• Security Is Far More Comprehensive Than Simple Malware Statistics

    From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Sun Dec 21 22:06:24 2025
    From Newsgroup: comp.sys.mac.advocacy

    Tyrone said:
    e. You and I use completely different definitions of phone "security"
    etc.

    Yes. I use multiple sites (some that YOU provided in your attempt to show that Android is more secure) that ALL show that the vast majority of security issues/malware happen on Android. You use a single site that says iOS had 3 more zero-day patches than Android last year. Even with that, iOS is STILL way less likely to be infected. Thus, iOS is way more secure than Android.

    So obviously, you are going to continue your absurd, undocumented claims. No one is shocked. As you stated, ignoring facts is not what adults do.

    No serious security expert claims "iOS is way more secure".
    There isn't one in the entire world, in fact, that you can find.

    It's obvious why.
    There isn't a professional security researcher on the planet who says that.

    It's only Apple marketing that implies that.
    Not serious researchers.

    You are apparently attempting to reduce a very complex subject to a single metric (malware prevalence), and that is not how security professionals evaluate operating system security. Malware rates are not the definition of security. They are one symptom of a much larger system.

    Here are some of the much more complicated facts that matter:

    CISA KEV data does not show iOS as "way more secure." When you query the
    CISA Known Exploited Vulnerabilities database, iOS and Android have roughly similar numbers of actively exploited CVEs over time. That is the only U.S. government maintained list of real-world, in-the-wild exploited vulnerabilities. It does not show iOS as dramatically safer.

    Zero-day exploitation rates do not show iOS as "way more secure." Google Project Zero's annual reports show that Apple repeatedly ships code that
    has never been fuzzed or tested with modern techniques. Project Zero has publicly stated that Apple's code quality and testing coverage lag behind industry best practices. Again, this is not my opinion; it is documented research.

    iOS's monolithic update model slows down patch deployment. Before Rapid Security Responses existed, any fix to any system component required a full
    OS rebuild and full QA cycle. That is why iOS historically took longer to
    patch certain classes of bugs. Android's modular architecture (APEX,
    Mainline, Play Services) allows many components to be patched
    independently. Update speed is a major part of security.

    Malware statistics do not prove OS-level security.
    Malware prevalence is heavily influenced by:
    a. market share
    b. sideloading behavior
    c. user behavior
    d. distribution channels
    e. regional differences

    Furthermore, mere economic incentives for attackers Malware rates do not measure kernel security, sandboxing, exploit mitigations, patch velocity,
    or code quality. They measure user exposure, not OS architecture.

    No serious security expert claims "iOS is way more secure."

    Security researchers consistently say the opposite: both platforms have strengths and weaknesses. iOS has a strong sandbox and strong hardware security, but slow patch cycles and opaque code quality. Android has a
    larger attack surface and more malware, but faster patching for many
    components and better transparency. Security is not a scoreboard. It is a system.

    The only meaningful way to compare security is by looking at real-world exploited vulnerabilities, patch timelines, exploit mitigations, and code quality. When you look at those metrics, the picture is mixed, not
    one-sided.

    So yes, you and I use different definitions of "security." You are using malware statistics. I am using CISA KEV data, Project Zero research, patch velocity, exploit mitigations, and code quality. Those are the metrics used
    by actual security professionals.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 15:08:37 2025
    From Newsgroup: comp.sys.mac.advocacy

    Marian <marianjones@helpfulpeople.com> wrote:
    Tyrone said:
    e. You and I use completely different definitions of phone "security"
    etc.

    Yes. I use multiple sites (some that YOU provided in your attempt to show that Android is more secure) that ALL show that the vast majority of security
    issues/malware happen on Android. You use a single site that says iOS had 3 more zero-day patches than Android last year. Even with that, iOS is STILL way less likely to be infected. Thus, iOS is way more secure than Android.

    So obviously, you are going to continue your absurd, undocumented claims. No
    one is shocked. As you stated, ignoring facts is not what adults do.

    No serious security expert claims "iOS is way more secure".
    There isn't one in the entire world, in fact, that you can find.

