In the past, it’s been generally accepted that iOS easily outperforms Android when it comes to matters of security – and in the past, that has been absolutely accurate. Apple’s closed operating system combined with their strict policies on third-party apps, regular update schedule, and regular commitment to protecting the privacy of their customers has led to an extremely secure environment for iPhone users. The Android operating system, by contrast, operates in a very ‘open’ manner. While the ‘open’ OS allows its users the plethora of customization options that they so often brag about, it also allows for a much less secure environment. On top of that, the fact that Android phones and tablets account for around 70% of the market share vs. the roughly 25% that iOS devices account for, explains why those designing viruses and malware typically target Android devices instead of iOS devices.
That said, mobile security is constantly evolving. The security on the iPhone 7 is the best that Apple has ever designed, and Google has taken huge steps to beef up the security of its Pixel devices. The security gap between the two is closer than you might think – let’s take a look at how they compare.
iPhone 7 vs. Google Pixel – Prevention of Malicious Access
Apple’s dedication to user privacy made worldwide news this past February when the FBI demanded that Apple “unlock” the iPhone 5c of Syed Rizwan Farook, a terrorist responsible for a mass shooting in San Bernardino, California in December of 2015. Apple opposed the FBI’s demands, with CEO Tim Cook proclaiming in a public memo that FBI’s court order “has implications far beyond the legal case at hand,” and could set a dangerous precedent that could “undermine the very freedoms and liberty our government is meant to protect.” When all was said and done, it took the FBI nearly two months to gain access to the phone, and although their method was never made public, many suspect that they took advantage of a security flaw on the phone’s outdated operating system that had already been patched with the release of iOS 9.
Gaining access to a locked iPhone is notoriously difficult. With the release of the iPhone 5s, Apple began featuring a security measure called the “Secure Enclave” – “a sub-section of the processor chip that stores the fingerprints and other security-critical data,” as MacWorld described it. Security expert Mike Ash clarified the Secure Enclave, adding that it “uses a secure boot system to ensure that the code it runs can’t be modified… and uses encrypted memory to ensure that the rest of the system can’t read or tamper with its data. This effectively forms a little computer within the computer that’s difficult to attack.” Had the San Bernardino shooter’s phone been an iPhone 5s instead of a 5c, there’s a good chance that the FBI (and even Apple themselves) would never have been able to gain access to it thanks to the Secure Enclave.
On the user end, Apple has bolstered the iPhone unlocking process (especially using Touch ID) with a number of security measures, many of which require the user to enter their four to six-digit passcode – the passcode must be entered to register a new fingerprint with Touch ID, after a device is rebooted or power cycled, if a lock command is issued from Find My Phone, after 5 unsuccessful login attempts, if the device hasn’t been unlocked in 48 hours, and/or if the device hasn’t been unlocked using a passcode in 6 days and hasn’t been unlocked with Touch ID in over eight hours. The passcode itself is very hard to crack – a four digit passcode has 10,000 possible combinations, and a six-digit passcode has 1,000,000. And incorrect combinations lead to a waiting time before more combinations are attempted – phones are locked down for 15 minutes after 8 incorrect passcode attempts, an hour after nine, another hour after 10, and an eleventh incorrect passcode completely erases all of the data on the device.
With the release of Android 7.0 Nougat, currently only available on the Pixel line and a handful of other manufacturers latest flagship phones, Google introduced a host of new security features making phones running the latest Android OS tougher to access – many of which seem to be almost direct copies of security measures Apple introduced in previous versions of iOS. With the release of Nougat, Google took advantage of the technology that Apple’s Secure Enclave is based on – ARM TrustZone. According to Google’s Security Blog, TrustZone provides “a means to execute code in a mode that remains secure even if the kernel is compromised… Starting in Android Nougat, all disk encryption keys are stored encrypted with keys held by TrustZone software.” The introduction of TrustZone is a huge step forward for Android device security.
