Between Apple's App Store curation and the strict enforcement of signed apps, iOS users have enjoyed a largely malware-and-Trojan-free environment -- something that Android can't even approach. Despite its restrictive nature, the App Store process gives the consumer a pretty darned safe (vs. secure) mobile app world to work and play in.
On the other hand, data protection via encryption has been a near-complete failure for iOS. Back when the iPhone 3Gs came out, we got hardware AES-256 encryption. Hooray, said the security world -- until we saw the details. Indeed, today's iOS devices all do whole-disk encryption in addition to encrypting every file on the file system. That encryption is AES-256 performed in hardware. On paper, this sounds military grade, but in practice it's not even comic-book grade, because Apple stores the primary encryption keys (the EMF! and Dkey keys) in plaintext in Block 1 of the solid-state hard drive.
In cases when an attacker has possession of a lost or stolen iOS device, only encrypted files that are further protected with keys derived from the device's unique hardware ID and the user's passcode, such as email, keychains and a few others, are somewhat protected from trivial compromise. But those AES keys can be broken in most cases, since most consumers use nothing more than a four-digit PIN to passcode lock their devices -- and many use nothing at all.
The impact of this is that app developers cannot rely on Apple's otherwise brilliant hardware AES-256 encryption to protect users' files. They too have to invent their own means of protecting data, and that also has predictably random results.
In the end, both platforms have hugely useful features, and consumers are flocking to them by the millions. But declaring a security winner is simply not feasible. Security-minded consumers are forced to choose the lesser of two evils -- which seems highly apropos in this election season.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
Read more about security in Computerworld's Security Topic Center.