The security is in the app store

It's not surprising, then, that security professionals pointed not to Apple's design but to the company's gated App Store and its required code review before publishing as a major security advantage. "The closed ecosystem makes the model pretty safe," says Trend Micro's Genes. "It is not because the iOS is completely safe. From a system design standpoint, Android is safer."
Although security experts question the quality of the review performed by Apple's team -- the company is not transparent about its process -- Apple does seem to catch most of the bad actors, says Accuvant's Miller. "If you are completely security-clueless, you can still download every app out there and be fairly safe," he says.
But Apple doesn't catch all the bad apps. Lookout's Mahaffey points to the Handy Light incident as an example of the ability of applications to slip by Apple's review. In 2010, Apple pulled the flashlight app after it was discovered that hidden features allowed tethering, where a user could connect to the Internet through the phone's network. While the hidden functionality was not malicious for the user, it did undermine AT&T's own service for allowing network access and underscored that hidden, and potentially malicious, functions could get by Apple's review.
"The review process is great, but it is a reminder that we should not treat any one thing as a silver bullet," Mahaffey says.
iOS speeds patches

Patching is another area where Apple has done as well as desktop operating systems and better than its smartphone rivals. Software developers are fairly speedy in patching vulnerabilities in the operating system and popular desktop software. Yet, in rival smartphone OSes, multiple companies must sign off on a patch to the devices. A patch for an Android phone, for example, is created by the developers responsible for the software component -- in many cases, the product of an open source project -- included in an Android build by Google, integrated into Android by the phone manufacturer, and distributed by the carrier.
In a recent paper, two researchers from the Technische Universität Berlin found that vulnerabilities in "feature phones," a step down from smartphones, were rarely fixed. Five-year-old bugs still affected devices that were just a few months old, according to the researchers. Their conclusion: Carriers have the ability to do an over-the-air update for the phones, but such updates are rarely implemented.