Mobile Security: iOS vs Android – Which Is Right for Your Threat Model?


Which mobile operating system (OS) is more secure: iOS or Android? This straightforward question does not have a simple answer. As with most topics in IT security, the proper response is: it depends. And the next logical question is what it depends on. This article will help you answer this question and find out which operating system can be considered more secure for common use cases or threat models.

A threat model is a security concept that considers and analyzes the attack surfaces, threats, and attacker tactics most likely to impact a given user or organization. A mobile device threat model for most users is primarily based on their app usage. This article helps you determine your basic threat model based on your usage of mobile devices and software.

The Essential Question to Determine Your Threat Model

Before we jump into examining mobile OS security, you need to answer a key question: What type of user are you? Here are four categories that might help you answer the question:

  • The App Lover – you install new apps weekly or even daily
  • The Diligent User – you rarely install new apps and regularly update your devices
  • The High-value Target – it is likely that you might be a target for intellectual property theft or financially motivated cybercrime, e.g., because you are an owner or executive of a multi-million-dollar business
  • The High-profile Target – you might be a target of surveillance by foreign or local intelligence services

The way you answer this question will make it easier to determine which mobile OS is more secure for you.

The App Lover

If you (or your kids) love to install new apps, the answer is relatively easy: stick with iOS. Even though we’re in 2021, from a security point of view, Google still lacks the proper processes to filter malicious apps from the Play Store. It’s even worse if you or your kids install Android apps from third parties, such as websites, as these have a very high chance of infecting an Android device. It is usually more challenging to install third-party apps on iOS, and most users do not bother to do so.

The Diligent User

If you rarely install new apps and check whether the app is popular and has a large user base before you do, if you tend to buy the latest mobile phones from known, trusted vendors, and regularly patch your devices, I have some good news for you. It is highly likely that your phone is secure, and it does not matter if it is an Android or iOS device. What matters in your threat model is which services you use and whether those companies get hacked and leak your data. You should also look out for phishing sites when browsing on mobile devices to protect your credentials. In terms of financial loss due to mobile security, a likely threat vector you might be ignoring is your children: can they see your phone’s passcode and “borrow” it to spend some money? Again, these risks are the same, whether you have an Android or an iOS device.

The High-value Target

Does your company own intellectual property worth millions of dollars? Is it a highly lucrative business that is likely to be targeted by competitors or criminals? If this is the case, you are about as secure on the Internet as a banker in the Wild West. Choosing between the “walled garden” approach from Apple and the more open mentality of Android is not as clear cut when you are a valuable target. There are several ways in which experts try to compare the security of the systems, but the truth is that there are no perfect systems, and the more valuable the target, the more resources the attackers might be willing to dedicate to compromising the target’s smartphone. Some people might even measure the security of iOS vs. Android systems based on how much it costs to buy an “exploit” targeting the system.

Mobile OS Exploits: iOS vs Android

What is an exploit? An exploit is a particular type of code that can bypass a device’s security to give attackers control of that device. Some exploits will allow them to read messages, tap the microphone, steal photos, log keystrokes, etc. To illustrate the cost of some modern exploits, there is Zerodium, charging 2.5M USD to fully compromise the latest Android devices, and 2M USD for an iOS device. Based on Zerodium’s pricing you could say that Android is more secure, but I don’t believe the difference is significant. The exciting part is the magnitude of these prices: this is not the ecosystem where a talented exploit researcher could sit down in their cave for a week and come out with a working exploit. Significant research, knowledge bases and teamwork are needed for any new exploit to appear on the market. This does mean that modern platforms are secure enough for the average user, but not necessarily for high-value targets. There are also some nuanced differences when we consider how the exploits might be used.

iOS and Android Security for High-value Targets

Consider this: if someone creates a new exploit for iOS, the chances are high that the same code can run on the vast majority of iOS devices, as shown by our data in the device intelligence report. As for Android, it may or may not work on different devices. The effectiveness of a given exploit comes down to the fragmented Android market: there are so many models running so many different Android versions that it is difficult to create a single exploit that would affect a significant percentage of devices. It is an exciting problem that cuts both ways: Android phone vendors have a hard time patching this fragmented device base, but the attackers face similar challenges.

So far, I would say there is no clear winner for high-value targets, but you (or your IT department) can make a difference if you use Android. The walled garden approach of iOS prevents any security monitoring on the device itself. Also, as only one phone vendor exists (Apple), all of its phones will have just the “default security.” As for Android, if you are willing to pay the price, you can install mobile threat defense solutions or have some extra hardware-based security like Samsung Knox. For iOS, you don’t have these options. But if you lack the resources to buy these, it probably does not matter whether you use Android or iOS. However, CUJO AI is looking to change this with CUJO AI On The Move, which allows network operators to provide mobile protection to iOS and Android mobile users.

If you believe attackers are not targeting mobile devices and this is just hype to sell more IT security solutions, I recommend you research the terms APT41 or Sandworm. In any case, if you are a high-value target, it matters more how you do OPSEC than which mobile OS you choose. And OPSEC is hard.

The High-profile Target

Lastly, if you are the target of foreign intelligence services or local law enforcement, I have some bad news. Your best option is to not use any technology in the foreseeable future. Consider moving to a remote island and taking up fishing with a non-IoT fishing rod, as these are unaffected by mobile device exploits or backdoors used by the most advanced intelligence agencies. Other than that, there is not much you can do to protect your data on your mobile phone.

Conclusion

You should now have a basic notion of which mobile operating system is better for your threat model. Remember: you must continue learning about device security and emerging cybersecurity risks, because nothing in IT security is written in stone, and you should always keep educating yourself to keep your data, identity, and devices secure. To learn more about mobile security threats, read our brief overview of Android malware.

Other posts by Zoltan Balazs
