Android Security – Best Ways to

Secure your Android Devices

security is to guard us from the vulnerabilities and danger. And thus,
Android Security is something that protects our Android mobiles from
bugs and unethical access. Also, it improves the working of the
complete Android System and its functionalities.

What is Android Security?

Android Security can be understood as something that is there to protect your
Android devices. Android Security works upon protecting the devices from
bugs and viruses. It even helps in saving the data and maintaining privacy once
the device has been stolen or lost. Google’s Android platforms help us in
protecting Android Devices such as mobiles and tablets that support Android.
This protection is done against the malware attacks and unauthorized access.
Protection against these is important as it may lead in Data or Device loss.
We can ensure the safety of Android even from our sides using Android as
follows:

1. Mobile application security applications, and device lock system.

2. VPN connectivities is another important security aspect as it protects the
data transition.
3. Scanning the websites to avoid the potential phishing schemes and fraud
activities.
4. Finding the lost devices through GPS trackers.
5. There are many security applications available from Google as well as some
third-party vendors. Some of the third-party vendors are Kaspersky, Lookout,
Avast, and Qihu.
Ok, Do you remember noticing your device getting timely prompts to download
new versions of firmwares. You might have thought that they were the latest
Android version updates. Or you might have confused it with some new
features having been added in your device. But, ending up with nothing new
after the download must have let you down. Basically, they were none of the
things that I mentioned above, but the security patch updates. Security patches
were indeed boring to us, but vital to our devices. Okay, so let us get into this
thing called Security Patches, and understand it.

What are Android Security Patches?

To begin, let us understand the term Security Patch. A security patch is
basically a set of changes to a program or its supporting data. This set of
changes is made to fix, update or improve its functions and performance.These
patches work on the vulnerabilities of the devices and try to reduce them. There
are basically two types of bugs/ vulnerabilities that are-
1. The first is the one that causes the software system to behave erroneously. It
makes the software malfunction and shows wrong results to users actions.

For example, consider trying to open a music application, but Call logs get
opened instead. So yes this type of bugs generally create inconvenience to the
users. But, once they get severe they can also leave a deep impact on the
reputation.
2. Another type is the one that actually affects the security of the software.
Along with the software, it also affects the devices on which the software is
installed on.

For example, you can consider the application asking you to enter the
username and password but, as soon as you enter the username, it logs in. This
might sound interesting but it may lead to leaked information and severe
situations later.
So these were the two types, to be more exact, the first category of the bugs
might turn into the second if they are manipulated in such a way. And that is the
reason that security patches are actually important for us and our devices.

Why are Security Patches important

in Android?
So security patches are important because they address the vulnerabilities of
software’s. It is important as it stops cyber criminals from gaining unauthorized
access to our devices and data. Security patches for Operating Systems are
indeed crucial as OS vulnerability can be too bad at times.

Security patches are distributed to all the Android devices in a timely manner.
Thus, there are various different levels of Security patches. You must always
keep your device’s security patch level up to date to ensure it is safe.
SECURITY STANDARDS

During mobile application design, it is important to evaluate and take Pro-active

security measures to mitigate the security risk. The following are some of the
practices that will lead to development of a secure Mobile App:

 Security assessment: It is always recommended to assess mobile devices for known

security risks and vulnerabilities.

 Security policies:

 All mobile devices must be password protected.

 All key applications (such as banking apps) should be password protected.

 All confidential and user data should be encrypted.

 All mobile apps should present the privacy policies, data sharing policies, legal
policies through end-user license agreements.

 Password policies should include length restriction (to at least 8 characters),

complexity (usage of special characters and alphanumeric), password change
frequency and such.

 All major events such as failed login attempts, apps crashes, and system events should
be logged.

 For secured applications and secure functionality, the system should use multi-factor
authentication or mobile device management (MDM) capability.

 Data at rest and in motion should be encrypted using appropriate encryption

standards.

 Various Authentication mechanisms for mobile apps:

 Single factor authentication: Here, user is asked to enter a password

every time the application is started or any secured activity is being

initiated.
  Two factor authentication: The authentication is performed twice, once
with the user credentials and second using the OTP (One time password).

 Single Sign on (SSO): Mobile app is integrated with enterprise SSO

solutions to seamlessly access all secured enterprise applications.

 Other modes of authentication:

 Authentication using popular social channels like Google+,

Facebook, Twitter, etc.

 Authentication using Biometrics for e.g. facial features, speech

patterns, fingerprints, etc.

 The following Information Risk Management (IRM) policies should be

applied:

o Periodic threat and vulnerability assessment of all the applications.

o Remote data wipe methods should be enabled for administrators.

o Mobile device disposal policies should be devised and enforced to

protect the confidential and business critical data.

o Virus and malware scan should be carried out on periodic basis.

o Filters and scanners should be installed to prevent vulnerabilities

such as phishing, data leakage, cross-site scripting, etc.

o Screen locking policies should be enforced.

o Restrict the installation of applications such as Jailbreak to prevent

unauthorized usage.

Mobile Platform Security

The following are the security related practices for securing mobile platform:

 Data Transmission Security - Provide secure connection for end to end

mobile communications.

 Operational Data Security - Minimize exposure of data across all end

points.

 Communication Channel Security - Provide secure communication

channels for transmitting confidential data.

 Application Security - Provide role based access to all functionality and

data and provide access only for authorized roles.

 On-Device Data Security - Encrypt data that resides on the device for
native and hybrid apps.

 Encryption Standards: Use encryption standards such as SHA2 (Secure

Hash Algorithm) to encrypt sensitive information.

All mobile apps should use filters, validations and other secure mechanisms to
address following vulnerabilities:

 Invalidated input

 Broken access control

 Broken authentication and session management

 Cross site scripting (XSS) flaws

 Buffer overflows

 Injection flaws (e.g., SQL injection)

 Improper error handling

 Data under-run / overrun

  Application denial of service

 Insecure configuration management

 Improper application session termination

 Insecure storage and transmission

 Insecure configuration management

 Viewing instructions or code in the server script

 Modification by web page users

 User-entered input used for script code injection

 Access via other non-web-based services

 Dynamic generation of other server-side scripts

 Dynamically generating executable content (beyond HTML)

 Not running as a user ID with least privilege (Running with system

 level privilege)

 Running in a system shell context

Use secure transport layer (SSL/HTTPS) for secured data transmission.

App should not log any sensitive data.

The following practices may be followed for source code security:

 Regular security review of code.

 Secured access controlled source code repository.

 Proper version management and release management processes.

Following are the major threats regarding mobile security −

 Loss of mobile device. This is a common issue that can put at risk not
only you but even your contacts by possible phishing.

 Application hacking or breaching. This is the second most important

issue. Many of us have downloaded and installed phone applications.
Some of them request extra access or privileges such as access to your
location, contact, and browsing history for marketing purposes, but on
the other hand, the site provides access to other contacts too. Other
factors of concern are Trojans, viruses, etc.

 Smartphone theft is a common problem for owners of highly coveted

smartphones such as iPhone or Android devices. The danger of corporate
data, such as account credentials and access to email falling into the
hands of a tech thief is a threat.

Mobile Security - Attack Vectors

An Attack Vector is a method or technique that a hacker uses to gain access to
another computing device or network in order to inject a “bad code” often
called payload. This vector helps hackers to exploit system vulnerabilities.
Many of these attack vectors take advantage of the human element as it is the
weakest point of this system. Following is the schematic representation of the
attack vectors process which can be many at the same time used by a hacker.
Some of the mobile attack vectors are −
 Malware
o Virus and Rootkit
o Application modification
o OS modification
 Data Exfiltration
o Data leaves the organization
o Print screen
o Copy to USB and backup loss
 Data Tampering
o Modification by another application
o Undetected tamper attempts
o Jail-broken devices
 Data Loss
o Device loss
o Unauthorized device access
o Application vulnerabilities
Consequences of Attack Vectors

Attack vectors is the hacking process as explained and it is successful,

following is the impact on your mobile devices.
  Losing your data − If your mobile device has been hacked, or a virus
introduced, then all your stored data is lost and taken by the attacker.

 Bad use of your mobile resources − Which means that your network or
mobile device can go in overload so you are unable to access your
genuine services. In worse scenarios, to be used by the hacker to attach
another machine or network.

 Reputation loss − In case your Facebook account or business email

account is hacked, the hacker can send fake messages to your friends,
business partners and other contacts. This might damage your reputation.

 Identity theft − There can be a case of identity theft such as photo,

name, address, credit card, etc. and the same can be used for a crime.