    Except the Israeli army.

    It's obvious why.
    There isn't a professional security researcher on the planet who says that.

    Only Israeli army intelligence. Who know a thing or two.

    It's only Apple marketing that implies that.
    Not serious researchers.

    You are apparently attempting to reduce a very complex subject to a single metric (malware prevalence), and that is not how security professionals evaluate operating system security. Malware rates are not the definition of security. They are one symptom of a much larger system.

    Here are some of the much more complicated facts that matter:

    CISA KEV data does not show iOS as "way more secure." When you query the
    CISA Known Exploited Vulnerabilities database, iOS and Android have roughly similar numbers of actively exploited CVEs over time. That is the only U.S. government maintained list of real-world, in-the-wild exploited vulnerabilities. It does not show iOS as dramatically safer.

    As we've discussed before the KEV cannot be used to make any extrapolation
    or implication. It is an extremely narrow view of the landscape ignoring
    96% of known vulnerabilities.

    Zero-day exploitation rates do not show iOS as "way more secure." Google Project Zero's annual reports show that Apple repeatedly ships code that
    has never been fuzzed or tested with modern techniques.

    Cite required.

    Project Zero has
    publicly stated that Apple's code quality and testing coverage lag behind industry best practices. Again, this is not my opinion; it is documented research.

    Cite required.

    iOS's monolithic update model slows down patch deployment.

    Cite required.

    Before Rapid
    Security Responses existed, any fix to any system component required a full OS rebuild and full QA cycle. That is why iOS historically took longer to patch certain classes of bugs. Android's modular architecture (APEX, Mainline, Play Services) allows many components to be patched
    independently. Update speed is a major part of security.

    Malware statistics do not prove OS-level security.
    Malware prevalence is heavily influenced by:
    a. market share
    b. sideloading behavior
    c. user behavior
    d. distribution channels
    e. regional differences

    Furthermore, mere economic incentives for attackers Malware rates do not measure kernel security, sandboxing, exploit mitigations, patch velocity,
    or code quality. They measure user exposure, not OS architecture.

    No serious security expert claims "iOS is way more secure."

    Security researchers consistently say the opposite: both platforms have strengths and weaknesses. iOS has a strong sandbox and strong hardware security, but slow patch cycles and opaque code quality. Android has a
    larger attack surface and more malware, but faster patching for many components and better transparency. Security is not a scoreboard. It is a system.

    The only meaningful way to compare security is by looking at real-world exploited vulnerabilities, patch timelines, exploit mitigations, and code quality. When you look at those metrics, the picture is mixed, not
    one-sided.

    So yes, you and I use different definitions of "security." You are using malware statistics. I am using CISA KEV data, Project Zero research, patch velocity, exploit mitigations, and code quality. Those are the metrics used by actual security professionals.

    Cite required.

    As an anecdote, and given you hold project zero in such high regard, it was interesting to note that the latest google chrome high severity (and
    exploited in the wild) vulnerability was found by Apple security researchers (together with the google team). https://www.securityweek.com/apple-patches-two-zero-days-tied-to-mysterious-exploited-chrome-flaw/

  • From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 12:21:18 2025
    From Newsgroup: comp.sys.mac.advocacy

    Chris wrote:
    No serious security expert claims "iOS is way more secure".
    There isn't one in the entire world, in fact, that you can find.

    Except the Israeli army.

    We responded to that false equation long ago already, Chris.
    You completely misrepresented what the IDF said and what it means.

    You seem to have no comprehension that "choosing" a platform is not the
    same thing as saying it's "way more secure", particularly since plenty of companies have chosen Android as their platform for security also.

    If you want to take up your false claims that iOS is "more secure" than
    Android simply because the IDF chose it, then let's start a new thread.
    From: Marian <marianjones@helpfulpeople.com>
    Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.advocacy
    Subject: What does it really mean when an entity chooses iOS
    or Android as their main platform?
    Date: Mon, 22 Dec 2025 11:10:02 -0700
    Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
    Message-ID: <10ic1hq$2ckt$1@nnrp.usenet.blueworldhosting.com>

    It's obvious why.
    There isn't a professional security researcher on the planet who says that.

