Thanksgiving, Black Friday, Cyber Monday, and Christmas come around every year, with bumper deals on so many things it hurts my brain to think about it. Why am I telling you this? Well, with all the incoming deals you might consider picking up a new smartphone. 2017 has given us a new iPhone generation, as well as some great Android handsets, too (our Samsung Galaxy S8 and OnePlus 5 reviews).
But before you rush out and grab one or the other, consider this: which is the most secure smartphone operating system? Is it an Android device, or an iPhone?
Security Feature Overview
Let’s start by considering the most important smartphone security features. This is the core set of security features no smartphone operating system should be without.
- Overall device control, including bloatware app deletion, locking, PINs, and passwords
- App Store/Play Store security, including app permissions
- Bug and exploit security, update frequency
- Malware and ransomware protection
Having overall control of your device is important. It sounds like something basic. But anyone who has purchased a branded smartphone knows all too well that this can sometimes be far from the truth. Undeletable apps, unknown updates, additional battery and bandwidth use, and reduced storage are just some of the pitfalls of this situation. So, how do Android and iOS handle this issue?
iOS 11 comes with several pre-installed apps. You can delete the majority of built-in apps from iOS 11 (find the full list here). And having that control is a great feature. But even better is the fact that if you keep the pre-installed apps, you know they are developed and signed by Apple. The vast majority of Apple-designed pre-installed apps have remained secure over the years.
To delete a pre-installed iOS 11 app:
- Touch and hold the app symbol until it jiggles.
- Tap the app, then tap Delete
- Press the Home button to finish
Android is a completely different affair. Google develops the Android operating system, but a wide range of device manufacturers use it. As such, different smartphones come with different pre-installed apps. The level of bloatware is astounding, at times. I purchased a Samsung Galaxy S8, and it took months for Samsung even to allow users to disable the Bixby smart assistant button (without rooting the phone), let alone the other pre-installed apps.
Samsung is not the only offender, however. They’re not even the worse. Some U.S. carriers see pre-installed apps as a way of further ensnaring you into payment systems. As such, removing Android pre-installed apps is usually a difficult experience.
And, unlike Apple, Android pre-installed apps are predominantly developed by the device manufacturer. As such, there is no uniform approach to pre-installation. This is exacerbated by the range of Android operating systems in operation. Older devices with aging operating system versions have different vulnerabilities to newer devices (and manufacturers have much less incentive to patch old devices, too). As such, vulnerabilities appear unexpectedly, entirely dependent on the device.
Want to remove Android bloatware? You’ll have to complete an internet search for your “[your device] + remove bloatware.” There are simply too many phones out there for us to offer specific advice. As well as this, you’re probably going to need full root access to completely remove Android bloatware — a whole different set of issues. (Check out our guide if you’re unsure!)
iOS wins this round. Pre-installed apps are easy to uninstall (for the most part). The restrictive iOS platform offers better overall security than open-source Android.
Locking, PINs, Passwords
Next up, we’ll consider the options for locking your device using a PIN, password, or otherwise. Naturally, you’ll protect your smartphone with a password or alternative, but which operating system does it best?
The release of iOS 11 attracted a significant amount of interest. The new operating system granted users the opportunity to lock and unlock their device using only their face. The new-to-iOS tech, called FaceID, has already come under serious scrutiny. In fact, as I was penning this article, Vietnamese research team Bkav claimed to have cracked FaceID security using just a mask. The tech world is still waiting for further confirmation, but you should still watch the video below.
That said, this is fairly elaborate, and won’t affect you at the current time.
Further to FaceID, TouchID has featured on every iPhone since 2013 (bar the recent iPhone X). TouchID enables fingerprint unlocking for fast device access. TouchID is touted as the most secure iOS lock method but has also been compromised by enterprising hackers.
— Arjun Kharpal (@ArjunKharpal) February 24, 2016
TouchID has been compromised in other ways, too. Most hacks remain difficult and require direct access to a device or your hand. (Users can disable TouchID by pressing the power button quickly five times. This opens “emergency mode,” allowing a user to call 911 without fully unlocking the device.)
