The company's closed ecosystem is beatable, and Android may well become a more secure system, Sophos says
Apple's approach to security on its mobile devices means it is likely to have a less secure operating system than rival Google within a few years, according to Sophos director of technology strategy James Lyne.
For many years Apple's iOS has been considered a safe operating system, because of the strict checks the company makes on apps before allowing them to go live on its App Store. Additionally, the "walled garden" system means users cannot load unauthorised software onto their device, unless they jailbreak it first.
That is in contrast to Google's more open approach, which lets users install apps from services other than its Google Play app store. With less stringent tests, malware has traditionally been more of a threat to Android users than iOS users.
However, that is beginning to change, according to Lyne, although he points out that at the moment there is no question that Apple has the more secure mobile operating system.
During 2012 there were a couple of cases of malware sneaking into the App Store.
First up was an app called "Find and Call", which uploaded the user's entire contacts book to a server and sent out a text message that encouraged contacts to also download the app. It was also found on the Google Play store and was quickly pulled from both.
The second was a case of Windows malware being found within an app uploaded to Apple's App Store. While harmless to iOS devices, it still raised questions about Apple's vetting process.
James Lyne, director of technology strategy at security firm Sophos, said the cases show that iOS isn't a malware-free zone. He added that Apple's current approach to security isn't as strong as Google's, which has recently announced a clampdown on rogue Android apps.
"I'm quite convinced that over the next couple of years Google will end up with a more secure operating system than Apple, because they are trying to put their hands round it and action it," he said.
"Apple has its head in the sand. So while Apple has undeniably a more secure mobile OS at the moment, these attitudes mean we will see more nasty, high-profile things on Apple," Lyne added.
The industry is already seeing that on Apple's desktop platform. At the end of 2011 a Trojan horse called Flashback was detected that was masquerading as an Adobe Flash Player installation and targeting Apple's Mac OS operating system. Within a few months a variant of the malware had infected 600,000 Macs around the world.
Apple's slow response - it released a patch in April 2012, months after Oracle had fixed the original Java flaw - drew criticism from the security industry. Eugene Kaspersky, founder and CEO of the Russian security company of the same name, said Apple would soon be forced to treat security updates the way Microsoft has been for many years.
"I think they are 10 years behind Microsoft in terms of security," Kaspersky told CBR. "Apple is now entering the same world Microsoft has been in for more than a decade: updates, security patches and so on. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software."