Apple vs. Google: The Security Differences You Need to Know

Tony Zhan checks out his new iPhone 6 Plus outside the Apple store in Pasadena, California on the first day of sale, September 19, 2014.

Robyn Beck/ AFP/ Getty Images

Apple has made a point of emphasizing security and privacy when it talks about its iOS mobile operating system. But Google is making headlines for a move it made to undermine one for the security features of Apple’s forthcoming iOS 9, and in the process, is exposing some key differences in how the two tech giants handle security.

iOS 9, the new version expected to launch in a matter of weeks, offers a new feature called App Transport Security (ATS), which will require iOS app developers to use an advanced security protocol to protect communication between an app and any web servers it needs to contact. Apple’s documentation explains that the new feature consists of “default connection requirements that conform to best practices for secure connections.” The company also explains that apps can override this default behavior to turn off transport security or to specify exceptions.

But as Re/Code’s Mark Bergen reports, when app publishers that aren’t running the protocol meet Apple’s new encryption, their mobile ads won’t run. So Google, which has drawn criticism for prioritizing advertising over security, published a post on its Ads Developer Blog, explaining to developers how to disable Apple’s encryption by adding an exception “that allows HTTP requests to succeed and non-secure content to load successfully.”

The workaround is described as a short-term fix, and Google explains that while it’s committed to the industry-wide adoption of HTTPS, “there isn’t always full compliance on third-party ad networks and custom creative code served via our systems.” While disabling the protocol doesn’t appear to violate Apple’s rules, Google’s post drew criticism from those in the security world. The company later updated its post to clarify that “developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful.”

Rene Ritchie reports for iMore that “what Google could have done, and arguably should have done,” in offering developers help with ATS was to help them configure their apps in such a way that traffic between apps and web servers remains secure, while making the ads secure, as well. “Instead,” Ritchie writes, “Google simply told them how to turn it all off. Private data connections and ads, all of it. It’s the easiest approach but also the laziest and worst approach for users.”

Because ATS is new with iOS 9, it will inevitably cause some headaches for developers with outside content, like ads, to deal with. “But that doesn’t mean the privacy and security baby should be thrown out with the bathwater,” Ritchie notes. “Everyone is stressed and rushed leading up to a launch, so if a company like Google recommends an easy out by just shutting security down, that out is more likely going to be taken.” He adds, “once security and privacy is turned off, there’s a good chance they’ll stay that way.”

Google is a big proponent of Internet security, and both Apple and Google are moving toward the same security goals. But as Bergen points out, Google wants to figure out a compromise when ads and security clash because Google is an advertising company. Apple isn’t. That’s, ostensibly, where their priorities differ — but not as much as you might expect them to.

Walt Mossberg reported for Re/Code that the assurances that Apple made about privacy at this year’s Worldwide Developers Conference “escalated a recent campaign to emphasize that the tech giant stands for privacy — and that, by implication, Google does not.” But Apple’s arguments aren’t airtight, and Mossberg notes that its marketing of privacy as a new, key products conveniently coincides with the fact that Apple makes money by selling devices, not by selling advertising.

However, Apple’s intentions aren’t all noble.As The Cheat Sheet recently reported, Apple’s addition of a usage policy and API’s for content-blocking extensions — which seems like a win since it will enable users to protect themselves against tracking-based advertising –benefits few parties but Apple itself. Apple is enabling iOS developers to create content-blocking apps, but because these apps will block web ads from loading, the move puts advertising targeted to iOS users completely under Apple’s control.

If content-blocking apps catch on, publishers will be forced toward Apple’s new News app, where users can’t block ads and Apple gets a cut of all of the advertising, which is handled by Apple’s iAd network. Or, publishers can choose not to use News, but to create a third-party app where, again, they’ll need to use iAd to monetize their content.

While Re/Code reports that Apple chief executive Tim Cook says that iAd “doesn’t get data from Health and HomeKit, Maps, Siri, iMessage, your call history, or any iCloud service like Contacts or Mail, and you can always just opt out altogether,” it wouldn’t be as accurate to say that Apple prioritizes security over advertising as it would be to say that Apple prioritizes advertising placed within its own ecosystem over advertising served by third parties. That puts Apple on a collision course with Google, and highlights the fact that the difference between Apple and Google’s security priorities is more practical than ideological.

More from Gear & Style Cheat Sheet: