I’ve always heard that iOS is more secure than Android but a huge part of that is updates and patches. So my question is a phone with regular updates like the Pixel or Essential Phone even close to the iPhone’s security?
Yes, in general, it is.
It gives the user less control, and users are generally stupid and unable to be trusted with security their device. I include myself in that statement - malware these days is pretty advanced. Even as a “power user” or non-clueless person, sufficiently advanced malware is difficult to detect by judgement call. Relying on human judgement on whether to run something, visit a site, etc. is far less reliable than just blocking the code from running in the first place (unless it is code-signed and vetted via the store, etc.), sandboxing it effectively, etc.
All applications are fully sandboxed.
The iOS app store is more heavily vetted as well.
A telco report i was given a couple of years ago indicated that 90% of all mobile malware targeted android (exclusively).
Yes, there are flaws in iOS just like any other software, but these are patched as they are uncovered. The architecture and design of it is IMHO more forward looking and security conscious than the Android platform.
Make of that what you will, but for me, i run iOS because I am willing to trade flexibility for security. I don’t “need” to do a lot of the stuff on my phone that Android proponents will claim they “need” to do and thus iOS is not viable for them.
Both ios and android apps are sandboxed. But once rooted/jailbroken, I believe, Android and ios apps loose their ability to be sandboxed.
As thro said, the reason why ios ( and android ) are more secure, is because of less control give to the user and because of sandboxing.
Just to go a little off topic, the same goes for Chrome OS. Chrome OS also has sandboxing, and it also is limited to what it can do. Which is why it is being marketed as a safer alternative to Windows at schools and businesses.
Depends on if you see companies as a threat. There is no way on iOS to hide from Apple. Android does exist without Google, LineageOS for example.
you mean to say you would use android without any google services?
That is what I do, yes.
One reason for Android being less secure than iOS is Android’s fragmentation. This is still a huge problem, even with Treble. This enables malware developers to target and exploit known vulnerabilities, while on iOS it can me assumed that users are using the newest version of iOS.
Also, according to some statistics site Android holds roughly 70% market share, while iOS holds the remaining 30%. This makes Android a more interesting target to begin with, since more potential targets exist.
As @thro already mentioned, the iOS store is more heavily vetted than the Play Store, where malware surfaces again and again.
That being said, Google has made many improvements concerning Android’s securitiy (SE Linux) and addressed the fragmentation problem (Treble).
Another thing in iOS’ favour is that it doesn’t have to support different hardware on different devices. Hence, the update and upgrade process is faster, than Google’s.
@Goalkeeper Why would they lose the ability to be sandboxed? Ofc
root can be more easily exploited, but there is still SE Linux for instance.
For the regular user, you can help yourself by buying wisely. Make sure the phone you are getting is going to receive timely updates. For Android, that’s Pixel or AndroidOne device. Personally, I have a Nokia 7 plus that is part of the AndroidOne scheme.
I see this sentiment a lot, and I understand it, but in a lot of cases, the person opts for an Android phone over an iPhone which makes no sense to me. You really have to go all the way and run LineageOS or equivalent (as @noenken has wisely done) , otherwise you are worse off with Google.
It’s also funny to see how batterylife improves by like 300-500% just by getting rid of all the services that are mostly tracking you. In standby my craptastic G4 Play runs out of power after a week because I forget to charge it.
That’s sweet, are you using the f-droid store? Is there Signal on it?
I do use F-Droid, yes. But I also use other third party apps that are not open source. Like the Amazon app store, Spotify and Threema for chatting.
Probably because it’s made by Apple but it’s only secure against hackers, not Apple, we know very well they backdoor but so does Google.
^^ Good point and it’s true. I personally prefer Replicant but jeez, take a look at Purism and the Librem 5.
I would say that’s a bit hyperbolic. We can suspect back doors but to my knowledge there is not incontrovertible evidence. I think realistically, the concern is with data mining, careless handling of anonymization and that sort of thing (which are well documented).
Kind of a hot take, maybe, but I believe that non-free (proprietary, non-libre) software is inherently insecure. It could hide malware/spyware, it could have unfound bugs due to less eyes on the code and less auditing.
There’s a fork of Signal on F-Droid called Silence, but Signal itself isn’t on there. They don’t exactly work together either. You’d have to get your friends to switch over to Silence. A better alternative to these might be avoiding SMS for communication and using something more secure such as Matrix. Purism seems to be using Matrix as the primary way to chat on the Librem 5 they’re working on. It actually seems like a good idea. It’s free software, decentralized, and federates (like email). Plus, outside of the US, a lot of people are using alternatives to SMS, such as how popular Whatsapp is in Europe.
Signal does not use SMS for communication, at least not when both parties are using Signal. It is more or less similiar to WhatsApp in that regard.
Define secure, what is an acceptable degree of increased security and how secure do you want to be?
What do you want to protect yourself from?
Automated drive-by exploit malware, automated phishing, scammers, script kiddies, Purse & wallet thieves, carders & gangs, blanket surveillance, targeted surveillance & malware, private investigators, skilled hackers, gangs, the mafia, nation state agents?
Any OS and the services you use are only as secure as the user and/or the person that set it up and use it.
Doesn’t matter how locked down it is, If I get you to click the phishing link it’s owned. You can be phished via signal or PGP encrypted e-mail if preferred.
If I convince a salesperson at your telco to give me access to your phone account. Bingo.
*Shockingly easy with most telco's*
If I get to someone at the company hosting any of the services you use (e-mail, messaging etc), you’re owned.
If I get a copy of your emails from the email provider… Guess what.
If I co-opt the baseband chip or the simcard on your phone to run malicious code. Same as before.
Run cellular surveillance at city scale.
If someone steals your phone at gunpoint forcing you to remove all locks, you could be hurt and owned or worse.
If I get to your workstation where you plug in your phone and install a script that modifies your phone?
If I get the active directory server in a company it doesn’t matter how secure the individual workstations are.
If I can target someone else close to you or in your family I can use them to get to you. In person or otherwise. Their device can also be used to pivot into your network to your device.
Think like a blackhat, actually no, be an absolute psychopathic asshole. Like someone that wants to make money from this. That sees you as their paycheck.
Or alternatively someone that is convinced they are doing the right thing, someone working in law enforcement, who does this as a job. Who is convinced that you are a criminal.
The software & hardware security of your devices is just one part of the security equation, they are not the end goal, but a means to an end.
You and your assets are the real target. That’s what the bad guys are after.
In security, All Roads Lead to Rome - there are many ways that can lead to a result.
With a competent technical user iOS, Android, Mac OS X, Linux, Windows, FreeBSD can try to protect you from the first 3.5 types of security threats I mentioned. The rest… that’s all on the user and how they conduct themselves. But even then there’s nothing you can do about most targeted threats.
For an average person most the security protections break down to malleable unknown state. Many people are easily fooled by basic phishing and scammers. And ignore security warnings designed to protect them in order to get to what they want.
In this regard, for device and os security it’s a level playing field.
The question you where originally asking really is then: are you yourself more secure with an iOS device or with another device? What technologies do they offer that you can use to better protect yourself from a specific threat?
Ultimately you are protecting yourself and your assets, not the device. You must decide what features they offer that can enable you to better reach that goal.
Couldn’t sum it up better if my life depended on it.
It really is all about deciding what “convenience” features you use.
I’ve always felt that security is the anthesis of convenience, but necessary.