Android vs iOS: which is safer?

Tomcat



Strange title, isn't it? The author must have gone nuts to compare the security of iOS, which even the FBI cannot crack, and the leaky bucket called Android. But I'm serious: Android and iOS can and should be compared. Not to prove once again that iOS is so much better. But because iOS is losing.
I am convinced that iPhones are much safer than Android smartphones. This is an obvious fact, which stems from the fact that Apple completely controls the ecosystem of its devices: its hardware, its only App Store, quick updates directly from the iOS developers, no one makes edits to the OS except Apple itself. The company not only develops iOS, but also manages everything around it, including the devices themselves.
However, if you look a little from a different angle and compare not devices, not the ecosystem, not all this layer of services and technologies created around iOS and Android - if you discard all this and compare Android and iOS as separate operating systems, then the picture becomes far from unambiguous.

First, a small table:
  • iPhone OS 1.0 - jailbroken after 11 days;
  • iPhone OS 2.0 - jailbroken after 35 days;
  • iPhone OS 3.0 - jailbroken after 2 days;
  • iOS 4.0 - jailbroken after 2 days;
  • iOS 5.0 - jailbroken after 1 day;
  • iOS 6.0 - jailbroken on the same day;
  • iOS 7.0 - jailbroken after 95 days;
  • iOS 7.1 - jailbroken after 25 days;
  • iOS 8.0 - jailbroken after 35 days;
  • iOS 8.1.1 - jailbroken after 12 days;
  • iOS 9.0 - jailbroken after 28 days;
  • iOS 9.1 - jailbroken 142 days later;
  • iOS 10 - jailbroken after 106 days.
It shows how many days have passed between the release of the new version of iOS and the first jailbreak. In the context of a security discussion, this is a very important table because, technically, jailbreaking is nothing more than gaining root privileges. And root rights, in turn, give full control over the device, and you can get them in only one way - bypassing the protective mechanisms of the OS.
You can say that Android is also rooted by all and sundry, and you will be right. However, there are many nuances here, including factors such as the frequent possibility of getting root "legally" (by unlocking the bootloader), the existence of a huge number of devices on MTK processors in which the bootloader is not locked in principle, as well as holes that are not directly related to Android, and appeared thanks to the curvature of the manufacturing company.

In general, it is almost impossible to compile a similar table for Android, but we can compare iOS and Android using slightly different data. Take a look:
  1. Android - 1308 vulnerabilities.
  2. iOS - 1275 vulnerabilities.
This is the number of all iOS and Android vulnerabilities ever found, according to cvedetails.com. Android ranks first, iOS lags slightly behind. This information alone is enough to dispel the myth that Android is a sieve, and iOS is an impregnable fortress. But we'll go a little further and take a look at the vulnerabilities themselves.

As of this writing, the last three Android vulnerabilities are:
  1. The lockscreen on Elephone P9000 devices (running Android 6.0) allows physically proximate attackers to bypass a wrong-PIN lockout feature by pressing backspace after each PIN guess.
  2. In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a WLAN driver can lead to a Use After Free condition.
  3. In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a USB driver can lead to a Use After Free condition.
One bug in the implementation of the lock screen in a cheap Chinese piece of plastic called the Elephone P9000 and two vulnerabilities in Qualcomm's proprietary drivers, authored by Qualcomm itself, which have the same relation to Android as the driver for an Nvidia video card has to Windows.

Ok, quite possibly this is an accident and just a coincidence. Let's take a sample of the last 100 vulnerabilities:
  • 29 - Qualcomm drivers;
  • 28 - Android vulnerabilities;
  • 20 - CAF core developed by Qualcomm;
  • 9 - Mediatek drivers;
  • 7 - Broadcom drivers;
  • 4 - vulnerabilities in manufacturer's firmware;
  • 3 - Nvidia drivers.

