An in-depth look into Android vs. iOS, in terms of security and freedom


The battle of the duopoly [1]

 

Now, in this post I’m going to dive into the whole rabbit hole of benefits and problems surrounding the two dominant players in smartphones today - Android and iOS - and whether there are any solutions in sight. We’re going over this with a very fine comb, so be prepared to brace yourself - if you’re running short of time, don’t worry, I’ve put an (admittedly vague) conclusion at the end, but as you are about to see (as with many things), neither is perfect.

As a disclaimer before we start - due to my perhaps soft heart for open source (although I’d think you would agree is definitely beneficial for all), I do lean towards Android, but the irony is that I still begrudgingly use iOS devices - you’ll probably see why but I’ll explain at the end anyway.

iOS

Let’s start with iOS. To give credit to Apple, because they control all the hardware and software, they will keep providing all security patches for your device - but only if you are running the latest major iOS version. If you are not, you don’t need to worry too much, but Apple will only provide updates for severe vulnerabilities (such as against exploits in Safari) for iOS versions near to the latest one. In a sense, you might be more vulnerable if you are on much lower iOS versions (as Apple will probably presume most people use the latest version for their device and not care to backport fixes too far), but upgrading might cause you to lose performance and the “stronger” jailbreaks (such as those that use untethered exploits).[2]

However, this control, although opinions may vary on this, comes at a cost in freedom. Non-jailbroken iPhones can only download software from Apple’s curated App Store - a “walled garden” in a sense (there’s a nice explanation applying this analogy on Reddit). Of course, the reasoning for this is so Apple can check apps are safe before offering them to users (instead of you checking them yourself as on Windows or Android[3]), and although the App Store does contain quite a lot of software, there is a perception that Apple also uses this control to reject apps that they don’t like. For instance, you cannot easily get software like emulators on iOS (on Android, you can simply sideload them, and Google seemingly does allow them on its Play Store, such as RetroArch). Apple has faced criticism over its treatment of third-party developers from companies such as Valve, Basecamp and, most famously, Epic Games, whose lawsuit brought a massive amount of revelations, shedding light on Apple and even other notable companies in the technology and game industries as a whole.

 

Epic parodied Apple's famous 1984 advert as it filed its lawsuit, alleging Apple holds a monopolistic position over its App Store.[4]

 

I’d also point out that unlike Android[5], you cannot use custom ROMs or other operating systems on iOS devices. This is because Apple employs a chain of trust as a security measure during booting that ensures each successive stage that runs is signed only by them.[6] The very first stage is written directly to the ROM chip (Bootrom), so it cannot be modified.[7] In theory, you could boot another OS using a semi-tethered exploit such as checkra1n (but as the name implies, you need to have the iPhone connected to a computer to exploit it while it is booting, which is quite inconvenient). [8] [9]
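To make the chain of trust concrete, here is a toy model added for illustration; it is not Apple's implementation or code from any project mentioned in this post. It assumes Lamport one-time signatures as a standard-library stand-in for the real signature scheme, and the stage contents and function names are constructed.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signatures: a stdlib-only stand-in for the vendor's
# real signature scheme (an assumption made for this example).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits))

def fingerprint(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))

def build_chain(stage_code):
    """Vendor side: sign every stage; each signed image pins the next stage's key."""
    keys = [keygen() for _ in stage_code]
    images = []
    for i, code in enumerate(stage_code):
        # Fixed 32-byte field, zeroed for the last stage, so framing is unambiguous.
        next_fp = fingerprint(keys[i + 1][1]) if i + 1 < len(keys) else bytes(32)
        images.append({"code": code, "next_fp": next_fp, "pk": keys[i][1],
                       "sig": sign(keys[i][0], next_fp + code)})
    return fingerprint(keys[0][1]), images  # first value is what gets burned into ROM

def boot(rom_fp: bytes, images):
    """Device side: run stages in order, halting at the first one that fails."""
    trusted_fp, ran = rom_fp, []
    for i, img in enumerate(images):
        if fingerprint(img["pk"]) != trusted_fp:
            return ran, f"stage {i}: key not trusted"
        if not verify(img["pk"], img["next_fp"] + img["code"], img["sig"]):
            return ran, f"stage {i}: bad signature"
        ran.append(i)                 # stage i is now allowed to execute
        trusted_fp = img["next_fp"]   # and it authorises the next stage's key
    return ran, "booted"

if __name__ == "__main__":
    rom_fp, images = build_chain([b"stage1", b"stage2", b"kernel"])  # constructed sample
    print(boot(rom_fp, images))
    modified = [images[0], dict(images[1], code=b"custom"), images[2]]
    print(boot(rom_fp, modified))
```

Because `rom_fp` never changes after manufacture, every later stage is only as trustworthy as the code that checks it, which is why a flaw in the ROM stage itself cannot be fixed by a software update.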

In response to iOS’s walled garden, a lot of users “break out of this jail” using community-developed jailbreak exploits. Jailbreaking is certainly legal, at least in the US,[10] despite Apple’s resentment of jailbreaking (and continuous cat-and-mouse patching with each new version), and it does allow you to have more freedom and control over your device, like those who use Android.

There are some, like Apple, that say jailbreaking is a potential security risk. I do agree that if you remain on lower iOS versions[11], you might be more susceptible to vulnerabilities that would have been patched (although there wouldn’t be that many), and perhaps there is some debate over the quality of some jailbreak exploits (although to be honest I don’t think they would weaken the device to remote exploits at all, and jailbreak authors are simply trying their best to get around iOS’s security measures). Still, it seems the only real risk of jailbreaking is that it allows the user to install untrusted software, and that in itself isn’t really an issue with jailbreaking but more on the user to be wary of what they install (especially from piracy or “cracked” repositories), just like on Windows and Android.

It’s also prudent to acknowledge government-backed tools such as the Pegasus spyware, which has been receiving considerable press coverage recently.[12] iOS is closed source, which means third-party researchers find it harder to find and report security issues. Google’s Project Zero has criticised Apple for being less accommodating to researchers and lax on iOS security in general. It’s debatable, but it is concerning that Apple’s BlastDoor service in iOS 14, designed to protect against the zero-day iMessage exploits Pegasus was using in iOS 13, clearly isn’t working, since Pegasus can still infect a fully updated iPhone on iOS 14.6. Then again, given the difficulty and cost of finding or obtaining these zero-day exploits, it’s probably not a concern for the average user. But in the end, such incidents are leading to a general shift in opinion: that Android may actually be slightly more secure than iOS (although you'll see the catch with this later).

Android

Android, on the other hand, is much more open. Android itself is an open-source project licensed under the permissive Apache License, and is bundled with the Linux kernel where Google’s patches to it are under GPL.[13] This means that anyone, particularly those in the cybersecurity industry, can readily look and examine the code for security issues and other problems, and even contribute to Android themselves.[14]

A lot of people consider Android to be insecure, but this seems to be a common misconception. Android, unlike iOS, simply allows you to download and install (“sideload”) random apps from anywhere (usually once you’ve enabled a setting first). Admittedly, some malicious apps have been found on Google’s Play Store, but even Google can’t validate them all (and neither can Apple), so the user should probably treat lesser-known applications with caution before installing them (as on Windows and other platforms). Sandboxing measures in both iOS and Android should reduce the impact (though as we’ve seen with Pegasus and self-root/semi-untethered jailbreaking apps, these can be bypassed through vulnerabilities), and both iOS and Android have measures to monitor and remotely remove malware from your phone - as seen with Google doing so with the Pegasus version on Android which they nicknamed “Chrysaor”.[15]

Being a more open platform brings many other benefits as well, which I’ll list here in comparison to iOS:

And finally I should mention (although you can probably guess), Google happily gives the code away to all kinds of manufacturers such as Samsung, OnePlus, Sony etc. to use as long as they are part of Google’s Open Handset Alliance (and even those who don’t want to join, such as Amazon, can still use Android due to its open-source license for their devices).

Now, you’re probably wondering, what’s the catch? Fragmentation is the catch, my friend.

Now, I would like to emphasise, fragmentation is not inherently a bad thing. The wide variety of Android devices is really a strength of the ecosystem that gives users more choice. The ability for different companies to produce phones offers opportunities to them to produce innovative features and differentiate their brands (which would be more sluggishly adopted by Apple's more consistent but concentrated and monolithic approach due to them being heavily vertically integrated).

In comparison to Android, Microsoft has somehow handled fragmentation incredibly well over the several-decade-long PC market[17], such that we've managed to get a single operating system to boot across thousands of variations of hardware thanks to a standardised BIOS. Unfortunately, that doesn’t exist on ARM.[18] Fragmentation is probably the reason that Android is the most installed OS of all time, but the way fragmentation is handled in Android does lead to severe problems with updates (more importantly security ones).

Basically, for Android, Google hands the code through like 5 different companies who all modify it so it runs on the final device. So, essentially, there are probably hundreds if not thousands of forks of Linux (with proprietary binary drivers etc.), one for each individual Android device. Passing updates, such as security ones, through that chain will be slow, and worst of all, when one of those companies decides it is no longer financially viable to support your device, updates will completely stop. There are an estimated one billion Android devices vulnerable to publicly known exploits such as KRACK, Dirty COW and Stagefright (and almost certainly dozens of vulnerabilities in default web browsers on the device and other programs). I mean, in theory, if you’re extremely careful, you might be okay, but it’s like walking on eggshells, and it’s much better if you get a new phone immediately.[19]

Google is trying to improve the situation with things like Project Treble, although some do criticise that the kernel and firmware do not receive any further updates, and that older devices (unless supported by the community) never get the chance to experience Project Treble. Still, it is bringing out faster updates for certain phones (for at least the OS component) and now has brought generic custom ROMs that work with many devices, which is nice.

Linux on smartphones?

To note, Android phones do have the ability to use custom ROMs like LineageOS (it depends on the phone in general, although Google and OnePlus phones tend to have the best support apparently), but the ideal solution for supporting running Linux would be if all Android OEMs[20] release the source code for the drivers on their phones,[21] but of course all(?) of them do not.[22] The good news is that there is a community project called postmarketOS which is seeking to bring mainline Linux to old devices and therefore fix the Android longevity problem, among others.

Personally, to be honest, I don’t mind sacrificing the higher quality (although it is subjective) that comes with iOS or Android for the true Linux freedom on a device - the only issue is that support varies phone by phone, and even the PinePhone, which is made to support mainline Linux, isn’t up to the reliability of Android and iOS phones. I’m not sure if it is down to either the hardware (as this Reddit comment and this other Reddit comment seem to imply) or the software (as this review seems to suggest). Nonetheless, it is very encouraging to see a community that is aware of the issues facing iOS and Android today trying to provide the ideal solution.

Conclusion (tl;dr)

In the end, though, it is up to you. It seems possible that Android is slightly more secure (and certainly more open) than iOS due to the former’s open source nature, but sadly, much of this is negated by the poorer flow of updates received on most Android phones. It’s exactly why I use iOS[23], because wherever I look, it seems unfortunate that Android phones (even those reaching $1,000 and those being supported by Google directly) only get at least two years of updates, which pales in comparison to iOS devices reaching around six years (such as those released in around 2015/2016 still receiving updates today).

If you want something usable and reliable (more importantly, in calling and texting) at the present, you’ll have to pick between iOS (less freedom[24] and more expensive but with longer update support) or Android (more freedom and cheaper but with shorter update support). Linux-based community efforts are encouraging, but they are not usable yet as a daily driver for most people (but hopefully they will be one day).


  1. "iPhone vs Android" by NRKbeta / Marius Arnesen (licensed under CC BY-SA 3.0 NO)

  2. By the way, if you did want to downgrade your old iOS device for jailbreaking purposes, there is a tool on GitHub to do so.

  3. On how to actually check them yourself, I’ll probably write another post about that - but basically, you can use websites such as VirusTotal. Note they’re not perfect - they might give false positives, or sometimes even give a clean result even if what you’re scanning is malware, but it’s a good rule of thumb anyway.

  4. This whole battle of the Tims (lol) is kind of dripping in irony. Arguably, this video is a clever move by Epic, as it reframes Apple into the position it believed IBM were in 1984. And in some "ironyception", the trial's ruling (on page 23) reveals Epic planned to push this as part of a "pre-planned, and blistering, marketing campaign" that would convince the public that they were "benevolent" and that "at the same time make Apple out to be the bad guys". It's hard to state how much this trial revealed - if you want to read more I suggest this article by the Verge which uncovers some points in emails brought up during the trial, and of course if you somehow have time you can read the full 185 page ruling here (although most press articles have summarised some main points and conclusions from that). Interestingly as well, the NSA also made the same comparison as Epic privately, although perhaps for different reasons.

  5. Well, it’s easier on some Android devices than others, but definitely not near-impossible like on iOS devices.

  6. Fun fact: this is why you need to re-sign apps every week on newer jailbroken devices, because Apple utilises signing everywhere for software on iOS (more specifically, jailbreakers utilise development certificates to get around these signing measures, which is why they expire after a week). There are tools such as AppSync Unified and AltStore that negotiate around this in a way, but you can see it is more cumbersome than Android.

  7. Nice thing however is that even Apple can’t modify it, so jailbreak exploits from it such as the famous checkm8 cannot be patched.

  8. I’d like to point out there is this awesome open source virtual machine app called UTM that allows you to run virtual machines with OSs such as Linux distributions or even Windows itself on iOS, but unfortunately for me it only supports iOS 11 and above, so much like older Android devices and their updates my older iPad 3 will never see it :(

  9. Also, another thought - I wonder, if you have an untethered jailbreak, whether you could boot into another OS from perhaps a partition on the device? It wouldn’t be perfect as you would have to boot into iOS first anyway, which is annoying, but would it be possible? It feels similar in vein to asking whether it would be possible to switch execution and boot into a Linux distro while Windows is running (perhaps by killing off Windows processes). If I had more experience I would try it, but I wonder if it is possible.

  10. To be honest, I’m more amazed Apple somehow hasn’t taken legal action against Cydia for selling paid iOS apps and tweaks outside the App Store, given that Apple is quite willing to take legal action against companies for issues such as source code leaks and iOS virtual machines, and Apple would certainly be aware of Cydia’s existence if not before by its own lawsuit against the perceived iOS monopoly. Perhaps paid iOS “homebrew” is legal?

  11. I believe updating is possible if you are jailbroken, although you have to wait for a jailbreak for the updated iOS version if there isn’t one available (since semi-untethered jailbreaks do not survive a reboot).

  12. If you are interested in reading more about Pegasus, Citizen Lab (who discovered it in 2016) has some excellent articles on it and the people affected. There’s also this Reddit comment which I found gives a nice balanced and wide overview surrounding the nature and origin of these tools.

  13. If you’re confused by how Google is allowed to do this, my understanding is that Android is a program that runs on top of the Linux kernel and is not combined with it - there’s a GPL exception in the Linux kernel for the syscall interface anyway. There are a lot of legal proprietary applications that run on Linux, such as Steam and Microsoft Teams, so in a sense Android is legal.

  14. Some argue that the source code being public means that it is easier to find vulnerabilities in Android, but in my opinion that’s a good thing, because they can be patched quickly. The security of an operating system should never depend on its code being private - trying to do this is called “security through obscurity” - and it seems unanimously people agree it is a bad idea, as exemplified by open source projects such as Debian.

  15. You can also see Google’s willingness to embrace third-party security researchers more readily than Apple, given that they have uploaded Chrysaor binaries to VirusTotal (at the bottom of the post). They even notified those who had been affected, unlike Apple.

  16. Almost certainly, at least, because in a similar vein to default software repositories on Linux distributions all the applications have open source code, so they can be checked by others and built into binaries on the servers themselves.

  17. What’s more amusing to me is that this all started because everyone was cloning IBM’s PC, so it seems entirely accidental.

  18. To be honest I don’t know if it can be conjured into being, perhaps Google should strong arm OEMs into supporting UEFI.

  19. You can see this isn’t good for e-waste either. Some would also point to the slowing down of iPhones with newer software updates, but at least they last for longer in theory: iOS devices seem to last around 6 years, while Android devices such as those from Google may reach 2 years if you are lucky.

  20. I guess blame could be placed on OEMs for heavily customising Android for their devices (in the sense that they burden themselves to maintain their forks more rather than using features present in “mainline” Android/the Linux kernel), but some are also shifting some blame onto Google in the same vein.

  21. And also if there was some standardised BIOS/UEFI for ARM like on PCs, but maybe that’s asking too much.

  22. Fun fact: given that Android uses the Linux kernel, and that the Linux kernel is licensed under GPL, in theory you can legally ask your Android OEM to give you the source code for the kernel because they obviously distribute the kernel as part of the phone.

  23. Funnily enough, since I brought up the Epic Games trial here, Tim Sweeney, the CEO who is leading this "crusade" (as Judge Rogers put it in the ruling) against Apple, uses an iPhone himself as well. From the ruling - "Mr. Sweeney himself owns an iPhone in part because of its better security and privacy than Android." (on p.110) and "Mr. Sweeney, an iPhone user himself, admitted that he found Apple’s approach to privacy and customer data security superior to Google’s approach to customer privacy and customer data." (on p.45). It's rather funny, and I've also realised from this (although it's probably obvious) that selling devices is more important business-wise for Apple than it is for Google (which obtains most of its revenue from advertising), which may explain why Android is in a more "dire" state.

  24. Of course, as mentioned, you can jailbreak, but as Android is more accommodating to openness in general it is considerably better in this regard, such as in terms of the amount of possible software.