Why Android 5.0 doesn't measure up to iOS 8 security

Google is closing the gap on Apple when it comes to mobile OS security, but Android is still more vulnerable to malware and corporate data loss than iOS.

Mobile OS security is a top priority for enterprise IT shops supporting mobility, which is why Apple and Google have moved to improve data protection in the latest versions of their mobile operating systems.

Although Apple iOS 8 security is more comprehensive, Android 5.0 Lollipop takes steps to reduce instances of malware and protect corporate data more than ever with the new Android for Work program. Let's take a look at how these two popular mobile operating systems (OSes) compare in terms of security.

Apple delivers a locked-down platform

Apple iOS devices benefit greatly from Apple’s tightly controlled approach to platform security. Apple rigorously curates the App Store to detect and reject malware before it gets published. Only apps that Apple certifies are permitted to run on non-jailbroken iOS devices.

Apple also allows for application sandboxing to prevent data sharing -- except through newly introduced iOS 8 content-sharing APIs. Apple iOS 8 still mediates shared content, so that apps are not simply reading and writing to shared storage. So although Apple has opened up iOS a bit more, it’s still not nearly as open as Android. It's a compromise that facilitates more effective usage of third-party apps without throwing the door wide open for malware.

Android, on the other hand, has historically suffered from malware attacks. This trend is partially due to relaxed curation of the Google Play Store, but most Android malware spreads via unofficial third-party app stores. In fact, it’s relatively easy to run non-Play Store apps; users just toggle one device setting to permit sideloading of apps from other sources. Although Android apps also embrace sandboxing, they can share files -- including files stored on removable media, which can be especially malware-ridden.

Google is working to improve Play Store curation, including a recently introduced ratings system and the ability to deploy OS patches through Google Play. Android 5.0 includes SELinux, further tightening the OS against privilege escalation attacks, which allow elevated access to the data, applications and the network. And Android for Work provides IT with the ability to prevent sideloading and install only enterprise-approved apps.

Those steps should help to address malware fears, but if the device is compromised, can organizations still trust Android for Work? Enterprise IT needs time and experience to determine the effectiveness of Android's antimalware upgrades.

Android for Work boosts data protection

Many companies are shifting their focus from managing devices to protecting corporate data, especially data exposed in a bring-your-own-device program. The ability to keep corporate data safe when mobile devices are lost, stolen or otherwise misused is a necessity.

Both iOS and Android allow IT to configure and enforce security policies that require PINs or passwords, enable remote find and wipe, and require virtual private network (VPN) protection for data in transit. But here’s the fundamental difference between the two OSes: Every iPhone and iPad manufactured since 2009 supports hardware-based 256-bit AES encryption, which the end user cannot disable. Android 5.0 supports hardware-based 128-bit AES encryption, but many devices running Android don't support encryption. Furthermore, devices upgraded to Android 5.0 and then encrypted can still return to an unencrypted state via a factory data reset. Android for Work uses secure containers to protect corporate data; however, those containers are only compatible with encrypted devices.

Perhaps just as importantly, both iOS and Android allow IT to control the flow of data between apps on managed devices. Apple’s Managed Open In feature introduced in iOS 7 allows IT-managed apps to share data while still preventing that data from leaking out to unmanaged apps. In iOS 8, IT can use Managed Open In with more content types and managed applications, while administrators have more visibility into -- and control over -- iCloud backup, limiting data copied to iCloud. Android for Work lets IT control the flow of data between managed apps, although the program cannot block data copies from unmanaged apps or synchronization of data with Google cloud storage.

Android remains more challenging to secure because of its open platform and the number of device models that it runs on, but iOS 8 security isn't miles ahead of Android 5.0. Both companies have grown to realize just how closely enterprise mobility and security go hand in hand.
