Security Hierarchy

The Quick Version

Windows is a security disaster. iOS, Chrome OS, Amazon Fire and Mac are all very good, but not perfect. Android is a little risky.

As I talk to computer security experts, two points on the list are not much debated: everyone places Windows at the bottom of the list, by a very long way. Everyone agrees iOS has earned its place at the top of the list.

For the others (Chrome OS, Amazon Fire and Mac) we have jolly debates about the order and that's fair enough. The truth is they are secure enough. That's not to say they are perfect (no such thing in security), but they're all good enough to pass the Mom Test.

That leaves Android. I would like that to be on the "good enough" list. There are fantastic machines out there. Ridiculously cheap smartphones with great functionality (like the Moto G), or crazy innovations like the Panasonic Lumix DMC-CM1 (a high-end camera with a phone snuck in the back). But security? It's a bit of a worry. Nowhere near as bad as Windows, but there have been real life nasty infections out there in the wild and once an infection is on an Android device it has more free rein than it would on a "good enough" device. Still, if you don't have the money for an alternative, Android is hard to beat; just make sure you install some anti-virus software.

Security is not the only consideration

With any purchase you make, you are weighing up all sorts of different considerations around price, functionality, reliability and all sorts of other things. iPads/iPhones have earned their place at the top of this list by doing an outstanding job of security in the world of home computing, a world where security is an out of control problem.

However, you might need to have a keyboard and mouse (for example) for what you want to do. Chrome OS can give you that, but it's third on the list for security. Is it a problem? No, not really. It's on the "good enough" list.

Even Windows has its place in the home market, despite its security problems. There are some people who simply have to run hardware and software that demands Windows (see Windows or Not? for more details).

So security is not the only consideration when buying a home computer, but it is very important indeed. Just ask anyone who has had an infection on their computer, there are plenty of people out there to choose from.



But this is all Nonsense!

The slaying of myths and misunderstandings

There's a staggering amount of misinformation and urban myth doing the rounds on the subject of home computers, often nonsense that is most definitely against your best interests. So let's prepare you for when someone "who knows about computers" comes knocking by covering the popular hogwash in advance.

But I have anti-virus!

People often think none of this applies to them because they have anti-virus software. Anti-virus software is not invincible, in fact it's surprisingly vincible. We have a constant stream of PCs coming into the workshop infected with all sorts of junk, and all of them have anti-virus software. A huge industry has been created to exploit this. See Viruses and Junk Software for the details.

It's too small to be safe

There is a definite psychology gap here. When I say to people "if you can choose between an iPhone and a Windows Laptop to do your online banking, always choose the iPhone," they look at me like I'm mad. That softens when I remind them that the reason I am standing in their study is because their Windows Laptop is unusable because of infections and that they've never even heard of anyone getting an infection on an iPad.

The psychology gap happens because the iPhone/iPad and Chromebooks are smaller, therefore it cannot possibly be true that it's better, more clever or safer in some way. Clearly that logic is broken. You can have a massive gaming desktop PC breathing fire and sounding like an aircraft preparing for take off and it can be taken out in seconds by an infection, whilst your little old iPhone 4 will bounce off the best efforts of the entire criminal industry.

The same logic is true on price. Surely a little $200 Chromebook can't be anything but a toy that will break at the first sign of attack? Actually no. It will wipe the floor with the said fire breather. Price has nothing to do with how secure these systems are.



The Geeky Bit

Although this website is aimed at normal folks trying to make sense of the complex world of home computing options, some geeks will read it and I can guarantee some of them will get irrationally upset by this table (read Fanboys to understand why). So this bit is for them. It's a geek's explanation of why the table is listed in the order it is. If you are a normal person you are welcome to read it, but I won't aim it at you, so I might drop in fancy pants technical language from time to time and then proceed to shamelessly not explain what it means. Here we go:

You have no %$£* idea what you're talking about Neil!

Fanboys are so tedious. It's not the fact that they care about their chosen platform, it's that they are so irrational. Platforms come and go, that's one of the lessons you learn if you hang around this industry for enough decades. Any semblance of stability is an illusion. Nothing is truly perfect, nothing is truly poo. Most things that have gained a reasonable amount of market share (everything on this list in other words) have merit in some areas. If I say that your chosen platform is not at the top of the security list, I am not saying that it is a pile of putrid trash in every regard and that your grandmother sells crack to small children, so don't act like that's what I said. Act like a grown up and state your case rationally (if at this point you are a normal person and wondering what on earth this is all about, read my article on Fanboys and be amazed that such people can exist).

What am I going to do about it? List my reasons for ranking each platform where I have and invite fanboys and rational people to comment. If you put up a well thought out argument I will be happy to move things around. 

iPad/iPhone

If I want to write software for iOS I have to register as a developer, cryptographically sign my work, submit it to Apple for them to review what I have done (admittedly that's probably the weakest part of the process because it's tough for other people to work out what code does, but omissions are covered by the other steps). Once it gets on an iPad it runs in a locked down sandbox that means it cannot harm the OS or the other programs on the device. If it's subsequently found to do something bad, Apple have a kill switch they can flick at HQ and it's removed from every iPad in the world (and I would have a lot of explaining to do as to how my stuff happened to be evil. Remember, I had to sign it to prove it was me).

