Google has stated that its mobile operating system, Android, is just as secure as iOS.
While this may be true for the operating system itself, when you compare the two smartphone ecosystems as a whole, the data suggests that iOS is generally more secure.
There are several factors that must be considered before comparing the security of Android and iOS, however.
Firstly, Android has the benefit – and curse – of being an open, heterogeneous platform. Various manufacturers make hundreds of devices between them which all run on Android.
These devices span multiple price points, with expensive smartphones getting all the bells and whistles. Cheaper devices have to sacrifice on the hardware specifications to bring prices down.
“iOS hardware – iPhones, iPads and iPods – has some good security measures, but Android devices are a mixed bag,” SensePost chief technology officer Dominic White told MyBroadband.
“Some have some good hardware security, but others don’t.”
It’s a similar story on the software front, where many manufacturers will not provide security updates for their Android devices.
And while some will provide security updates, they only do so in countries where it makes financial sense for them to support their devices.
Brands like BlackBerry and Nokia pride themselves on releasing security patches for their Android smartphones as frequently as Google makes them available, but other manufacturers do not offer the same level of service across their range of devices.
As a result, Android security, especially on lower-end devices, is a disaster waiting to happen.
Not all Android phones are kept up to date because of the way the firmware approvals process works on mobile networks.
Before a phone manufacturer may release a patch which affects their system software, they must get approval from the relevant mobile network operators.
To ensure that a software update won’t cause a problem for clients or their network, mobile operators insist on testing all firmware updates before they go out.
This incurs a cost, and manufacturers are usually charged for testing and approvals. Based on feedback from manufacturers, this isn’t an issue unique to South Africa – operators all over the world work on the same principle to safeguard their networks.
Nokia fixed this bottleneck by separating the device operating system software from the system software the mobile networks care about – the drivers which handle communications with cellphone towers.
“In general, Android is considered less secure because there are lots of old devices that don’t support newer operating system versions, and there’s a broken update ecosystem that historically required the mobile operator to push the update,” said White.
Compare Apples with Androids
To give as objective a view as possible on the matter, let’s assume an Android smartphone with hardware that is as secure as an iPhone’s runs on the newest version of Android and receives all the latest security updates.
Is it possible to say whether Android or iOS is more secure under these ideal conditions?
“This is also hard, because there’s lots of shared components that affect both,” said White.
To illustrate his point, White produced the graphs below showing the number of vulnerabilities and the average severity of vulnerabilities by platform, per year, using the data from CVE Details.
Total number of vulnerabilities in iOS and Android: 2009-2018
From 2009 to 2018, Android had 1,886 vulnerabilities reported, while iOS had 1,458 vulnerabilities reported.
Average severity of vulnerabilities in iOS and Android: 2009-2018
From 2009 to 2018, the average severity of vulnerabilities on Android was 7.3, while on iOS it was 6.3 (out of 10).