Android vs iOS: Which Is More Secure?

By Ava McKinneyOnline Safety

Android vs iOS: Which Is More Secure?

The title might sound strange, right? You might think the author has lost it for even considering comparing the security of iOS—which even the FBI struggles to crack—with the so-called “leaky bucket” that is Android. But I’m serious: Android and iOS can and should be compared. Not to once again prove that iOS is far superior, but because, in some ways, iOS actually falls short.

I’m convinced that the iPhone is much more secure than Android smartphones. That’s an obvious fact, stemming from Apple’s complete control over its ecosystem: its own hardware, a single App Store, fast updates delivered directly from iOS developers, and no one but Apple making changes to the OS. The company not only develops iOS but also manages everything around it, including the devices themselves.

However, if you look at things from a different angle and compare not the devices, not the ecosystem, not the whole layer of services and technologies built around iOS and Android—but strip all that away and compare Android and iOS as standalone operating systems—the picture becomes far less clear-cut.

How Quickly Is iOS Hacked?

Let’s start with a quick table:

  • iPhone OS 1.0 — hacked after 11 days
  • iPhone OS 2.0 — hacked after 35 days
  • iPhone OS 3.0 — hacked after 2 days
  • iOS 4.0 — hacked after 2 days
  • iOS 5.0 — hacked after 1 day
  • iOS 6.0 — hacked the same day
  • iOS 7.0 — hacked after 95 days
  • iOS 7.1 — hacked after 25 days
  • iOS 8.0 — hacked after 35 days
  • iOS 8.1.1 — hacked after 12 days
  • iOS 9.0 — hacked after 28 days
  • iOS 9.1 — hacked after 142 days
  • iOS 10 — hacked after 106 days

This table shows how many days passed between the release of a new iOS version and the first jailbreak. In the context of security, this is important because technically, jailbreaking is nothing more than gaining root access. Root access gives full control over the device, and it can only be obtained by bypassing the OS’s security mechanisms.

You might say that Android devices are rooted all the time, and you’d be right. But there are many nuances here, including the frequent ability to get root “legally” (by unlocking the bootloader), the existence of many devices with MTK processors where the bootloader isn’t locked at all, and vulnerabilities that aren’t directly related to Android but are due to manufacturer mistakes.

In short, it’s almost impossible to make a similar table for Android, but we can compare iOS and Android using other data. Take a look:

  • Android — 1,308 vulnerabilities
  • iOS — 1,275 vulnerabilities

This is the total number of vulnerabilities ever found in iOS and Android, according to cvedetails.com. Android is in first place, with iOS close behind. This alone is enough to dispel the myth that Android is full of holes while iOS is an impenetrable fortress. But let’s dig a little deeper and look at the vulnerabilities themselves.

What Are the Vulnerabilities?

At the time of writing, the last three Android vulnerabilities were:

  • The lockscreen on Elephone P9000 devices (Android 6.0) allows physically nearby attackers to bypass the wrong-PIN lockout by pressing backspace after each PIN guess.
  • In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a WLAN driver can lead to a Use After Free condition.
  • In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a USB driver can lead to a Use After Free condition.

One bug is in the lockscreen implementation of a cheap Chinese phone (Elephone P9000), and two are in Qualcomm’s proprietary drivers, which are as related to Android as an Nvidia video card driver is to Windows.

Okay, maybe that’s just a coincidence. Let’s look at a sample of the last 100 vulnerabilities:

  • 29 — Qualcomm drivers
  • 28 — Android vulnerabilities
  • 20 — CAF kernel (developed by Qualcomm)
  • 9 — Mediatek drivers
  • 7 — Broadcom drivers
  • 4 — Manufacturer firmware vulnerabilities
  • 3 — Nvidia drivers

So, almost half of the vulnerabilities are found in Qualcomm drivers (and their custom kernel), less than a third are in Android’s own code. The same sample for iOS:

  • 99 — iOS vulnerabilities
  • 1 — Qualcomm driver

You might argue that my analysis is too simplistic, since I included all vulnerabilities, even low-rated ones like DoS. But let’s be honest: I used a sample of 100 vulnerabilities, which is 8% of all bugs ever registered for these OSes. If that’s not representative, I don’t know what is.

Major Security Flaws

Now, let’s look at some of the most notorious bugs that made headlines not so long ago. Here’s a partial list for iOS:

  • CVE-2009-2204 (up to 3.0.1) — Viewing a malicious SMS could cause the device to crash or execute arbitrary code.
  • CVE-2010-3832 (up to 4.2) — Remote code execution in the GSM modem processor.
  • CVE-2012-0672 (up to 5.1.1) — Remote code execution via a specially crafted web page.
  • CVE-2016-4631 (up to 9.3.3) — Remote code execution by displaying a TIFF image on a web page, in an email, message, etc.
  • Trident (up to 9.3.5) — User clicks a link, a trojan jailbreaks the device and installs itself.
  • Broadpwn (up to 10.3.3) — Remote code execution via specially crafted Wi-Fi frames (this bug also affected Android smartphones).

A similar list for Android would be more than half filled with Stagefright bugs found in 2015–2016. The difference is that iOS bugs are quickly forgotten, as they become irrelevant once all devices are updated to the new OS version. But Android bugs linger, since vulnerabilities from two or three years ago remain relevant for millions of devices.

So, Which Is More Secure?

When it comes to vulnerabilities, iOS is definitely not the most secure OS, and Android is not the most vulnerable. However, the average Android smartphone is a sieve. All those manufacturer modifications, bugs in custom bootloaders, and constant update issues undermine Google’s efforts to make Android more secure.

If you choose an Android smartphone, follow these tips:

  • The best choice: Nexus, Pixel, and Android One smartphones. They run “stock” Android and get timely updates for three years (two years of regular updates and one year of security updates).
  • If that’s not possible: Look for a phone with official LineageOS support, especially Samsung and OnePlus. If the manufacturer stops updating your device, you can switch to LineageOS and keep getting updates.
  • Don’t expect your cheap Chinese phone with an MTK processor to be hard to hack. Even a beginner can extract data from it in no time.

If you choose an iPhone, you really don’t have to worry. No matter how many bugs are found in iOS, Apple will patch them within two weeks.

Leave a Reply