Anatomy of a Mobile Attack

Following is a schematic representation of the anatomy of a mobile attack. It

starts with the infection phase which includes attack vectors.

Infecting the device

Infecting the device with mobile spyware is performed differently for Android
and iOS devices.

Android − Users are tricked to download an app from the market or from a
third-party application generally by using social engineering attack. Remote
infection can also be performed through a Man-in-the-Middle (MitM) attack,
where an active adversary intercepts the user’s mobile communications to
inject the malware.

iOS − iOS infection requires physical access to the mobile. Infecting the device
can also be through exploiting a zero-day such as the JailbreakME exploit.

Installing a backdoor

To install a backdoor requires administrator privileges by rooting Android

devices and jailbreaking Apple devices. Despite device manufacturers placing
rooting/jailbreaking detection mechanisms, mobile spyware easily bypasses
them −

Android − Rooting detection mechanisms do not apply to intentional rooting.

iOS − The jailbreaking “community” is vociferous and motivated.

Bypassing encryption mechanisms and exfiltrating information

Spyware sends mobile content such as encrypted emails and messages to the
attacker servers in plain text. The spyware does not directly attack the secure
container. It grabs the data at the point where the user pulls up data from the
secure container in order to read it. At that stage, when the content is decrypted
for the user’s usage, the spyware takes controls of the content and sends it on.

How Can a Hacker Profit from a Successfully Compromised Mobile?

In most cases most of us think what can we possibly lose in case our mobile is
hacked. The answer is simple - we will lose our privacy. Our device will
become a surveillance system for the hacker to observer us. Other activities of
profit for the hacker is to take our sensitive data, make payments, carry out
illegal activities like DDoS attacks. Following is a schematic representation.
OWASP Mobile Top 10 Risks
When talking about mobile security, we base the vulnerability types on
OWASP which is a not-for-profit charitable organization in the United States,
established on April 21. OWASP is an international organization and the
OWASP Foundation supports OWASP efforts around the world.

For mobile devices, OWASP has 10 vulnerability classifications.

M1-Improper Platform Usage

This category covers the misuse of a platform feature or the failure to use
platform security controls. It might include Android intents, platform
permissions, misuse of TouchID, the Keychain, or some other security control
that is part of the mobile operating system. There are several ways that mobile
apps can experience this risk.

M2-Insecure Data

This new category is a combination of M2 and M4 from Mobile Top Ten 2014.
This covers insecure data storage and unintended data leakage.

M3-Insecure Communication

This covers poor handshaking, incorrect SSL versions, weak negotiation, clear
text communication of sensitive assets, etc.

M4-Insecure Authentication

This category captures the notions of authenticating the end user or bad session
management. This includes −

 Failing to identify the user at all when that should be required

 Failure to maintain the user's identity when it is required

 Weaknesses in session management

M5-Insuficient Cryptography

The code applies cryptography to a sensitive information asset. However, the

cryptography is insufficient in some way. Note that anything and everything
related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at
all when it should, that probably belongs in M2. This category is for issues
where cryptography was attempted, but it wasn't done correctly.
M6-Insecure Authorization

This is a category to capture any failures in authorization (e.g., authorization

decisions in the client side, forced browsing, etc.) It is distinct from
authentication issues (e.g., device enrolment, user identification, etc.)

If the app does not authenticate the users at all in a situation where it should
(e.g., granting anonymous access to some resource or service when
authenticated and authorized access is required), then that is an authentication
failure not an authorization failure.

M7-Client Code Quality

This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used
categories. This would be the catch-all for code-level implementation problems
in the mobile client. That's distinct from the server-side coding mistakes. This
would capture things like buffer overflows, format string vulnerabilities, and
various other code-level mistakes where the solution is to rewrite some code
that's running on the mobile device.

M8-Code Tampering

This category covers binary patching, local resource modification, method

hooking, method swizzling, and dynamic memory modification.

Once the application is delivered to the mobile device, the code and data
resources are resident there. An attacker can either directly modify the code,
change the contents of memory dynamically, change or replace the system
APIs that the application uses, or modify the application's data and resources.
This can provide the attacker a direct method of subverting the intended use of
the software for personal or monetary gain.
M9-Reverse Engineering

This category includes analysis of the final core binary to determine its source
code, libraries, algorithms, and other assets. Software such as IDA Pro,
Hopper, otool, and other binary inspection tools give the attacker insight into
the inner workings of the application. This may be used to exploit other nascent
vulnerabilities in the application, as well as revealing information about back-
end servers, cryptographic constants and ciphers, and intellectual property.