Total: almost half of the vulnerabilities were found in Qualcomm drivers (and proprietary kernel), less than a third in the Android code itself. The same sample for iOS:
  • 99 - iOS vulnerabilities;
  • 1 - Qualcomm driver.
Of course, you can argue that my analysis is too primitive, I took the entire snapshot of vulnerabilities, including DoS, low-rated vulnerabilities and the like. But let's face it. I gave statistics based on 100 vulnerabilities, this is 8% of all bugs registered for the entire time of the OS existence. If this is a non-representative sample, then I do not know which one will be representative.

Now let's take a look at the most famous and terrible bugs, which were trumpeted on every corner not so long ago. Here's a partial list for iOS:
  • CVE-2009-2204 (up to 3.0.1) - Viewing a maliciously crafted SMS message may lead to an unexpected device crash or arbitrary code execution.
  • CVE-2010-3832 (up to 4.2) - remote code execution in the GSM modem processor;
  • CVE-2012-0672 (up to 5.1.1) - remote code execution using a specially formed web page;
  • CVE-2016-4631 (up to 9.3.3) - remote code execution by displaying a TIFF image on a web page, in a letter, message, and the like;
  • Trident (up to 9.3.5) - the user clicks on the link, after which the Trojan jailbreaks the device and is placed on the system;
  • Broadpwn (up to 10.3.3) - remote code execution by sending specially formed Wi-Fi frames (the same bug is present in Android smartphones).
For Android, you can give the same list, and more than half of it will consist of Stagefright bugs found in 2015-2016. The only difference is that iOS bugs are quickly forgotten, they simply cease to be relevant due to the update of all devices to the new OS version. But Android bugs are remembered for a long time, because vulnerabilities from even two and three years ago remain relevant for millions of devices.
When it comes to vulnerabilities, iOS is definitely not the most secure OS, and Android is not the most leaky. But the average Android smartphone is a sieve. All these modifications added by the manufacturer, bugs in proprietary bootloaders, eternal problems with updates - all this negates Google's efforts to make Android safer.

Therefore, if you are choosing an Android smartphone, follow a few tips.
  • The best choices are Nexus, Pixel and Android One smartphones. They run pure Android and receive live updates for three years (two years of regular updates and one year of security updates).
  • If a better choice isn't possible, look towards a smartphone that has official LineageOS support, primarily Samsung and OnePlus. If the manufacturer stops updating the device, you will always have the opportunity to upgrade to LineageOS and continue to receive updates.
  • Don't expect your Chinese MTK smartphone to be hard to hack. A person with only the most basic training will pull the data off it in no time.
If your choice is the iPhone, then you have no problems at all. No matter how many bugs are found in iOS, Apple will close them within two weeks.
 

Ace864

Still, I prefer iOS. It's more convenient for me. Besides, I have nothing to hide.
 

masdondillard

It seems to me that iOS is safer, because you can't hack root rights, and you can't download something from the Internet.
 

minarkhokha

iOS-based devices are the best, imo. At least, I use only them. It's more convenient, more stylish and much safer than Android. My brother, who uses Samsung, told me that someone once withdrew money from his card due to the insufficient protection. Apple products also serve longer, according to my friends' stories, who used to have Android. And you can repair your Mac or iPhone with a better quality. I usually do it here, allrepair.fr. Btw, some Android models may cost as a new Apple device. But does it have the same quality? To tell the truth, I'm not sure about that.
 

Father

Table of contents
  1. What is the difference between the two operating systems in terms of information security?
  2. Common security concerns
  3. The main problem of smartphone security
  4. How to protect yourself from hacking
  5. So which is more reliable: Android or iOS?

According to the BBC for 2021, the modern person uses his smartphone for about five hours a day. Photos, conversations, browser history, user activity and payment data – a modern smartphone literally knows everything about its owner.

In this regard, there is an increased interest in the security of personal devices and the security of the data that is stored on them. In this issue, the whole world is divided into two camps: those who are for Android, and those who are for iOS.

In this article, we will analyze the main aspects that affect the security of mobile operating systems, which one is preferable in terms of security, what threats exist, and how to protect your phone from cybercriminals.

What is the difference between the two operating systems in terms of information security?

