Google's Schmidt claims Android 'more secure' than iPhone -- is he right?

There's a saying that one should "never let the facts interfere with a good story," and Google chairman Eric Schmidt seems to be putting this into practice with his claim that the Apple [AAPL] iPhone is less secure than Android.

[ABOVE: Apple's ad for the first ever iPhone in 2007.]

Google's new world order of facts

Schmidt was speaking at the Gartner Symposium/ITxpo.

"If you polled many people in this audience they would say Google Android is not their principal platform. When you say Android, people say, wait a minute, Android is not secure," said David Willis, Gartner's chief mobility research analyst.

"Not secure? It's more secure than the iPhone," Schmidt immediately responded, to laughter from the audience, one mostly comprised of CIOs and tech decision-makers.

While most tech-savvy Android users recognize the need to protect their systems with layers of additional battery-draining malware protection apps above the main install, a vast number of users are insufficiently clued-up when it comes to security.

That's inevitable when you consider the nature of the mass market for mobile devices: not everyone in possession of these devices is going to understand the nature of mobile device security. Why should they? Where in Google's Android marketing do they receive any encouragement to be so aware?

[ABOVE: Samsung's ad for its iWatch attempt. Innovative or copycat? Apple must feel so flattered.]

Disaster recovery: who do you trust?

Google's security model is one in which (for the most part) responsibility for device security is passed along to individual users.

Meanwhile there's a growing tidal wave of malware appearing for the platform, as warned in a Department of Homeland Security advisory note. I guess some readers may already trust Google more than Homeland Security, though only one of these bodies is an ad sales company.

Some argue that a problem that hasn't yet transpired isn't a problem at all. They can argue this if they wish.

Those who do argue this should probably explain their logic to the people of Fukushima (which was unprepared for the earthquake that hit it, even though it was in a quake zone), New Orleans (where flood defenses were insufficient) or those impacted by the Deepwater Horizon oil spill.

Merely because something that's likely to happen eventually has not happened yet doesn't mean it won't happen. That a likely cataclysm hasn't happened yet is not security, but complacency.

With tens of millions of Android devices in use, such a cataclysmic event could potentially have as severe an impact on the digital world of mobile devices as those natural disasters above had in the physical world.

Fundamental weakness

In the event such a problem did emerge, the Android ecosystem is fundamentally unable to deliver security updates across all devices on the platform. There's no easily available software upgrade path by which to propagate security upgrades across even all the Android-powered devices that have shipped over the last two years.

This means that when a problem shows itself users will be left on their own to deal with it, with the words of Eric Schmidt echoing in their minds.

The writing is on the wall.

Apple's attitude to security is very different: for example, recent well-publicized revelations of lock screen vulnerabilities within iOS 7 were patched within days by means of a universally available software update.

When Apple delivers a software patch, the patch is made available across all its recent devices, so nearly all the Apple devices sold over the last two years can be secured within a few days. The recently released iOS 7 was installed on 200 million devices within 72 hours.

The Android ecosystem is unable to match this. That's yet another reason so many Android users migrate to the iPhone.

Security redux

Schmidt's partial public comprehension of the facts concerning Android security is just another slice of "don't be evil" dissembling.

He's an intelligent man and even though he's known to hang loose at Burning Man, he's surely not so deluded as to be unaware of what's understood about Android security, for example:

  • Android Malware Fraud ‘Rampant’, TechWeek
  • US government says Android is a malware magnet thanks to OS fragmentation, The Verge
  • Meet the most insidious Android malware yet, CITEworld

It is possible there's another side to this story. Google is fighting back in an attempt to define its platform as secure.

Google’s Android Security chief Adrian Ludwig recently reported data that claimed only an estimated 0.001% of app installations on Android are "able to evade the system’s multi-layered defenses and cause harm to users". (The percentage is tiny but that's still a significant threat in an ecosystem of tens of millions of users, by the way.)

He points to the year-old Verify Apps feature within the OS as evidence of this. While it is good that Google finally grew a little more serious about security so many years after Android shipped, it seems disingenuous to point to one security protocol as proof of platform security.

Don't be complacent

Of course, his arguments are specious to some extent, causing the Macalope to note: "There's a term for blithely taking Google's word on things when it downplays the problem on Android and suggests that iOS is the one with the problem. It's called 'enabling.'"

Even if Verify Apps were in position to protect every Android device (it isn't) and even if every Verify Apps user understood how it worked (they don't), reliance on a single software-based blacklist model of app control isn't reliable enough.

As the Michael on Security blog puts it: "We've seen failures with Bouncer. Who's to say that similar issues won't be seen with Verify Apps? Plus, like I think most security professionals, I prefer multi-level security measures. It's a mistake to rely on one or a limited number of tools to protect our systems."

Schmidt is asking tens of millions of Android device users to rely on one single tool for their protection, even while the malware scourge explodes. Apple's walled garden approach puts all apps through multiple stages of checks, while its ability to swiftly introduce security updates for most recent systems means it remains in a position to control an outbreak should one occur. Android cannot match this.

Ah, but nothing has happened yet, after all, so it must be safe, right?

No wonder the Gartner audience of CIOs laughed at Schmidt. These are people paid to ensure their corporate data is kept safe. They can discern the difference between fact and FUD. They can't afford to allow their corporate data to suffer the digital equivalent of a natural disaster.

Can you?


Copyright © 2013 IDG Communications, Inc.