The result is this platform has only ever had one infection outbreak of any size (WireLurker) and that only happened because people in China stopped using the official Mac app store and instead used a local one that served up Malware. The Malware was then able to send some nasties down the USB line when the iPad was plugged in.

The relative number of infected machines compared to the number of infected Windows machines is tiny. How many infected Windows PCs are there in the world today with Viruses and Junk Software? A hundred million? Two hundred million? More? No one knows for sure, but it has to be way up there. The point is the staggering difference in scale. It's just on a different planet.

It's the old gatekeeper problem. By moving to a non standard Mac App store those folks in China moved their gatekeeper from Apple (who are doing a good job of keeping their store clean) to some unknown bloke in China. That's why the hacker had to go after the Mac, not the iPad directly. The users couldn't choose a different app store on iOS (unless they did a jailbreak, but again, that's the gatekeeper problem). I hope Apple make the Mac a system that can only install software from their official app store. Not because I want them to make even more money (which obviously they would), but because I want a strict gatekeeper. iOS has that and it shows in the level of security it provides.

WireLurker reminded us that there is no such thing as perfect security (I have followed with interest the debate about Apple using the wrong elliptic curve algorithms for Keychain and I am irritated that Safari will not enable hard fail on certificate revocation checks and lots of other things that us geeks obsess over). Even with these imperfections the results speak for themselves. Little or no Malware in the app store. Even if it's not perfect, this is a job very well done and it deserves its place at the top of the pile.

Chrome OS

Chrome OS is very locked down. It's just a browser, there is very little for a bad guy to attack. Full marks for their Depthcharge bootloader, which makes sure nothing has been tampered with by the likes of a root-kit.

I would like to say it's equal to iOS, but it's not quite there because I have seen some Junk Software in their extensions library. Nothing really evil, but extensions that cause advertising to pop up instead of the thing you clicked on. I had hoped we had left that behind with Windows, but Google have not been tough enough with checking things in their Play Store.

Like I say, it's not evil stuff, but it knocks them off the top spot. They are still the safest option if you need a mouse and keyboard experience and the automatic continuous backup is second to none because you cannot turn it off by accident or misunderstanding.

Amazon Fire

The Amazon Fire runs a version of Android, therefore it should have the same place on the table as all other Android devices? No. The big difference (with regard to security) between Fire and all the other Android systems is that you can only install apps on the Fire that come from Amazon's app store. Amazon's store is smaller than the main Google Play store and more tightly curated. The bad stuff is just not getting in there.

This can be a frustration if there is some app you would really like to run and you know it's in the Google Play store, but you can't get it on Fire. The upside is I am just not seeing any malware on Fire (I have seen some stuff that's a bit naff, but nothing that's even close to being evil). It's very nicely locked down and has some great innovations in it (on top of the security model). Should it be level with iOS on this table? I am going to say no. Talking to developer friends they have pointed out to me that if Malware gets onto an Android device it has more access to the system than it does on iOS, it's not sandboxed in the same way. That's been great for offering more functionality on Android, but it raises a security problem. Whilst on the system Android malware could plant a root-kit or other bad things. When the app store kill switch is thrown, the malware would go, but the root-kit would be left behind. On iOS the app never gets out of its sandbox. It cannot even see the file system. That can be a pain for a developer because it stops them doing all sorts of things, but it also stops the black hats digging their way into the system.

I am assuming here that Fire works the same way as the underlying Android in this regard, which I think is a valid assumption because if you develop for Android it works on Fire. But it is an assumption (one that I cannot validate from any public source) and if you know better, let me know.

Mac

I know that I will have so upset Apple fanboys by not putting their religion on the top of the list, but I will have also confused them by putting another Apple product on the top of the list. They will look like the head of Janus. Still, there will be plenty for them to get over excited about as I listed Chrome OS and Amazon Fire above the Mac.

Until quite recently this used to be king of the hill for security and it's still very good. It wasn't invulnerable to infections, but it looked that way because for every single infection on the Mac there would be tens of thousands on Windows. There is no doubt that Mac has earned its place on the "good enough" list. I have no problem recommending Macs to people, providing they can afford them. 

People who use Macs often tell me there are no infections on the Mac at all. That's not right and people who think that way are in danger of getting bitten. Want an example? Here goes: Backdoor.Flashback infected about half a million Macs and put them into a botnet. Even Macs inside Apple's own HQ got it. A couple of years later 20,000 Macs around the world were still reporting in for duty on the botnet. OK, I'm being unfair, that's the worst outbreak so far on Macs, but it's not the only one (do a bit of googling to see more). I am not saying Mac is a hot bed of problems (nothing in the league of Windows), but there are infections in the wild and people are getting infected. It's the gatekeeper problem.