The difference between the two systems is really significant. It's not for nothing that there are many jokes and memes about the inconvenience of switching from Android devices to iOS. First of all, it is worth mentioning the fundamental differences that are caused by the economy, that is, the business model and distribution methods that companies use.

Valery Stepanov
Head of the Competence Center for Information Security T1 Integration

Two indisputable facts: Android is much more popular than iOS in the world and the probability of detecting vulnerabilities in the Android source code is much higher. Consequently, more people are potentially at risk. This is because the main difference between iOS and Android in terms of cybersecurity is the fact that Android is an open source system. Android devices are easier to root: it includes removing restrictions set by the device manufacturer and installing unauthorized programs.

Thus, iOS is a product for one specific line of smartphones, and Android is an open OS that is used by many companies, such as Samsung, Huawei, Xiaomi and some others. Thus, a number of advantages and disadvantages of operating systems are due to the very attitude of companies to their product.

Anton Kuznetsov
Leading Information Security Engineer at R-Vision

If we talk about the difference between these operating systems, then it is worth highlighting two key differences: in the application architecture and in the control of the app store: AppStore/Google play.

In this case, Apple takes a more advantageous position: you can install only those applications that are available in the official AppStore. At the same time, all applications submitted to the AppStore undergo a thorough security check before entering the store, and their developers are subject to stricter control.

As for the architecture, iOS uses an isolated environment for running each application, which means that malicious code will not be able to leave this container and thus harm the system and its user. But there is also old code in applications that allows you to install Pegasus spyware, for example, via iMessage. It is important to understand here that such an attack is costly and there is no point in following ordinary users, and Apple also released a special protected mode some time ago, which prevents hacking.

In turn, Android is an open source operating system. This means free access to the source code for any software developer who can change and publish their OS version. And, as a result, Android devices are more likely to detect vulnerabilities. According to numerous research reports in this area, Android devices have more malware infections than Apple devices.

If we take a closer look at the issue of app stores, then Apple's advantages in the coming years may be offset by new EU legislation that will oblige OS manufacturers to allow the installation of applications from third-party stores. Apparently, this will happen in 2023.

The monopoly on app stores also became a serious problem for Russian users this year, as they could not download or update the apps of companies that were included in the lists of European sanctions. This gave rise to a number of interesting ads on various ad platforms. For example, on Avito, they tried to sell a phone with the Sberbank app installed for 15 million rubles.

Along with such funny cases, the demand of ordinary users for the services of people who can hack a smartphone, that is, "make a jailbreak", has also increased. A significant proportion of such offers on various sites look extremely dubious, and users are at great risk of getting malware instead of the desired application (or bundled with it).

It is also important not to forget that updates, including those related to device security, are released only for current smartphone models. In the case of the iPhone, tracking this factor is quite simple, but Android devices from different manufacturers lose support quite quickly and chaotically, since there are many companies using the Android OS.

Daria Zubritskaya
Marketing and Communications Director of the digital travel management and expense management platform Raketa

A common measure for both operating systems is update monitoring. The user should keep track of how up-to-date the installed version of the operating system and applications are. As for the Android operating system, the most important thing that a user can do is to prohibit the installation of applications from unverified sources. The user should not install applications downloaded from various sites and forums.

The main drawback of Android devices is that manufacturers do not support the device for long enough, update the operating system version to a new one, and also do not release security patches. Because of this, Android-based devices quickly become vulnerable and manufacturers do not seek to eliminate this.

Thus, in terms of "starting positions", iOS currently offers a higher level of protection than Android. On the other hand, Android offers a lot of variability: the user can flexibly configure the security of their own device, use protective programs from the markets, such as Kaspersky Lab antivirus, or use a variety of tools from third-party sources that they deem necessary.

Common security concerns

The most obvious problem for both operating systems is the physical security of the device. Relatively speaking, when handing over your device for screen replacement to a service located in the middle of a shopping center, almost no one thinks about what manipulations a specialist performs with it. It is quite difficult to control it without proper knowledge, so it is better to use trusted services or certified centers of the manufacturer.