M10-Extraneous Functionality

Often, developers include hidden backdoor functionality or other internal

development security controls that are not intended to be released into a
production environment. For example, a developer may accidentally include a
password as a comment in a hybrid app. Another example includes disabling of
2-factor authentication during testing.

App Stores & Security Issues

An authenticated developer of a company creates mobile applications for
mobile users. In order to allow the mobile users to conveniently browse and
install these mobile apps, platform vendors like Google and Apple have created
centralized market places, for example, PlayStore (Google) and AppStore
(Apple). Yet there are security concerns.

Usually mobile applications developed by developers are submitted to these

market places without screening or vetting, making them available to
thousands of mobile users. If you are downloading the application from an
official app store, then you can trust the application as the hosting store has
vetted it. However, if you are downloading the application from a third-party
app store, then there is a possibility of downloading malware along with the
application because third-party app stores do not vet the apps.
The attacker downloads a legitimate game and repackages it with malware and
uploads the mobile apps to a third-party application store from where the end
users download this malicious gaming application, believing it to be genuine.
As a result, the malware gathers and sends user credentials such as call
logs/photo/videos/sensitive docs to the attacker without the user's knowledge.

Using the information gathered, the attacker can exploit the device and launch
any other attack. Attackers can also socially engineer users to download and
run apps outside the official apps stores. Malicious apps can damage other
applications and data, sending your sensitive data to attackers.

App Sandboxing Issues

Sandbox helps the mobile users by limiting the resources that an application
uses in the mobile device. However, many malicious applications can overpass
this allowing the malware to use all the device processing capabilities and user
data.

Secure Sandbox

It is an environment where each application runs its allocated resources and

data so the applications are secure and cannot access other application
resources and data.

Vulnerable Sandbox

It is an environment where a malicious application is installed and it exploits

the sandbox by allowing itself to access all data and resources.

Mobile Security - Mobile Spam

You might have received a similar SMS which seemed to be genuine. In fact,
after a bit of analysis, we realize it is not genuine. It is an example of SMS
phishing.
The links in the SMS may install malware on the user’s device or direct them to
a malicious website, or direct them to call a number set up to trick them into
divulging personal and financial information, such as passwords, account IDs or
credit card details. This technique is used a lot in cybercrimes, as it is far easier
to trick someone into clicking a malicious link in the e-mail than trying to break
through a mobile’s defenses. However, some phishing SMS are poorly written
and clearly appear to be fake.

Why SMS Phishing is Effective?

SMS Phishing is successful because it plays with the fear and anxiety of the
users. Irrational SMS instills fear in the mind of the users. Most of the
scenarios have to do with the fear of losing money, like someone has purchased
something using your credit cards.

Other instances include, the fear when an SMS accuses you of doing something
illegal that you haven’t done. Or an SMS regarding the possibility of harming
your family members. of your family, etc.
SMS Phishing Attack Examples

Now let us see a few examples to understand the cases where SMS Phishing
mostly happens.

Example 1

Generally, scammers use email to SMS to spoof their real identity. If you
google it, you may find many legitimate resources. You just google search:
email to SMS providers.

Example 2
The other classical scam is financial fraud which will ask you for PIN, username,
password, credit card details, etc.
Example 3
Spelling and bad grammar. Cyber criminals generally make grammar and spelling
mistakes because often they use a dictionary to translate in a specific language. If
you notice mistakes in an SMS, it might be a scam.
Example 4
SMS phishing attempt to create a false sense of urgency.
Example 5
Cybercriminals often use threats that your security has been compromised. The
above example proves it well. In the following case, the subject says you have won
a gift.

