One can only hope that security software provider Trend Micro saw a nice sales boost after the proclamation of its chairman earlier this week that Android phones are more vulnerable to hacking than iPhones are. If it didn’t, those blatantly self-serving statements were made for nothing.
After all, they’re certainly not true. Not only that, but they were made immediately after the company launched its brand-new security software for Android. There’s no way that was a coincidence.
The statements were, however, a classic example of the FUD that’s so often resorted to by companies that earn their bread by instilling fear in the hearts of computer users. Microsoft’s recent anti-OpenOffice.org campaign was one example of such fear tactics used for profit; now, Trend Micro’s little threat is another. Who needs enemies when you’ve got “friends” like these, working to steer you away from free and open source software and toward their expensive products?
Lest anyone get fooled by the dramatic headlines, let’s take a cold, rational look at Android vs. iPhone security.
‘Security Through Obscurity’
“Android is open source, which means the hacker can also understand the underlying architecture and source code,” is what Trend Micro’s Steve Chang originally told Bloomberg Businessweek.
Basically, what he’s doing there is falling back upon the tired old argument–highly popular among closed-source vendors and those that make a living off of their products–that open source software’s openness makes it less secure. It’s called the old “security through obscurity” claim, and those of us who have been watching this industry for more than a few minutes know it well.
“If hackers can’t see the code,” the old argument goes, “then it’s harder for them to create exploits for it.”
The reality, however, is that it just doesn’t work that way–as evidenced by the ever-increasing parade of (often incomplete) patches coming out of Redmond. First, even developers for Windows or the iPhone, say, have to understand the underlying architecture in order to create their applications. It’s by no means a Big Secret.
A Misplaced Trust
Second, no closed-source company’s limited set of developers–each of which is bound to have its own timetable and agenda–can possibly do a better job of finding and eliminating vulnerabilities than the worldwide mass of developers and users, which is who’s at work 24/7 for open source software’s security.
Zooming in more specifically on Android, the software draws many security advantages from the Linux operating system that underlies it. Much the way Linux users are not typically given the “root,” or administrator, privileges that would be required in order for a virus to do widespread harm, so Android apps are isolated in separate “silos,” unable by default to read or write data or code to other applications.
With Android, users are explicitly asked for permissions right up front, when the app is installed. On the iPhone, users can only blindly trust Apple to keep things secure for them–a trust that seems misplaced at best given the threats that have slipped into Apple’s “walled garden” anyway.
‘Most Vulnerable’ of 2010
Then, too, there’s the data.
Security research firm Lookout, for example, recently reported through its App Genome Project that Android applications are more secure than iPhone apps are because they’re less likely to be capable of accessing a user’s contact list or retrieving their location. It also found that nearly twice as many free iPhone apps can access the user’s contact data.
Security firm Secunia, meanwhile, declared that Apple products now have more security vulnerabilities than any others–including even Microsoft’s. Apple, in fact, topped Secunia’s ranking of the top 10 vendors with the most vulnerabilities in 2010.
Even more recently, researcher McAfee fingered Apple products as growing targets for malware this year.