Just like the problem I described with Amazon Fire, once bad stuff is on the system it can dig its roots deeply in and be difficult to remove (unlike iOS, where an app is very self contained, it goes on in one lump, it comes off in the same way). It's a tough trade off. If you want a full function computer that can do everything, you have to allow more open ended access, but with that comes security problems.

I expect Mac security to improve over time as Apple seem to be moving to the point where they will only allow you to install software via their app store (just like on iOS). We are not there yet (and I don't believe they have announced it, it just seems to be what they are moving towards) and developers will no doubt kick back because Apple will want their 30% commission for selling in the store, but it might just be what's needed to lock things down.

However, I doubt it will ever be as secure as the iOS, because if malware has access to the computer, even via the app store, if it asks and is given root (not an unreasonable request for software installing from a trusted source) it could plant a root-kit or other nasties, which even if Apple have a kill switch would not be removed. iOS will remain more secure, because it was designed with perfect hindsight with what happened to all the platforms that came before it. Lessons got learnt.

The Mac is the most secure platform if you need a traditional full function computer, it's just not the only option any more and from a security only perspective, systems created more recently have the edge.

Android

Android has two interrelated weaknesses: Firstly Google have been a little slack in letting malicious software into their app store and secondly there is a switch in the settings that lets you download apps from any source you like. The net result: there's bad stuff in the wild on people's Android phones and tablets. Again, it's not as bad as Windows, but it's there and I would recommend using anti-virus software with Android for that reason, especially if you are in the habit of installing apps. Because it powers so many low price devices, it's a shame Google didn't aggressively lock this one down, as Android is selling like hot cakes. The last thing we need is another generation of computers with infections on them.

To be fair to Android, I've never actually seen a real live infected Android device in the wild. I am basing my ranking on this chart on what I have read in the technical press about researchers finding malware. There seems to be no doubt that it exists in the wild today, but it's nowhere near the scale of Windows malware, which I will typically see several times a day on different home computers.

Windows

I cannot imagine that anyone would seriously argue that Windows belongs anywhere on this list except at the bottom. No, hang on, I have heard people say "I don't know what all the fuss is about, I've never been infected". I'm not sure how they would know that statement is true. We have already established that your anti-virus saying you are clean is an indicator, not a guarantee and many folks have root-kits that are invisible to anti-virus software. Although they probably wouldn't express it this way, the argument of these folks seems to be that because they have never seen such things, they don't exist. Clearly they do exist. Enough to support an enormous industry of criminals shifting billions of dollars every year. There is no question that this problem is real and huge. The naysayer's sample size of one doesn't really tell us anything.

Others will say "but my company IT department uses Windows and they know what they are doing". I have devoted a whole article on why that tells you nothing about how safe your home computer will be.

A fair point is that Windows is better than the alternatives for all sorts of reasons that come to the fore if you are trying to do specific tasks, but could you argue that Windows is more secure than the others? Seriously, a plague of Viruses and Junk Software has conclusively proven otherwise. It has earned its place on the bottom of the list.

Why not Ubuntu, Windows Phone, Windows RT etc?

It's true that I haven't listed every possible alternative to Windows on this page or the others. The reason is simple: market share. There are certainly things about Linux that I like and indeed use, I just don't think it's ever going to break out and be a major player. I see a gazillion home computers in my line of work, but I have never seen a single Windows RT machine in the wild. I gave my wife a Windows Phone because I was impressed by it. Unfortunately she gave it back to me within an hour because it was missing a vital feature (doesn't show the caller ID on contacts that you store in sub-folders on your exchange server, in case you were wondering), but whilst we had it, we both thought it was a great bit of kit and an unbelievably low price. If they or Ubuntu, or anyone else, get more market share, I would be happy to include them.

Closed systems are evil!

"I want to break free!" (cue the music from Queen) say the geeks. "I don't like the fact that I jump through hoops to install software I create on the newer platforms. It's a closed system and we tried that in the old days and it created all sorts of problems, which is why Windows and Mac became popular". All good points. It's also true that all security is inconvenient. Next time you come home drunk on a Saturday night and you can't find your front door key, are you going to vow to remove the lock on the door forever? I doubt it. Are you going to remove the password on your bank account because you can't always remember it? Doesn't seem likely.  

When you first create a new technology all the focus is on just making it work. Security is a lesson you learn as bad people attack your creation over time. That's what's happened in the world of home computers. As we move more of our lives online, security keeps getting more important and the old approaches are just not delivering the goods.

This industry is growing up.

Make your case

If you think this list should be different, jump in to the comments below and let me know why. Obviously fanboys will be both ignored and subjected to an ancient magical curse making them smell of overripe cheese (but only when in the presence of people they fancy). I would love to hear from rational people with good points to make, that's always fun and I will be happy to fiddle with the chart and text in the presence of compelling arguments.


Your Comments

Don't be shy, say what you think. The comment system below is there for anyone to ask a question or make a point. Especially don't hold back if you are a normal person just trying to make sense of it all. It's easy to get the opinions of geeks on geeky matters. Much more interesting to hear how this works out for you or what bits need more explanation. No such thing as a silly question, jump in.