Example 6
In this case, an SMS asks you to reply so that they can verify that your number is
valid. This can increase the number of SMS spams in your number.
Example 7
Spoofing popular websites or companies. Scam artists use the name of big
organizations that appear to be connected to legitimate websites but actually it
takes you to phony scam sites or legitimate-looking pop-up windows.
Prevention and Solutions
In order to protect ourselves from SMS phishing some rules have to be kept in
mind.
 Financial companies never ask for personal or financial information, like
username, password, PIN, or credit or debit card numbers via text message.
 Smishing scams attempt to create a false sense of urgency by requesting an
immediate response. Keep calm and analyze the SMS.
 Don’t open links in unsolicited text messages.
 Don’t call a telephone number listed in an unsolicited text message. You
should contact any bank, government, agency, or company identified in the
text message using the information listed in your records or in official
webpages.
 Don’t respond to smishing messages, even to ask the sender to stop
contacting you.
 Use caution when providing your mobile number or other information in
response to pop-up advertisements and “free trial” offers.
 Verify the identity of the sender and take the time to ask yourself why the
sender is asking for your information.
 Be cautious of text messages from unknown senders, as well as unusual text
messages from senders you do know, and keep your security software and
applications up to date.
Pairing Mobile Devices on Open Bluetooth and Wi-Fi
Connections
Bluetooth is a similar radio-wave technology, but it is mainly designed to
communicate over short distances, less than about 10m or 30ft. Typically, you might
use it to download photos from a digital camera to a PC, to hook up a wireless
mouse to a laptop, to link a hands-free headset to your cellphone so you can talk
and drive safely at the same time, and so on.
To obtain this connection, devices exchange each other’s PIN, but in general as a
technology it is not secure. It is a good practice to repair the devices after a period
of time.

What a hacker can do with a paired device?

 Play sounds of incoming call

 Activate alarms

 Make calls

 Press keys

 Read contacts

 Read SMS

 Turn off the phone or the network

 Change the date and time

 Change the network operator

 Delete applications

Security measures for Bluetooth devices

 Enable Bluetooth functionality only when necessary.

 Enable Bluetooth discovery only when necessary.

 Keep paired devices close together and monitor what's happening on the devices.

 Pair devices using a secure passkey.

 Never enter passkeys or PINs when unexpectedly prompted to do so.

 Regularly update and patch Bluetooth-enabled devices.

 Remove paired devices immediately after use

Mobile Security - Android Rooting

Rooting is a word that comes from Linux syntax. It means the process which gives
the users super privilege over the mobile phone. After passing and completing this
process, the users can have control over SETTINGS, FEATURES, and
PERFORMANCE of their phone and can even install software that is not supported
by the device. In simple words, it means the users can easily alter or modify the
software code on the device.
Rooting enables all the user-installed applications to run privileged commands such
as −
 Modifying or deleting system files, module, firmware and kernels
 Removing carrier or manufacturer pre-installed applications
 Low-level access to the hardware that are typically unavailable to the devices
in their default configuration
The advantages of rooting are −

 Improved performance
 Wi-Fi and Bluetooth tethering

 Install applications on SD card

 Better user interface and keyboard

Rooting also comes with many security and other risks to your device such as −

 Bricking the device

 Malware infection

 Voids your phone's warranty

 Poor performance

Android Rooting Tools

As Android OS is an open source, the rooting tools that can be found over the
internet are many. However, we will be listing just some of them 
#1) Threat Analysis and Modeling
When performing the threat analysis, we need to study the following points most
importantly:
 When an app is downloaded from the Play Store and installed, it may be
possible that a log is created for the same. When the app is downloaded
and installed, a verification of the Google or the iTunes account is done.
Thus a risk of your credentials is landing in the hands of hackers.
 The login credentials of the user (in case of Single Sign-on as well) are
stored, hence apps dealing with login credentials also need a threat
analysis. As a user, you will not appreciate it if someone uses your
account or if you log in and someone else’s information is shown in your
account.
 The data shown in the app is the most important threat that needs to be
analyzed and secured. Imagine what will happen if you log in to your
bank app and a hacker out there hacks it or your account is used to post
antisocial post and that in turn can land you in serious trouble.
  The data sent and received from the web service needs to be secure to
protect it from an attack. The service calls need to be encrypted for
security purposes.
 Interaction with 3rd party apps when placing an order on a commercial
app, it connects to net banking or PayPal or PayTM for money transfer
and that needs to be done through a secure connection.

#2) Vulnerability Analysis

Ideally, under vulnerability analysis, the app is analyzed for security loopholes,
the effectiveness of the counter measures and to check how effective the
measures are in reality.

