Strange title, isn’t it? The author must be crazy, if he decided to compare the security of iOS, which can’t even crack the FBI, and a holey bucket called Android. But I am serious: Android and iOS can and even need to compare. Not because, once again, to prove that iOS is much better. And because the iOS loses.
I am convinced that the iPhone is much safer than the Android smartphones. This is an obvious fact, which stems from the fact that Apple fully controls the ecosystem of its devices: its iron, its only App Store, fast updates directly from the developers of iOS, in the OS no one makes any changes, except Apple itself. The company not only develops iOS, but also controls everything around it, including the devices themselves.
However, if you look a little bit at a different angle and compare not the devices, not the ecosystem, not all of this layer of services and technologies created around iOS and Android, – if you throw it all away and compare Android and iOS as separate operating systems, the picture becomes far from so unambiguous.
For starters, a small plaque:
- iPhone OS 1.0 – hacked after 11 days;
- iPhone OS 2.0 – cracked after 35 days;
- iPhone OS 3.0 – hacked after 2 days;
- iOS 4.0 – cracked after 2 days;
- iOS 5.0 – hacked after 1 day;
- iOS 6.0 – hacked the same day;
- iOS 7.0 – hacked after 95 days;
- iOS 7.1 – hacked after 25 days;
- iOS 8.0 – cracked after 35 days;
- iOS 8.1.1 – hacked after 12 days;
- iOS 9.0 – hacked 28 days later;
- iOS 9.1 – hacked 142 days later;
- iOS 10 – cracked after 106 days.
It shows how many days have passed between the release of a new version of iOS and the first jailbreak. In the context of security discussions, this is a very important table, because technically a jailbreak is nothing more than obtaining root permissions. And root’s rights, in turn, give full control over the device, and there is only one way to get it – by bypassing the OS security mechanisms.
You can say, that Android too ruthet all who are not lazy, and you will be right. However, there are many nuances, including such factors as the frequent opportunity to get a root “legally” (by unlocking the loader), the existence of a huge number of devices on the MTK processors, in which the loader in principle is not blocked, as well as holes, which are not directly related to Android and appeared due to the curvature of the manufacturer.
In general, a similar table for Android is almost impossible to make, but we can compare iOS and Android, using a little different data. Take a look:
- Android – 1308 vulnerabilities.
- iOS – 1275 vulnerabilities.
This is the number of all ever found vulnerabilities in iOS and Android according to
At the time of writing, the last three Android vulnerabilities were such:
- The lockscreen on Elephone P9000 devices (running Android 6.0) allows physically proximate attackers to bypass a wrong-PIN lockout feature by pressing backspace after each PIN guess.
- In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a WLAN driver can lead to a Use After Free condition.
- In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a USB driver can lead to a Use After Free condition.
One bug in the implementation of the lock screen in a cheap Chinese piece of plastic called Elephone P9000 and two vulnerabilities in the proprietary drivers Qualcomm, the author of which is Qualcomm itself and which have the same relevance to Android, which the driver for the Nvidia graphics card has to Windows.
Ok, it is quite possible, it is an accident and just a coincidence of circumstances. Make a sample of the last 100 vulnerabilities:
- 29 – Qualcomm Drivers;
- 28 – Android vulnerabilities;
- 20 – CAF kernel, developed by Qualcomm;
- 9 – Mediatek drivers;
- 7 – Broadcom drivers;
- 4 – vendor firmware vulnerabilities;
- 3 – Nvidia drivers
Total: almost half of the vulnerabilities found in the drivers (and branded kernel) Qualcomm, less than a third – in the code of the Android itself. The same sample for iOS:
- 99 – iOS vulnerabilities;
- 1 – Qualcomm driver
You can of course argue that my analysis is too primitive, I took the whole vulnerability slice by including DoS, low rating vulnerabilities and the like. But let’s face it. I’ve brought statistics based on 100 vulnerabilities, that’s 8% of all registered OS bugs since they existed. If it is a non-representative sample, then I do not know what will be representative.
And now let’s look at the most famous and terrible bugs, about which not so long ago trumpeted on every corner. Here is a partial list for iOS:
- CVE-2009-2204 (up to 3.0.1) – viewing a malicious SMS message may cause an unexpected device failure or execution of arbitrary code;
- CVE-2010-3832 (up to 4.2) – remote code execution in GSM-modem processor;
- CVE-2012-0672 (up to 5.1.1) – remote code execution using a specially generated web page;
- CVE-2016-4631 (up to 9.3.3) – remote code execution by displaying the image in TIFF format on a web page, in a letter, message and the like;
- Trident (up to 9.3.5) – user clicks on the link, then the trojan jailbreaks and is placed in the system;
- Broadpwn (up to 10.3.3) – remote execution of the code by sending a specially formed Wi-Fi-Frames (the same bug is present in smartphones on Android).
For Android you can give the same list, and more than half of it will consist of the bug Stagefright found in 2015-2016. The only difference is that the bug iOS is quickly forgotten, they just stop being relevant because of the update of all devices to the new version of the OS. But the Android bugs are remembered for a long time, because vulnerabilities even two and three years ago remain relevant for millions of devices.
If we talk about vulnerabilities, iOS is definitely not the most protected OS, and Android is not the most holey. But the average smartphone on Android is a sieve. All these modifications, added by the manufacturer, bugs in the branded bootloaders, eternal problems with updates – all this negates the efforts of Google to make Android safer.
So, if you choose a smartphone on Android, follow a few tips.
- The best choice is Nexus, Pixel and Android One smartphones. They run on a “pure” Android and receive operational updates for three years (two years of regular updates and one year of security updates).
- If a better choice is not possible, look towards the smartphone for which there is official LineageOS support, first of all Samsung and OnePlus. If the manufacturer stops updating your device, you’ll always have the option to switch to LineageOS and keep getting updates.
- Don’t hope that your Chinese smartphone on the MTK processor will be difficult to crack. The person with the initial training will salt the data from it on the count of times.
If your choice is iPhone, then you have no problems at all. No matter how many bugs are found in iOS, Apple will close them within two weeks.