Google has added several security measures to the unlocking process, as well. Like many other Android devices, the Pixel allows users to choose how secure they want their device. Users can choose to unlock with a PIN code, a password, a pattern on the screen, via the Pixel’s fingerprint scanner, known as the Pixel Imprint, or for those that don’t care to secure their device, via a simple swipe. However, according to Google, with Android 7.0 Nougat, TrustZone now “enforces a waiting period between incorrect guesses at the user credential, which gets longer after a sequence of wrong guesses” – a feature Apple has enforced for some time now. Google claims that “With 1624 valid four-point patterns and TrustZone’s ever-growing waiting period, trying all patterns would take more than four years. This improves security for all users, especially those who have a shorter and more easily guessed pattern, PIN, or password.”
With Google’s recent additions to Android’s security measures, what has historically been a weakness for Android is now growing into a strength.
iPhone 7 vs. Google Pixel – App Security
Yet another classic knock on the security of Android phones concerns the safety/integrity of their apps – or how likely they are to be infected by viruses or malware. As discussed previously, much of the malware that is written is done so for the Android operating system – partly because of the fact that Android accounts for a larger market share of the smartphone and tablet market, but also because the rules surrounding apps are much looser in the Android ecosystem. Although apps downloaded directly from the Google Play Store are likely very safe, Android phones and tablets still allow users to install possibly tainted apps from third-party sources, such as from Amazon or a number of shady websites across the web. Although Android does its best to warn its users about the dangers of installing apps from third-party sources, many users fail to heed these warnings and pay the price because of it.
By contrast, Apple is notoriously strict with their App Store policies. iPhone, iPad, and iPod Touch users can only install apps directly from the official App Store. On top of that, as Digital Guardian explains, “Apps in the App Store have to be signed by an identified developer, and Apple tracks those developers and the apps they sign meticulously.” Although malware attacks on iOS apps aren’t completely unheard of – the XcodeGhost attacks from September of 2015 ring a bell – they are very rare, and Apple works meticulously to clean them up as soon as possible.
It may not be fair to say that the Google Pixel line is more vulnerable to malware – Google’s beefed up security efforts do make the phone quite secure – but the freedom of the Android platform gives users the ability to download malware themselves, which makes a malware attack much more likely on an Android device than on an iOS one.
iPhone 7 vs. Google Pixel – Security Updates
When Apple releases a new version of iOS, it is pushed out to every compatible iOS device immediately. Users are often excited about these updates due to the promise of new features for their phones and tablets, but the security and bug patches included in these updates are far more important. This is another area where Android’s fragmentation creates a security flaw for its ecosystem – as Digital Guardian points out, carriers such as Verizon or Sprint are responsible for releasing security updates for Android to their own users, and most of those carriers push them out at highly irregular intervals, if at all.” Add to that the fact that each manufacturer pushes out Android updates at different times, and many Android users don’t even bother with updating the firmware on their phones. According to cloud-based access security provider Duo Security, up to 90% of Android devices currently in use are running out-of-date versions of the Android operating system – although the latest Android operating systems have patched thousands of threats and backdoors, many users are still vulnerable to them due to the fact that they are running outdated firmware.
Although Google has worked hard to address the inconsistency in update availability – in August of 2015 Google made monthly security updates available to the Android OS. Unfortunately, however, these updates are pushed out to devices at the discretion of carriers and manufacturers – some, like Samsung and LG, have committed to making these updates available to their users, yet others, like Motorola, have not. The good news for Pixel owners is that they bypass all of this red-tape and fragmentation. Pixel owners will receive the most up-to-date version of Android as soon as it becomes available, and thus will experience the best security Google has to offer.
While it has been true in the past that the iPhone has been, generally speaking, a much more secure device than Android phones, that’s not necessarily the truth today. Android security has come a long way, and Pixel owners gain the benefit of all of Google’s hard work when it comes to phone security. Users who aren’t careless with their device will receive top-notch security from either the iPhone 7 or the Google Pixel.