
A few months ago, Oleg Afonin from Elcomsoft wrote a lengthy article about how well smartphones on different mobile platforms are protected. The Android section was particularly scathing: he tore the OS apart and called it the leakiest of the big three (iOS, Windows Phone/Mobile, Android).
We debated this at length and eventually agreed to add my sidebar to the article—an alternative take on the issue. In short, the gist of the sidebar is this: Oleg, as a mobile forensics specialist, knows better than anyone that compromising a typical Android smartphone is much easier than an iPhone. My point, however, was that the problem lies less with Android itself and more with the devices it runs on—and a lot depends on the specific handset you use.
Like Oleg, I’m convinced the iPhone is far more secure than Android phones. That’s largely because Apple exercises end-to-end control over its ecosystem: its own hardware, a single App Store, rapid updates shipped directly by Apple, and no third-party modifications to the OS. Apple doesn’t just develop iOS; it also manages everything around it, including the devices themselves.
However, if you look at it from a different angle and compare not the devices, not the ecosystems, not the whole stack of services and technologies built around iOS and Android—if you set all that aside and judge Android and iOS as standalone operating systems—the picture is far less clear-cut.
To start, a small table:
- iPhone OS 1.0 — jailbroken 11 days after release;
- iPhone OS 2.0 — jailbroken 35 days after release;
- iPhone OS 3.0 — jailbroken 2 days after release;
- iOS 4.0 — jailbroken 2 days after release;
- iOS 5.0 — jailbroken 1 day after release;
- iOS 6.0 — jailbroken on the same day;
- iOS 7.0 — jailbroken 95 days after release;
- iOS 7.1 — jailbroken 25 days after release;
- iOS 8.0 — jailbroken 35 days after release;
- iOS 8.1.1 — jailbroken 12 days after release;
- iOS 9.0 — jailbroken 28 days after release;
- iOS 9.1 — jailbroken 142 days after release;
- iOS 10 — jailbroken 106 days after release.
It shows how many days passed between the release of each iOS version and the first public jailbreak. For security, this matters because a jailbreak is, technically, nothing more than obtaining root privileges: root gives full control over the device, and the only way to get it is by bypassing the OS’s security mechanisms.
You could say that anyone and everyone roots Android, and you’d be right. But there are plenty of nuances: in many cases you can obtain root “legitimately” by unlocking the bootloader; there’s a huge number of MediaTek-based devices whose bootloaders aren’t locked to begin with; and there are vulnerabilities that aren’t part of Android itself but arise from OEM sloppiness.
In short, putting together a comparable table for Android is practically impossible, but we can still compare iOS and Android using a slightly different dataset. Take a look:
- Android — 1,308 vulnerabilities.
- iOS — 1,275 vulnerabilities.
This is the total number of vulnerabilities ever found in iOS and Android, according to cvedetails.com. Android tops the list; iOS is slightly behind. This alone is enough to dispel the myth that Android is riddled with holes while iOS is an impregnable fortress. But let’s go a bit further and look at the vulnerabilities themselves.
At the time of writing, the three most recent Android vulnerabilities were:
- The lockscreen on Elephone P9000 devices (running Android 6.0) allows physically proximate attackers to bypass a wrong-PIN lockout feature by pressing backspace after each PIN guess.
- In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a WLAN driver can lead to a Use After Free condition.
- In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a USB driver can lead to a Use After Free condition.
One bug in the lock-screen implementation on a cheap Chinese plastic phone called the Elephone P9000, and two vulnerabilities in Qualcomm’s proprietary drivers—written by Qualcomm itself—which are to Android what an Nvidia graphics driver is to Windows.
Okay, it’s entirely possible that this is just a coincidence. Let’s take a sample of the 100 most recent vulnerabilities:
- 29 — Qualcomm drivers;
- 28 — Android vulnerabilities;
- 20 — the CAF kernel maintained by Qualcomm;
- 9 — MediaTek drivers;
- 7 — Broadcom drivers;
- 4 — OEM firmware vulnerabilities;
- 3 — NVIDIA drivers.
Overall: almost half of the vulnerabilities were found in Qualcomm drivers (and its vendor kernel), and less than a third in Android’s own code. The same breakdown for iOS:
- 99 — iOS vulnerabilities
- 1 — Qualcomm driver
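The breakdown above is a manual count over cvedetails.com entries. The following is an added example, not code from the article or from cvedetails.com, that automates the same kind of bucketing: it takes CVE summary strings, attributes each to a vendor component by keyword, and reports the share that falls outside Android’s own code. The vendor keyword list and the OEM names are assumptions for illustration; the first three sample summaries are the ones quoted above, the rest are constructed and are not real CVE records.

```python
import re
from collections import Counter

# Constructed sample of CVE summaries in the style of cvedetails.com. The first
# three are the entries quoted in the article; the remaining ones are invented
# for illustration and are NOT real CVE records.
SAMPLE_SUMMARIES = [
    "The lockscreen on Elephone P9000 devices (running Android 6.0) allows "
    "physically proximate attackers to bypass a wrong-PIN lockout feature by "
    "pressing backspace after each PIN guess.",
    "In all Qualcomm products with Android releases from CAF using the Linux "
    "kernel, a race condition in a WLAN driver can lead to a Use After Free condition.",
    "In all Qualcomm products with Android releases from CAF using the Linux "
    "kernel, a race condition in a USB driver can lead to a Use After Free condition.",
    "(constructed) An elevation of privilege vulnerability in the MediaTek video "
    "driver could enable a local malicious application to execute arbitrary code "
    "within the context of the kernel.",
    "(constructed) A remote code execution vulnerability in mediaserver could "
    "enable an attacker using a specially crafted file to cause memory corruption.",
    "(constructed) An elevation of privilege vulnerability in the Broadcom wi-fi "
    "driver could enable a local malicious application to execute code in kernel context.",
    "(constructed) An elevation of privilege vulnerability in the NVIDIA GPU driver "
    "could enable a local malicious application to execute arbitrary code within "
    "the context of the kernel.",
    "(constructed) An information disclosure vulnerability in the Android framework "
    "could enable a local malicious application to access data outside of its "
    "permission levels.",
]

# Vendor keywords checked in order; the first hit wins. The keyword sets and the
# OEM device-name list are assumptions: in practice you would maintain them from
# your own fleet inventory rather than from this hard-coded list.
VENDOR_PATTERNS = [
    ("Qualcomm", re.compile(r"\bqualcomm\b|\bCAF\b|\bmsm\b", re.I)),
    ("MediaTek", re.compile(r"\bmediatek\b|\bMTK\b|\bmt\d{4}\b", re.I)),
    ("Broadcom", re.compile(r"\bbroadcom\b|\bbcm\d+\b", re.I)),
    ("NVIDIA", re.compile(r"\bnvidia\b|\btegra\b", re.I)),
    ("OEM firmware", re.compile(r"\b(elephone|samsung|huawei|xiaomi|sony|htc)\b", re.I)),
]

AOSP = "Android (AOSP)"


def classify(summary):
    """Attribute one CVE summary to a vendor component, defaulting to Android itself."""
    for vendor, pattern in VENDOR_PATTERNS:
        if pattern.search(summary):
            return vendor
    return AOSP


def breakdown(summaries):
    """Return {component: (count, percent)} over the given summaries."""
    counts = Counter(classify(s) for s in summaries)
    total = len(summaries)
    return {k: (v, round(100.0 * v / total, 1)) for k, v in counts.items()}


def non_aosp_share(summaries):
    """Percent of entries that live in vendor drivers, vendor kernels or OEM code."""
    outside = sum(1 for s in summaries if classify(s) != AOSP)
    return round(100.0 * outside / len(summaries), 1)


if __name__ == "__main__":
    for component, (count, pct) in sorted(breakdown(SAMPLE_SUMMARIES).items(),
                                          key=lambda kv: -kv[1][0]):
        print(f"{count:3d}  {pct:5.1f}%  {component}")
    print(f"outside AOSP: {non_aosp_share(SAMPLE_SUMMARIES)}%")
```

Keyword attribution is only a first pass: a summary that names both CAF and a driver is counted once, under Qualcomm, so the split between "Qualcomm drivers" and "CAF kernel" in the article cannot be reproduced without reading each entry. The useful output is the non-AOSP share, which is the number that tells you how much of your exposure depends on the chipset vendor and OEM rather than on Google.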
You could, of course, argue that my analysis is too simplistic—I used the full set of vulnerabilities, including DoS, low-severity issues, and so on. But let’s be honest. I based the stats on 100 vulnerabilities, which is 8% of all bugs ever recorded for the OS. If that isn’t a representative sample, I don’t know what is.
Now let’s look at the most notorious, scary bugs that were making headlines not long ago. Here’s a non-exhaustive list for iOS:
- CVE-2009-2204 (prior to iOS 3.0.1) — viewing a malicious SMS message can cause an unexpected device crash or arbitrary code execution;
- CVE-2010-3832 (prior to iOS 4.2) — remote code execution in the GSM baseband processor;
- CVE-2012-0672 (prior to iOS 5.1.1) — remote code execution via a specially crafted web page;
- CVE-2016-4631 (prior to iOS 9.3.3) — remote code execution by rendering a TIFF image on a web page, in an email, message, and similar contexts;
- Trident (prior to iOS 9.3.5) — a user taps a link, after which the trojan jailbreaks the device and installs itself;
- Broadpwn (prior to iOS 10.3.3) — remote code execution via specially crafted Wi‑Fi frames (this bug also affected Android phones).
You could make a similar list for Android, and more than half of it would be Stagefright bugs discovered in 2015–2016. The key difference is that iOS bugs are quickly forgotten because they become irrelevant once devices are updated to the latest OS version. Android bugs, however, stick around: vulnerabilities from two or even three years ago can still affect millions of devices.
When it comes to vulnerabilities, iOS isn’t the most secure OS, and Android isn’t the leakiest either. But the average Android handset is riddled with holes. OEM tweaks, bugs in proprietary bootloaders, and chronic update issues all but nullify Google’s efforts to make Android safer.
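The "bugs stick around" problem can be measured on a fleet rather than argued about. The following is an added example, not code from the article: it takes a device inventory with each handset’s Android security patch level (the `ro.build.version.security_patch` property, a `YYYY-MM-DD` string) and reports which devices still predate the monthly bulletin that fixed a given bug, and which ones have gone stale. The inventory, the bulletin date and the reference date are constructed placeholders, not real devices or real bulletin data.

```python
from datetime import date

# Constructed inventory: (device label, Android version, security patch level as
# reported by `adb shell getprop ro.build.version.security_patch`). Placeholders,
# not real devices.
INVENTORY = [
    ("pixel-a",     "10",  "2019-11-05"),
    ("galaxy-b",    "8.0", "2018-03-01"),
    ("mtk-phone-c", "6.0", "2016-09-05"),
    ("oneplus-d",   "9",   "2019-10-05"),
]


def parse_patch_level(level):
    """Security patch levels are ISO dates; a malformed value is treated as unpatched."""
    try:
        return date.fromisoformat(level)
    except ValueError:
        return date.min


def exposed_devices(inventory, fixed_in, today):
    """Devices whose patch level predates the bulletin (fixed_in) that closed a bug.

    Returns [(device, days since its last patch level)], worst first. The bulletin
    date is a placeholder here; in practice it comes from the Android Security
    Bulletin entry for the CVE in question.
    """
    fix = parse_patch_level(fixed_in)
    hits = []
    for name, _version, level in inventory:
        patched_to = parse_patch_level(level)
        if patched_to < fix:
            hits.append((name, (today - patched_to).days))
    return sorted(hits, key=lambda h: -h[1])


def stale_devices(inventory, today, max_age_days=90):
    """Devices whose patch level is older than max_age_days, regardless of any one bug."""
    return [name for name, _v, level in inventory
            if (today - parse_patch_level(level)).days > max_age_days]


if __name__ == "__main__":
    today = date(2019, 12, 1)          # constructed reference date
    for name, lag in exposed_devices(INVENTORY, "2017-01-05", today):
        print(f"{name}: still exposed, patch level is {lag} days old")
    print("stale:", stale_devices(INVENTORY, today))
```

Two caveats a practitioner should keep in mind: the patch level only says which bulletin the OEM claims to have merged, not that every fix in it was applied correctly, and a vendor-driver bug (the Qualcomm and MediaTek category above) is fixed only when the OEM ships the vendor’s patch, which the date string cannot tell you on its own.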
So if you’re choosing an Android phone, follow a few simple tips.
- The best choices are Nexus, Pixel, and Android One phones. They run stock Android and get timely updates for three years (two years of regular updates and one year of security updates).
- If the top choice isn’t an option, look for a phone with official LineageOS support—primarily Samsung and OnePlus. If the manufacturer stops updating the device, you can switch to LineageOS and keep receiving updates.
- Don’t assume your Chinese phone with an MTK (MediaTek) chipset will be hard to crack. Someone with very basic skills can dump the data off it in no time.
If you go with an iPhone, you’re basically in the clear. No matter how many bugs are found in iOS, Apple will patch them within two weeks.
