Android users don’t have many things they can point to when it comes to security advantages over iPhone users. The iOS platform is considered significantly safer and more resistant to attack than Android, as are the devices. But when it comes to the patching schedule, if not the process, Google has it all over Apple.
In the security community, there is essentially no debate about whether iPhones or Android devices are more secure. The iPhone ran away and hid with that title years ago and has never looked back. There are a variety of reasons why this is so, but the main one is the locked-down nature of the Apple ecosystem. The company’s security model only allows users to install apps from the official App Store (unless the device is jailbroken), and there are several levels of safeguards in place to ensure that malicious apps don’t make it into the store. Code reviews, developer certificates, and code signing all contribute to the safety of the apps available for iPhones.
But the closed nature of Apple’s ecosystem is also one of the main reasons that detractors point to when talking up Android. Apple provides little visibility into its processes and policies and, until very recently, even less insight into the iOS internals. The latest beta releases of iOS 10 have an unencrypted kernel, which allows for deeper inspection by security researchers. In most other respects, Apple has not made life easy for the research community.
Google, meanwhile, has taken the opposite tack. Android is an open source operating system and has years of public documentation and research. Security researchers have the ability to dig into the guts of the software and see how the security defenses work and where weak spots lie. Google also has a lucrative bug bounty program for Android, which encourages researchers to find flaws and report them directly to the company. In its first year, the program paid out $550,000 in rewards. Apple doesn’t have a bounty program and likely won’t anytime soon.
Apple does what it wants, when it wants
But the big difference between Android and iOS in terms of security is Google’s monthly patch release schedule for its OS. One of the oddities of the Android ecosystem is the fact that carriers are responsible for distributing patches to their users. Most handset manufacturers ship their own custom versions of Android, so each update requires them to apply the fixes to their own builds. Google pushes the patches to the manufacturers, the manufacturers update their versions and hand them to the carriers, and the carriers then distribute them to customers. However, both the handset makers and the carriers are financially discouraged from doing any of that in a timely fashion. Updating the software makes them no money, but having users buy new devices loaded with the current version of Android does.
The federal government took notice of this last year and began pressuring carriers and manufacturers to get their acts together on patching. So some of the handset makers, including HTC, have begun pushing out regular updates. But that only works because Google now releases patches for Android every month, something it started last summer. That was a huge change, as Android often has dozens of new vulnerabilities each month, making the regular patches vital.
Apple releases fixes for iOS haphazardly. The schedule is roughly quarterly, but it can sometimes be six months between major security updates. It is all dependent upon the company’s whims. And those iOS updates are often massive, with patches for dozens and dozens of vulnerabilities. Part of the reason for this non-schedule is likely that exploitation of iOS bugs is typically quite difficult. But much of it is just the fact that Apple does what it wants, when it wants. Outside pressure has little to no effect on the company’s policies, and Apple certainly won’t do something just to be seen as following Google’s lead.
But that stubbornness can affect user safety, and it is long past time for Apple to commit to a regular patch schedule for iOS.