining OS update feature lists, patch notes, and individual hardware product launches, which are listed in the references. Scores were graded on a scale from 0 to 1 with increments of 0.25.

The features were then weighted based on feedback from Omdia survey data where decision makers were asked how important different features were. Weights were assigned on a scale from 0 to 1 with increments of 0.25.

 

References

Apple platform security overview

Apple App store review guidelines

Android Enterprise Security White Paper

Google Play Protect, app review process

Pixel Titan M hardware security

HMD Nokia Smartphone Security Maintenance Release Summary

Google Phone app features (spam protection, caller ID, call screen)

Google Messages app with Verified SMS and Spam Protection