Anatoly Peshkov
Co-founder and CTO of Mad Brains

It is worth remembering that:
  • first, devices and operating systems are still made by people, and they make mistakes (or even deliberately leave backdoors);
  • secondly, the device does not live in a vacuum, so everything we do on it somehow leaves a trace: from packets flying on the Internet to data from the phone's hardware (connection to cell towers, communication with GPS satellites, and even traces of fingers on the screen).
So the security will never be 100%, you will have to accept this. But to give up the benefits of civilization because of paranoia is not worth it. You need to sensibly assess the risks and the need to share or hide some information.

It is also important to remember that OS developers are high-level specialists, but still ordinary people. Yes, people's work is partially automated with the help of source code analyzers and other tools used by most leading manufacturers. For example, Samsung and Huawei use the Svace analyzer developed by Russian specialists. However, no automation tools can, at the moment, neutralize the influence of the human factor, so installing the next update is always associated with certain risks.

Anton Malygin
Senior iOS Engineer at Cogni

Both iOS and Android devices have some shortcomings in terms of information security. For example:

- Both operating systems can be used by hackers if the user becomes a victim of a phishing attack or installs a malicious application.

- Both operating systems can collect user data for various purposes, such as to personalize ads or improve user experience. This data collection can cause privacy concerns, although users can usually adjust their privacy settings to limit the amount of data collected.

- Both operating systems may be vulnerable to physical attacks, such as when someone tries to gain access to the device by guessing the password or using physical tools to bypass security measures.

And the third aspect, which is typical for both iOS and Android, is the "love" for the legal and legitimate collection of user data in a formally impersonal format. It is legal because it is not prohibited by law, but becomes legitimate at the moment when the user accepts the nth user agreement, which contains the agreement on the processing of personal data.

Ordinary users are often surprised that it is worth talking next to a smartphone lying quietly next to them (even if it is turned off) about some planned purchase, and when entering the search engine, it will immediately offer a trip abroad, a country plot or a marketplace for the sale of household appliances. It is important to understand that even turning off the device does not guarantee that it "does not hear" you. Removing the battery can partially solve this problem, but this is not possible with all models. The second option is to purchase a folder or a case-blocker, in which you can put the device during important negotiations, but there is a high risk of stumbling upon a fake that does not meet the stated characteristics and does not fulfill its functions.

The main problem of smartphone security

If you analyze search queries related to the security of mobile operating systems and smartphones, you may encounter the following:
  • is it possible to hack a phone through a call?;
  • hacking via text messages.

This, on the one hand, indicates the growing attention of users to the security of their devices. On the other hand, there is a low level of understanding of what "entry points" attackers can use and how to secure your phone.

Maxim Aferov
Leading expert in mobile development, Auriga

Unfortunately, absolutely all devices, systems, and applications have vulnerabilities. I continue to believe that the main vulnerability is the poor education of the users themselves. I would put another question: who is going to defend themselves against whom? If you are a regular user and you need protection from random attacks by not very experienced hackers, then any OS in the hands of an information security-savvy user will provide such protection. If the user is of serious interest for hacking (for example, a celebrity or a major official, businessman, or politician), then any device can be hacked if resources are available. But, as a rule, such users have their own information security services, whose task is to ensure the safety of their employer.

Can I hack my phone using malware? Yes, there are a huge number of Trojans, keyloggers and other software tools that can be "delivered" to the phone and get all the data. You can also encounter malware online, for example, after entering payment details in an online store that is infected with a skimmer.

But in the vast majority of cases, an attacker will not use operating system vulnerabilities, but user "vulnerabilities", that is, social engineering.

A high-profile example was the events of August 31, 2014, when gigabytes of personal photos of many Hollywood celebrities were "leaked". The event received not only a loud response, but also its own page in Wikipedia. The hacker simply sent messages to gmail and iCloud accounts asking them to confirm their credentials and a link leading to a phishing site.

It is important to understand that a high level of security for mobile devices consists of two factors:
  • OS security;
  • user behavior.

If a user downloads apps without control, gives them maximum permissions, and leaves their user data on questionable sites – then you can only protect their privacy by "degrading" a modern smartphone to a push-button device that simply can't do anything more than call and send SMS.

