Which platform would a typical IT guy be more on guard against?
While Windows has been known for decades to be a hot pot for all PC malware, Android phones are much more ubiquitous and personalized, and (as far as I know) aren’t hardened against malware in any way. I mean, it literally takes just two taps to install a rogue apk and that is notwithstanding that most OEM implementations and apps on the Play Store are ad-ridden privacy nightmares by themselves. At least when it comes to Windows, Administrators have greater control over client machines and can put in restrictions. How would someone handling infosec in an organization control security on people’s personal phones?
That’s a weird question, you are comparing a desktop OS with a phone OS (except you are talking about Windows phones, but I don’t think you are?).
All it takes to kill your Windows installation is double clicking a random .exe file (and being unlucky that Windows doesn’t warn you about this particular file). And nope, if it is a custom program your antivirus won’t detect it either. Every time I hear of a company getting a crypto locker on their systems it was over a Windows PC (mostly by email). I haven’t heard of your average company getting compromised by a phone yet (but those phones usually don’t have network access to shared drives…).
Android is relatively locked down, a lot more than Windows. Even if someone sends you malware per email, there is no easy way to execute it on your phone. It’s also not true that you can just install a rogue APK in two clicks, you have to do the following steps:
- Open the Settings app on your Android device.
- In the Settings menu, tap Apps.
- Tap Special app access (or Advanced > Special app access).
- Tap Install unknown apps.
- Select an app to use to install an APK file—your browser and file management apps are the best option here.
- Tap the Allow from this source slider to allow APK files to be installed via that app.
Definitely not something that happens by accident :)
Overall for your average user I’d say Android is safer.
But a rogue app can take everything from your phone - your pictures, emails, contacts, docs… without anyone being the wiser since there is no Administrator oversight. On organization Windows systems the user at least requires Administrator permission to run anything that can pose a risk, but he could do the same on Android without anyone stopping him. Dumb people will love to download and install Google_Pay_mod_Unlimited_money.apk that could scoop up all data (including company emails, slack, etc that he is running on his phone) and no one would ever know.
Ever heard of .bat files? There is no need for admin rights to steal company and user data. All it takes is opening the wrong file. Windows is also terrible about file names, per default extensions are hidden. So you can have a file named “report.pdf.bat” for example and it will show for most users as “report.pdf” with a funny icon. It’s a terrible default setting security wise.
Btw. you’re still comparing a desktop OS with a phone OS. You have to compare Android with iOS. Or Windows with Linux and macOS.
It depends purely on the user, his or her knowledge, activities, choices.
Really? 😑
Yes, really. I’m glad I helped.
I’d say Windows. Android can be more insecure but the Android ecosystem is so fragmented that it’s difficult to write malware or exploits that are ubiquitous or even work outside a specific Android ecosystem.
Windows is just kinda a hot mess and has tons of legacy stuff that can be compromised. The attack surface is larger on Windows imo.
Don’t all Android systems (at least on the same version) have the same APIs and file systems? Don’t apps made for Android run on all Android devices running the targeted version? Why would the cosmetic layers of adware that OEMs pile on AOSP turn phones into different ecosystems that don’t interoperate?
Well, for example, Android phones need to be rooted for full system access, for example. That’s a series of hoops to jump through. Same goes for installing a malicious .apk. A windows user just needs to click through a AUC prompt and the lovely has keys to the city. That’s before we touch the wonder that is admin PowerShell.
I suppose the ratio of how much knowledge the average person knows about tech to “dangerous” behavior naturally taught by the OS is higher, I suspect, on Windows.
All software is unsafe. Leave behind software. Pure hardware is the future.
Agreed.
Sent from my Typewriter
Agreed
Carved on my Tablet
You’re making some incorrect assumptions about Android. You can absolutely have company-owned Android phones that are enrolled in management systems that lock things down and only allow pre-approved apps. Same as Windows.
Both platforms allow you to assume your users are stupid and force them to be safe, IF you have ownership of the device. Both are as safe or unsafe as you allow them to be.
I mean, it literally takes just two taps to install a rogue apk
Unlike Windows programs that get downloaded & installed willy nilly? The Play Store is at least somewhat vetted and by default you can’t install third party apps.
Mobile Device Management (MDM) tools have come a LONG way in the past decade and are now very good at thoroughly locking down both iOS and Android devices. Any enterprise wanting to ensure the absolute security of their mobile devices can do so with ease.
At least when it comes to Windows, Administrators have greater control over client machines and can put in restrictions.
This hasn’t been true for about 10 years…at least not in the enterprise. Administrators can enforce the same or greater control over client mobile devices using modern Mobile Device Management tools.
How would someone handling infosec in an organization control security on people’s personal phones?
If you take infosec seriously, you aren’t going to let your users have access to any corporate data or systems (and that includes email) using their personal devices. If you must, as a compromise, you’ll restrict that access only to users of iOS or Samsung devices supporting Knox work profile, and then you’ll enable the remote features necessary to monitor and/or wipe everything associated with the work profile in the event the device is lost/stolen or the employee leaves.
Hard to tell, but I would say Windows. It’s easier to fool users to download and run arbitrary executable files like ILOVEYOU.txt.exe on a PC. On Android you need to go through many more hoops and turns to run some unverified executable.
Although Windows is pretty well guarded these days.
Windows has a bunch of warnings if you try to download a virus. It even deletes it so you can’t run it. On stock android, I’ve experienced that it will give you red flags if you try to download any .apk. There are also downright malicious apps in the official Play Store too so downloading the recommended way isn’t safe either. Can’t say too much about Window’s store but idk anybody who actually uses that but I bet there are a couple malicious apps in there also. However, I think Windows has more protections in place out of both of the platforms.
