There’s a persistent myth about Apple products—that they’re somehow “more secure” than the alternatives. But there’s a glaring flaw in the system: the human using the products.
To keep electronic devices protected from the latest malware schemes, users must regularly update their software to the latest versions or risk leaving themselves open to electronic attack. “Risk” is the operative word in this scenario. Earlier this summer, the Stagefright vulnerability—a computer bug that bad actors could exploit with a single text message to hack nearly 1 billion Android phones—rocked the world of mobile security, and caused Google (GOOG) endless grief. Many industry observers pointed to the inconsistency of updates to Google’s Android mobile operating system. Though Google updates Android regularly, it relies on its often sluggish manufacturing partners to push out fixes through a fragmented ecosystem.
The Google incident (and its fallout) led the mobile security firm Duo Security, which supplies multi-factor authentication technology to customers such as Disney, NASA, and Twitter, to turn the tables and investigate none other than Apple. Sure, Google’s system has issues. But is it really reasonable to think that the Cupertino, Calif. king is irreproachable?
“We felt that not enough attention was getting paid to the state of iPhone updates,” says Mike Hanley, Duo’s lead researcher on the study who joined the company a month or so ago, after serving as an adjunct faculty member at Carnegie Mellon. “The natural assumption is that Apple has fewer software versions and a more tightly controlled ecosystem, so the same problems are not there. That’s not what we found.”
For all the praise Apple’s ecosystem receives, many of its users are no better than Android’s manufacturing partner slowpokes. In a data analysis shared exclusively with Fortune ahead of Apple’s highly anticipated Sept. 9 event—during which the company is expected to unveil iOS 9, its newest operating system—Duo determined that a surprising number of iPhone users are incredibly slow at downloading operating system updates.
Neither Apple nor Google was immediately available to comment. (We will update this story when we hear back.)*
Based on insights from thousands of phones across 150 countries, Hanley’s team found that about half of Apple iPhones on corporate networks run outdated versions of iOS. That means half of iPhone users that access corporate data still run versions prior to iOS 8.4, which was released in April of this year. Therefore, hundreds of security holes have gone unpatched, including the “ins0mnia” flaw, discovered by researchers at the security firm FireEye (FEYE), which allows malicious apps to run unnoticed in the background as they siphon off user data.
“You wouldn’t let a chief financial officer log into a corporate network with an obsolete version of Windows XP,” says Zack Urlocker, Duo’s chief operating officer, referencing Microsoft’s (MSFT) since-deprecated desktop operating system, a historically common computing platform for businesses. “So there’s a bit of a double standard that starts to emerge with mobile devices.”
Here’s another alarming Duo finding: 31% of iPhones are still running iOS 8.2, several versions behind. On these devices, more than 160 security vulnerabilities have yet to be patched. (Apple’s own developer page argues that 14% of devices that connect to its App Store use versions older than iOS 8 as of Aug. 31, 2015. It does not break down software versions [e.g. iOS 8.x] beyond that.)
Hanley says that operating system updates are far too easy for users to ignore. “The only thing I have is a little red notification circle with a number one in the update menu next to 3,000 unread emails and five new podcasts,” he says. “Once I dismiss it the first time—out of sight, out of mind.”
When asked whether better design on Apple’s part could help alleviate the issue, Hanley quickly adds that this is no fault of Apple’s, but is rather a problem related to user education.
Sometimes “in-between” iOS updates can get lost in the noise, Hanley says. When Apple isn’t adding brand new features—like Apple Music—in a major iOS overhaul, it can be easy for a user to pay less attention to the upgrade. These tweaks often bear critical security fixes, however.
Pressed about whether Apple could do more to prompt users into downloading updates, Hanley remains firm. He says that companies need to instruct employees about the need to keep up their security hygiene and regularly check for updates. Having enough storage space to execute the upgrade as well as being connected to Wi-Fi can be obstacles too, Hanley adds.
From the data, it’s clear that Apple’s update process—while better than Android’s (Duo estimates that 80% of Android users are not updated to Android 5.1, the latest version, which was released in March of this year)—is not perfect. There are too many stragglers. Five days after iOS 8.4.1 shipped, only 9% of iPhones had been updated to the latest software, leaving more than 70 bugs in the wild on unpatched devices, according to Duo’s analysis. Apparently, iPhone users aren’t in such a hurry to apply fixes.
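As an added example that is not part of the article or of Duo’s analysis: the kind of baseline check an enterprise could run over its own device inventory, flagging iPhones below a patched iOS version (the 8.4 and 8.4.1 thresholds the article cites) and summarising the outdated share. The inventory records and device ids are constructed for illustration; dotted versions are compared numerically, since a plain string comparison would misorder them.

```python
from collections import Counter


def parse_version(s):
    """Turn 'iOS 8.4.1', '8.4.1' or '8.4' into a comparable tuple such as (8, 4, 1).

    Versions are padded to three components so that 8.4 == 8.4.0.
    """
    s = s.strip()
    if s.lower().startswith("ios"):
        s = s[3:].strip()
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


def canonical(s):
    """Normalise a version string for grouping, e.g. 'iOS 8.4' -> '8.4.0'."""
    return ".".join(str(p) for p in parse_version(s))


def is_outdated(device_version, baseline):
    """True when the device runs anything older than the patched baseline."""
    return parse_version(device_version) < parse_version(baseline)


def audit(records, baseline):
    """records: iterable of (device_id, version). Returns a summary dict."""
    records = list(records)
    outdated = [dev for dev, ver in records if is_outdated(ver, baseline)]
    total = len(records)
    return {
        "total": total,
        "outdated": outdated,
        "outdated_pct": round(100.0 * len(outdated) / total, 1) if total else 0.0,
        "by_version": dict(Counter(canonical(ver) for _, ver in records)),
    }


# Constructed sample inventory (hypothetical device ids; "8.10" is a made-up
# version included only to show why lexical comparison would be wrong).
SAMPLE_INVENTORY = [
    ("ip-001", "iOS 8.4.1"), ("ip-002", "8.2"), ("ip-003", "8.4"),
    ("ip-004", "8.3"), ("ip-005", "8.1.2"), ("ip-006", "8.4.1"),
    ("ip-007", "7.1.2"), ("ip-008", "8.10"),
]

if __name__ == "__main__":
    summary = audit(SAMPLE_INVENTORY, "8.4.1")
    print(f"{summary['outdated_pct']}% of {summary['total']} devices are below "
          f"8.4.1: {', '.join(summary['outdated'])}")
```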
Of course, mobile malware still remains less of a problem than the desktop variety. A report from Verizon (VZ) this year says that “data involving mobile devices should not be in any top-whatever list.” It goes on: “This report is filled with thousands of stories of data loss—as it has been for years—and rarely do those stories include a smartphone.”
In fact, even where mobile malware does exist, it overwhelmingly affects Google’s less locked-down operating system. Verizon cites FireEye (FEYE) research that found that 96% of mobile malware targets Android. That’s in line with Verizon’s own findings, the report says.
Nevertheless, mobile devices are devouring the world of personal computing. And digital thieves are taking note. So when Apple unveils its newest operating system—iOS 9—at its Sept. 9 event this week, don’t dawdle.
The sooner you upgrade, the safer you’ll be.
*Update: Google has supplied Fortune with the following statements:
“Based on our research, fewer than 1% of Android devices had a Potentially Harmful App (PHA) installed in 2014, and fewer than 0.15% of devices that only install from Google Play had a PHA installed.”
“Security has always been a major focus for Android and Google Play: Android was built from day one with security in mind. But, we can always do more – which is why in August and moving forward, Nexus devices receive regular monthly updates that are purely focused on security to keep users safe. The first one of these updates rolled out on Wednesday, August 5th to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player and includes fixes for the libStageFright issues. And, this has led the way for partners too.”