There is great debate in the industry as to whether iOS or Android provides the most secure mobile device. In all my conversations with security pros, most, if not all, believe Apple’s iOS to be inherently more secure than the Google-built Android. This recent article spells out a number of strengths iOS has over Android in the area of privacy, such as Apple’s new feature in which users can stop apps from tracking them. In the article, the author states: “When it comes to privacy, Google and Apple are almost on extreme opposite ends.”
However, a new study begs to differ; a report from research firm Omdia caught my attention. The key finding is that the Google Pixel 6 running Android 12 is significantly more secure than the Apple iPhone 12 Pro running iOS 15. There are comparisons to two other Android-based phones: the Samsung Galaxy S21 Ultra and the Xiaomi Mi 11 5G. The report scored each vendor on nine different factors and weighted them in order of importance. The Google Pixel 6 achieved a perfect score of 5.4, while Apple was fourth at 4.03. The weighting turned out to be irrelevant because of the Pixel 6’s perfect score.
Since I had always believed Apple to have better security by a wide margin, I thought it was worth diving into this report and understanding the criteria. One interesting point is that I had always looked at iOS versus Android software; this report did its analysis at the device level, meaning a mix of hardware and software.
After reading through the report, I found several questionable points that I felt were worth raising. They are:
The most questionable fact about the report is that Google, the manufacturer of the Pixel phones, was the sponsor of a report in which it gained a perfect score. It’s essentially saying the Google Pixel 6 is a perfect device with respect to security, and that’s just not true, because any device can be breached. Google has been issuing security patches for the phone, indicating there were at least a few issues. Not all sponsored research is bad, but when coupled with a perfect ranking, it makes one wonder.
The weighting of the security criteria is done by asking consumers to rank the importance of the nine features. While the report does not explicitly say this, I believe the 1,520 respondents were asked to pick their top three, because the total percentage adds up to 300%. In my opinion, this is a questionable way to do it, because the average end-user is not a security expert. This would be akin to asking a person on the street what safety features are most important in an airplane. I fly a lot, but I have no idea of the relative importance of each feature. The survey should have used a panel of security professionals.
The scoring was also flawed: the score in each section was derived from counting the number of features rather than from how well the device met the objective of the category. A good way to think about this is that it counted “tick boxes” rather than how well those features worked. It’s certainly not the most effective way to score, and I’ll elaborate below.
Identity protection: This was the top-ranked feature by users, but the methodology was completely botched. Google scored highest because it had the most identity options, which makes sense because it’s tied to one’s Gmail account. Users can choose between one-time passwords, FIDO, push notifications, and others, whereas Apple has only two-factor, so Google got the highest score. What’s not told here is that Apple iCloud is the largest and one of the most, if not the most, successful deployments of two-factor security in the industry. With identity, more isn’t always better. Apple also does some interesting things when users have multiple devices; for example, it will inform you if you’re logging into your Mac in San Jose while your phone has just been authenticated in Russia.
Security updates: The report takes a curious approach to security updates. One of the criteria is how long the vendor commits to providing security updates. It gives Google Pixel 6 a perfect score as it commits to what it calls “a solid five years’ security update period,” which is the longest of all vendors tested. It grades Apple more harshly because it does not document how long the support period is but then states “Apple devices tend to receive five to six years of support.” It also rewards Google for enabling upgrades via the Google Play store and refers to Apple’s methodology as “monolithic” but doesn’t define what that means. The fact is Apple does have a proven track record of providing updates to over a billion devices in less than a week when it is required to do so, and isn’t that the most important thing?
Anti-malware: The fact that Apple has a lower score here than the three Android phones actually made me laugh. The report states: “While Samsung, Google, and Xiaomi have anti-malware solutions built into their devices to protect and detect malicious software, Apple is lacking here.” The reason Apple does not have on-device anti-malware is that it offers App Store and ecosystem protection, whereas Google does not. Also, to many users’ chagrin, Apple does not allow for apps to be side-loaded, so there can be no “back-door” malware. This report from Panda Security stated that Android devices are responsible for 47% of all observed malware compared to less than 1% for iPhones. This becomes a vicious circle; threat actors will often target Android first because breaches are easier, adding to the Android problem.
Lost devices: The report gives both Apple and Google Pixel top marks for having a web-based tool and mobile app to locate, trigger, lock, and wipe the device if it’s lost or stolen. What’s omitted is that iPhone supports the finding of offline (and even powered-off) devices, whereas Pixel must be powered on and connected to Wi-Fi or cellular.
Physical access control: Here is another area where Apple and Google Pixel 6 each received full marks, but they would not both have been ranked that highly if effectiveness had been assessed instead of simply the presence of the feature. The iPhone 13 Face ID has a 1:1 million false acceptance rate (FAR), while the Pixel 6 has a 1:50,000 FAR. Also, there have been many reports of the Pixel 6 having a slow fingerprint scanner.
I can make similar arguments for secure backups, hardware security, and network security, where Apple is as good as or better than Google Pixel 6. The one section I did feel was accurate was anti-phishing, although the write-up was somewhat misleading. Safari uses Google Safe Browsing, but the report fails to mention that. The Pixel 6 does have an on-device anti-phishing warning system, which the iPhone does not have. Oddly enough, the one area where Google does have a clear win over Apple is ranked very low on the importance scale.
The net result is that, after reading the report, I would have ranked Apple as good as or better than Google Pixel 6 had effectiveness been used instead of counting sub-features. In this case, Apple is being penalized for having solid features. This is akin to ranking a car whose brakes are known to fail as safer, because it also has a parachute to stop it, than a car whose brakes never fail.