If you’re not using TouchID or FaceID, you’ll set a strong passcode. iOS passcode options are:
- Six-digit passcode
- Four-digit numeric code
- Custom numeric code (any number of digits)
- Custom alphanumeric code (any number of letters and digits)
When using a passcode, there is another option to consider: Erase Data. This option deletes all data on the device after ten failed passcode attempts. If this option is disabled, the device will need restoring in iTunes (after ten failed attempts).
Android offered facial unlocking technology before iOS, but has suffered the same issues. The Samsung Galaxy S8 face recognition lock was easily fooled by a photo. Check out the video below.
As with many things Android, your security options are somewhat specific to your device. For instance, my S8 features an iris scanner, but other recent devices from other manufacturers do not. Similarly, thumbprint scanners aren’t available with all devices.
For the most part, Android 8.0 users will have access to the following standard locking features:
- Swipe: No protection, stops apps opening in pocket
- Pattern: Low to medium protection, sometimes guessed from smears on the smartphone screen, cracking software exists
- PIN: Medium to high protection, up to 16 digits
- Password: Medium to high protection, up to 16 alphanumeric characters
The best option is combining security features, like a fingerprint scan with a PIN, and so on. That way if one barrier is broken down, there is always a backup.
However, Android being open source is a blessing and curse. Open-source software exists to crack Android pattern locks, usually doing so in less than five attempts. Furthermore, there are several methods for completely bypassing the standard lock-screen and entering the core of an Android device. Are you waiting for the plus side? There are numerous excellent additional Android security apps out there. You can easily bulk out your security for free. Furthermore, Android users can set Smart Lock areas. For instance, when you connect to your home Wi-Fi, your device will remain unlocked.
As with bloatware, the issues faced by Android devices directly relates to the manufacturer version. There is more than one occasion where a manufacturer developed version of Android is susceptible to PIN and password override issues while stock Android remains secure.
Locking, PINs, Passwords Results
A close section, but I think iOS 11 edges it. iOS 11 allows for unlimited alphanumeric password length. This means users can create lengthy passcodes like martyr silent blind towing wolves cask herd or rout axiom afire lanky sarcasm align therapy. These passcodes use 44 characters and will take an age to brute force. The following is an extremely relevant xkcd:
And while you can bulk out your Android security with apps that allow lengthy passcodes, it isn’t baked into the base functionality.
As mentioned above, combine security options to give yourself greater coverage.
App Store and Play Store Security
The Apple App Store and Google Play Store are where iOS and Android users download apps, respectively. Many apps feature in both stores, but that doesn’t make their security the same. The security approach of both app stores has aligned over recent years as both Apple and Google learn from one another (Google, particularly). But which app store has the best security?
iOS: App Store
The App Store has long been considered vastly more secure that is Android counterpart. Why? Because Apple tightly controls the development process for iOS. There are vastly more hoops to jump through, attracting a deeper appraisal and security process.
That’s not to say the App Store remains clear of security issues.
In 2015, Apple removed hundreds of apps infected with the XCodeGhost malware. And before that there was WireLurker, Masque Attack, and AceDeceiver, as well as underlying SSL issues (all are long fixed). At the time of writing, Apple is purging third-party apps that do not live up to their billing. This includes apps that include superfluous code, or that attempt to inject alternative ads after download. Furthermore, a recent Skycure report [PDF] exploring iOS hacking found iOS malware increasing quarterly.
Android: Play Store
The Google Play Store has more than a few malware issues. In fact, the numbers are startling. A recent study found some malicious apps with up to 4.2 million downloads. Security researchers at Check Point noted that even after Google removed the offending apps, new versions would appear, instantly attracting downloads.
Recently, Android users have contended with malware such as Xavier, Judy, ExpensiveWall, Googlian, Godless, and SonicSpy. A major bonus for malware developers is the sheer range of Android devices, many of them running severely outdated Android versions. These unpatched, vulnerable devices are the delightful low-hanging fruit for malware developers.
The Google response to ongoing malware issues hasn’t always been as swift as Android users would like. In 2017, however, Google introduced a number of measures to stop malware-infected apps proliferating. The biggest feature update was Google Play Protect, an app security suite that ensures your security in several ways, including scanning your device, verifying apps before download, and device tracking.
