SecurityWatch: Android vs. iOS, Which Is More Secure?

It's a tale as old as time: Writing a polemical piece about two competing brands in order to pit the fanboys for each against one another in the comments. Dance, my puppets. Your rage posting just racks up the unique views and pays my salary. Yet as I survey the human wreckage, brandy snifter in hand, I consider: is the iPhone really more secure than Android? Is Android's "good enough" approach to security really good enough? What if, despite successes, both platforms are failing in important ways?

Security the Apple Way

Apple is usually touted as the clear winner in terms of mobile security. Frankly, it's hard to argue with that assessment on the face of it. Apple's unprecedented control of the iPhone and iOS experience has meant that most people receive and install software updates and security fixes. That's critical, and it's a major differentiator from Android.

Apple has managed to keep a tight grip over its hardware supply chain and also, through the App Store vetting process, kept control of apps from independent developers. It's also a controversial process, with apps being rejected for seemingly arbitrary reasons, but one that has kept the App Store largely malware free.

When it comes to security, Apple seems to use a "whatever it takes" approach. A great example is its Messages (formerly iMessage) platform. This might just seem like text messages shared between phones and computers, but a Black Hat presentation from a few years ago made it clear that wasn't the case. Apple designed the platform from the ground up to be end-to-end encrypted and as tamper resistant as possible. Servers for messages, for example, need hardware keys to be spun up. Once the servers are operational, those keys are destroyed, preventing anyone—even Apple—from spying on users or tampering with the system. It's enormously complex, but it works.

Security the Android Way

For a long time, Google made the argument that it was secure enough. No, it didn't catch every single malicious app uploaded into Google Play. Yes, there have been several major vulnerabilities in the operating system discovered by researchers. Yes, the openness of Android and an installed base fractured into several different versions of the Android OS has put customers at risk. But Google representatives would point out that of the billion or so users, only a tiny fraction—something like one percent—would ever actually encounter something malicious. That said, even just one percent of a billion is a lot. Like, 10 million a lot.

To its credit, Google has changed its tune. Updates to the Android operating system have placed greater limitations on what information apps can gather. The company has ditched its all-or-nothing permissions model in favor of an Apple-flavored approach, under which users can agree to let an app access their camera but not their contacts list. Google has also moved to a much faster cadence for its security updates, pushing more fixes to more devices.

The biggest change from Google has actually been quite subtle. Google has moved its security efforts deep within Android, into Google Play Services, which Google can update regardless of what version of the operating system users are running. That allows for programs like Safety Net, which lets Google watch for malware on devices, even malware that was sideloaded from outside the Google Play store.

From there, Google has not just expanded the security features of Android, but also worked to make Android devices into security devices. Google recently announced that Android devices can be used as FIDO2 two-factor authentication devices, providing one of the best and most flexible 2FA options to every Android owner. If you wanted to use FIDO2 before, you'd have to spend $20-$50 for a hardware key from the likes of Yubico or Google.

What They Each Get Wrong

While the actual number of malware infections is low, that one percent of Android users who encountered something malicious was never evenly distributed across all Android users. According to 2015 stats, it was predominantly among people using low-cost devices, often in developing countries. This has really stuck in my craw since the day I heard it. The risk of these devices was disproportionately pushed to those with the least means to weather a scam or attack.

Despite pushes made by Google to clean up Android and Android Apps, the model requires a fair amount of developer buy-in. Google needs to convince developers to do things differently, and use the new, safer tools the company provides. Google has introduced some sticks and carrots to get developers on board, but with mixed success. This is further compounded by the fractured nature of Android, with three distinct versions each having more than 20 percent of the installed base, and even tinier splinters of other versions. That means there is a sizeable audience that still doesn't receive the latest OS improvements, and developers can continue to target them with apps.

Nor has Apple's strategy been without consequences that have hurt users. Its incremental approach to security improvements means that it will probably be a while before an iPhone can be used as a 2FA FIDO2 authenticator, if it happens at all. I can't even use my existing YubiKey 5 NFC with an iPhone because it doesn't yet support FIDO2 over NFC.

Apple has also been slow to adopt password manager integration, making more difficult the best thing people can do to keep their information secure.

Apple's greatest security sin, however, is that its "whatever it takes" strategy comes at a high handset price. The most affordable phone still available from Apple is the iPhone 7, which costs $449, although trade-in discounts can be applied, as can a payment plan of $18.99 per month. New, good quality Android phones, on the other hand, can be purchased for as little as $220. The high price of an Apple device sends a pretty clear message: if you're not rich enough, you don't get to have Apple security. If iOS is outside the price range of many consumers, Apple isn't protecting them.

Recommended by Our Editors

With Android P, Google Stops Playing Catch-Up on Security

None of this even addresses the fact that the biggest threats to both iOS and Android users are spam, phishing, and fraud. These can come in the form of malvertising, SMS scams, and phishing emails. Both platforms have taken steps to tackle the challenge, but we need to remember that while spam and phishing aren't as sexy as government-crafted malware, it is the real threat to consumers.

Both Android and iOS Can Do Better

Not only do I think it's hacky writing to say that one platform is better than the other, I genuinely think that there is a massive gap between how Apple and Google approach to mobile security. The companies have different goals and business models, and have addressed security concerns through those lenses.

The dirty truth is that both Apple and Google are succeeding at security—if you view it through the lens of their respective business models. Google has to maintain a massive, uneasy alliance of hardware and software developers, in order to continue running the most popular OS on the planet. It can get a few things wrong, provided all those relationships remain strong.

Apple on the other hand, knows that its reputation is everything. Because people feel safe on iPhones, they feel safe to spend money both on iPhones and (increasingly important) with iPhones. The company moves very slowly and deliberately so it can get it right the first time, which sometimes makes them slow to adopt new technologies.

Instead of picking a winner, let's hold both of these tech giants accountable for their shortcomings. At the end of the day, odds are you have a device with all of your personal information on it from one of these two companies, so neither can afford to be satisfied with past accomplishments or recent improvements.