How to protect yourself from hacking

The most important thing in the issue of personal information security is to understand two basic factors:
  • personal data needs to be protected not only by the operating system, regulators or smartphone manufacturers, but also by a specific person;
  • one hundred percent data protection is basically unattainable, you can only constantly reduce the risks to a minimum value.

Understanding these basic truths allows you to look at familiar tools from a new angle. For example, choose apps with a long history, check links before clicking, and use cybersecurity tools. However, there are a number of specific rules that can help protect your smartphone, regardless of the operating system.

Alexey Marinin
Senior Mobile App Developer, Independent expert

Here are 10 tips on how to protect your smartphone.
  1. Set a strong password for the device. A Google / Apple account, Face ID, or fingerprint will allow you to unlock your phone in public places without compromising your password.
  2. Set different passwords for your phone, account, and banking apps and email, so that if attackers get hold of your device password and unlock it (or snatch it out of their hands when it was unlocked), they don't get control of all your data and apps. In the apps themselves, you can configure them to log in using your fingerprint or FaceID, which saves you from having to constantly enter passwords.
  3. Use a password manager. You should not store such sensitive information in notes or create a universal password for all your services and applications.
  4. Link your device to your account so that if it is lost or stolen, you can remotely clear it. In this case, attackers will not be able to get your information.
  5. Update the software in a timely manner. In new firmware versions, smartphone manufacturers often fix vulnerabilities.
  6. Do not use outdated devices that companies no longer support. For example, Apple supports its devices for 3 to 6 years, depending on the model.
  7. If you have a phone running Android, you can opt out of third-party shells over the OS, and use a "clean" Android. Potentially, this will significantly reduce the number of vulnerabilities.
  8. You can install antivirus software on Android devices, and this will also improve the device's security.
  9. On Android devices, I suggest that you stop downloading apps from third-party sites and alternative app stores. Using the official store offers will reduce (but not eliminate) the risk of installing malicious software.
  10. Don't download questionable apps even from official app stores. The control system in such markets is good, but not perfect, and malware can slip through. By using a program with a large number of reviews from familiar companies, you will reduce this risk.

Separately, it is worth mentioning "VIP users", which means people whose personal data can become a target for hackers. These include politicians, pop stars, top managers of large companies, opinion leaders, and a number of other people. For this category of people, it is highly desirable not only to follow the general rules, but also to resort to consultations and services of specialized information security specialists. These can be full-time employees of the company's information security department or outsourced specialists.

So which is more reliable: Android or iOS?

Absolute reliability is not guaranteed by any system, since cybersecurity is a complex area in which the balance of software tools, user care and a number of other factors is important.

For one person, the best solution is to use a keyboard phone, since they work with extremely sensitive data and, at the same time, have little idea of how modern smartphones and social engineering methods work, which is far from uncommon, for example, for older people.

Sergey Opivalov
Senior Software Engineer at Gradle Inc.

One of the disadvantages of Android devices is that they may be more vulnerable to malware and other threats due to the more open nature of the operating system. Android allows users to install apps from sources other than the official Google Play Store, which can increase the risk of downloading malicious software. In addition, Android devices may not receive updates as frequently as iOS devices, which may make them vulnerable to vulnerabilities that have already been fixed in newer versions of the operating system.

iOS devices, on the other hand, usually have more robust security features, including a secure download process and built-in encryption of data at rest. However, they may still be vulnerable to threats such as phishing attacks and malicious websites.

If we talk specifically about Android and iOS, then the operating system from Apple is more suitable for those who want to minimally delve into the security issues of their smartphone, and are ready to put up with some restrictions in user rights and device functionality.

Android devices are more suitable for those users who are willing to regularly spend personal time studying various tools and the very activity of their smartphone, and in return want to receive a potentially higher level of security than those users who want to receive security "as a service".

However, the nominal leadership of iOS in terms of security is likely to come to naught if regulators in different countries continue to promote the trend of unification of standards for smart devices.
 