Android will always be under threat. As Windows users will attest, if you use the most popular operating system, you’re a potential target for malware.
Because anyone, anywhere can easily develop an Android app, the system is open to abuse. And boy do people abuse it. The Google Play Protect system isn’t incredibly difficult to game, either. Developers simply set the malicious aspect of their code to deploy on a time-switch or download the malicious code after the user installs a legitimate app.
App Store and Play Store Results
There is a clear winner here: iOS. Apple consistently strives to keep its App Store completely free of malware, reigning in the app development process and keep close tabs on those wishing to publish their apps. Google is making strides forward in protecting Android users. Unfortunately, the sheer number of devices running outdated and vulnerable versions of Android means this perpetual struggle must continue.
Bugs, Exploits, and Update Frequency
I’m not going to delve into this section as thoroughly as others. Simply put, iOS has fewer bugs and fewer exploits than Android. Update frequency is slightly more contentious.
When Apple updates iOS, they update the entire core: the apps, the dialer, Siri, and everything else in-between. Apple tends to support their devices for longer, too. However, once support for an iOS device ends, it is a more terminal affair. Older devices creak under the weight of newer iOS versions and cease to function.
On the other hand, an old Android device will not receive full updates, but will still function due to the huge range of app support for outdated versions. (This is a major Android selling point and a sure reason as to its global popularity.)
Malware and Ransomware Protection
We’ll consider malware and ransomware protection in our final section. We’ve looked at the App Store and Play Store, but how do the operating systems protect against direct threats?
Apple integrated iOS security from the ground-up. iOS has excellent sandboxing between apps and the operating system. This alone curtails (the few) vulnerabilities in its code, making iOS users extremely safe. Apple even went as far as removing a bunch of antivirus apps in 2015 because they were useless (to the point that they actually introduced vulnerabilities).
All apps are sandboxed, restricted from accessing files stored by other devices, or even making unprompted changes to an iDevice. iOS layers overall app security using code signing, runtime process analysis, and specialized extension support.
Give the iOS Security Guide [PDF] a read because it really is fascinating.
Android also features a high level of built-in security features. The Android Application Sandbox isolates app data and code execution, securing data between apps. And, like iOS, apps are restricted from communicating with one another.
There are, however, two major differences between iOS and Android. The first is user controlled app permissions. Malicious code can take advantage of the permissions for individual apps and abuse the system. The second relates to the nature of Android. As previously stated, Android is vastly more open than iOS. In turn, this means Android users are simply exposed to a wider range of malware.
For instance, Symantec report [PDF] that between 2014 and 2016 the number of new Android malware families decreased, but the overall number of variations increased.
Malware and Ransomware Protection Result
Both Android and iOS protect users using a sophisticated security layer system. Unfortunately, Android users encounter vastly more malware and ransomware due to the open nature of the operating system.
As such, iOS offers better protection against malware and ransomware.
Extra Security Features
Some users will consider these standard security features. But they are advanced for the majority of users.
Full Disk Encryption
Both Android and iOS users have access to full disk encryption. However, iOS users use full disk encryption by default, so long as they have a passcode turned on. Remember the huge spat between the U.S. government and Apple regarding the San Bernardino iPhone? That was because it was encrypted! iOS and Android full disk encryption is tied to system hardware, making private keys difficult to extract.
In the past, however, Android devices have been compromised, and there is a wider range of potential attack vectors for those devices.
Both iOS and Android have extensive integrated VPN support. Android has a wider range of customizable VPN solutions that work directly with the operating system.
In search of “true” privacy, some smartphone users remove their battery to strip their device of power. iOS devices are sealed — the battery is inaccessible. If this is a concern for you, consider Android devices on a manufacturer by manufacturer basis.
And the Winner Is?
Overall, iOS is the most secure mobile operating system. There are certainly ways to improve the security of an Android device vastly. But out of the box, iOS beats Android in almost every way.
Do you stick to iOS for its security? Or can Android be just as secure? What are your must have smartphone security features? Let us know in the comments below!