Before performing a vulnerability analysis, make sure that the whole team is
ready and prepared with a list of the most important security threats, the
solution to handle the threat and in case of a published working app, the list of
the experience (bugs or issues found in previous releases).
On a broad level, perform an analysis of the network, phone or OS resources
that would be used by the app along with the importance of the resources. Also,
analyze what are the most important or high-level threats and how to protect
against the same.

If an authentication for accessing the app is done, then is the authentication code
written in the logs and is it reusable? Is sensitive information written in phone
log files?

#3) Top Most Security Threats for Apps

 Improper Platform Usage: Maltreat of features of the phone or OS like
giving app permissions to access contacts, gallery etc., beyond a need.
 Superfluous Data Storage: Storing unwanted data in the app.
 Exposed Authentication: Failing to identify the user, failing to maintain
the user’s identity and failing to maintain the user session.
 Insecure Communication: Failing to keep a correct SSL session.
 Malicious Third-Party Code: Writing a third-party code which is not
needed or not removing unnecessary code.
 Failure to apply server-side controls: The server should authorize what
data needs to be shown in the app?
 Client Side injection: This results in the injection of malicious code in
the app.
 Lack of data protection in transit: Failure to encrypt the data when
sending or receiving via web service etc.
#4) Security Threat from Hackers
The world has experienced some of the worst and shocking hacks even after
having the highest possible security.

In 2016 December, E-Sports Entertainment Association (ESEA), the largest

video gaming warned its players for a security breach when they found that
sensitive information like name, email id, address, phone number, login
credentials, Xbox ID etc., had been leaked.

There is no specific way to deal with hacks because hacking an app varies from
app to app and most importantly the nature of the app. Hence to avoid
hacking try getting into the shoes of a hacker to see what you can’t see as a
developer or a QA.

#5) Security Threat from Rooted and Jailbroken Phones

Here the first term is applicable to Android and the second term is applicable to
iOS. In a phone, not all the operations are available to a user like overwriting
system files, upgrading OS to a version which is not normally available for that
phone and some operations need an admin access to the phone.

Hence people run software which is available in the market to attain full admin
access to the phone.

The security threats that rooting or jailbreaking poses is:

#1) The installation of some extra applications on the phone.
#2) The code used to root or jailbreak may have unsafe code in itself, posing a
threat of getting hacked.
#3) These rooted phones are never tested by the manufacturers and hence they
can behave in unpredictable ways.
#4) Also, some banking apps disable the features for rooted phones.
#5) I remember one incident when we were testing on a Galaxy S phone which
was rooted and had Ice-cream Sandwich installed on it (although the last
version released for this phone model was Gingerbread) and while testing our
app we found that the login authentication code was getting logged in the log
file of the app.
This bug never reproduced on any other device but only on the rooted phone.
And it took us a week to fix it.

#6) Security Threat from App Permissions

The permissions that are given to an app also pose a security threat.

Following are the highly prone permissions that are used for hacking by
attackers:
 Network-based Location: Apps like location or check in etc., need
permission to access the network location. Hackers use this permission
and access the location of the user to launch location-based attack or
malware.
 View the Wi-Fi state: Almost all the apps are given permission to access
the Wi-Fi and malware or hackers use the phone bugs to access the Wi-Fi
credentials.
 Retrieving Running Apps: Apps like battery saver, security apps etc.,
use the permission to access the currently running apps, and the hackers
use this running apps permission to kill the security apps or access the
information of the other running apps.
 Full Internet Access: All apps need this permission to access the internet
which is used by hackers to communicate and insert their commands to
download the malware or malicious apps on the phone.
 Automatically start on boot: Some apps need this permission from the
OS to be started as soon as the phone is started or restarted like security
apps, battery saving apps, emails apps etc. Malware uses this to
automatically run during every start or restart.
#7) Is Security Threat different for Android and iOS
While analyzing the security threat for an app, QAs have to think even about the
difference in Android and iOS in terms of the security features. The answer to
the question is that yes, the security threat is different for Android and iOS.

iOS is less susceptible to security threat when compared to Android. The only
reason behind this is the closed system of Apple, it has very strict rules for app
distribution on the iTunes store. Thus the risk of malware or malicious apps
reaching the iStore is reduced.

On the contrary, Android is an open system with no strict rules or regulations of

posting the app on the Google Play store. Unlike Apple, the apps are not
verified before being posted.

In simple words, it would take a perfectly designed iOS malware to cause

damage as much as 100 Android malware.