    Only Israeli army intelligence. Who know a thing or two.

    Chris, you're being confused by two very different things.
    a. platform selection,
    b. and comparative security claims.

    When an organization standardizes on iOS or Android, that decision is
    almost never a blanket endorsement of one platform being "way more secure."

    At a technical level, platform choice reflects a combination of:

    Ecosystem control and supply-chain assurance
    Some entities prefer Apple's vertically integrated hardware/software
    stack. Others prefer Android because it allows custom ROMs, hardware
    diversity, or integration with existing secure supply chains.

    Device management and policy enforcement
    MDM/EMM capabilities differ between platforms. Some organizations
    need Apple's supervised-mode restrictions; others need Android
    Enterprise's work-profile isolation or OEMConfig extensibility.

    Customization and hardening requirements
    High-security environments often deploy hardened Android builds
    (e.g., AOSP-based, GrapheneOS-style, or vendor-hardened enterprise
    variants) because Android's architecture allows deeper modification
    than iOS. That flexibility is a feature, not a security flaw.

    Operational constraints
    Procurement pipelines, existing tooling, developer ecosystems,
    and mission-specific apps all influence platform choice.
    None of these equate to "this OS is more secure."

    That's why your IDF example doesn't support your claim.
    The IDF did not assert that iOS is "way more secure."

    They made a platform decision based on their operational and architectural needs. Meanwhile, many other militaries, intelligence agencies, and critical-infrastructure organizations choose Android-based hardened devices
    for equally valid security reasons.

    If you want to argue that iOS is categorically more secure than Android,
    that's a separate technical debate, which is one that involves sandbox
    models, update cadence, exploit markets, kernel attack surfaces, and OEM fragmentation.
    From: Marian <marianjones@helpfulpeople.com>
    Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.advocacy
    Subject: What does it really mean when an entity chooses iOS
    or Android as their main platform?
    Date: Mon, 22 Dec 2025 11:10:02 -0700
    Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
    Message-ID: <10ic1hq$2ckt$1@nnrp.usenet.blueworldhosting.com>

    But it's not something you can infer from a single organization's
    procurement choice.


    It's only Apple marketing that implies that.
    Not serious researchers.

    You are apparently attempting to reduce a very complex subject to a single metric (malware prevalence), and that is not how security professionals
    evaluate operating system security. Malware rates are not the definition of security. They are one symptom of a much larger system.

    Here are some of the much more complicated facts that matter:

    CISA KEV data does not show iOS as "way more secure." When you query the
    CISA Known Exploited Vulnerabilities database, iOS and Android have roughly similar numbers of actively exploited CVEs over time. That is the only U.S. government maintained list of real-world, in-the-wild exploited
    vulnerabilities. It does not show iOS as dramatically safer.

    As we've discussed before the KEV cannot be used to make any extrapolation
    or implication. It is an extremely narrow view of the landscape ignoring
    96% of known vulnerabilities.

    Chris, I think it's clear that you are misrepresenting the data in KEV.
    No one is claiming the KEV represents the entire vulnerability landscape.
    a. Of course it does not.
    b. It is intentionally narrow.
    That is the whole reason it is useful in this specific context.

    The KEV is the only US government maintained list that tracks
    vulnerabilities that are actually being exploited in the wild.

    It filters out the noise and focuses on the subset that matters for
    real-world operational risk. That makes it appropriate for comparing
    practical exposure between platforms.

    Saying "the KEV ignores 96 percent of known vulnerabilities" is not an
    argument against using it. That is simply a description of its purpose.

    Most CVEs are never exploited, never weaponized, and never used against
    real targets. Counting every CVE equally is a poor way to measure security because it treats theoretical bugs the same as actively exploited ones.

    If your claim is that iOS is "way more secure," then the KEV is exactly the kind of dataset you should be able to point to.

    It reflects real exploitation, not hypothetical attack surfaces.

    And when you look at that data, iOS and Android show broadly similar levels
    of exploited CVEs over time. That directly contradicts the idea that one platform is dramatically safer than the other.

    If you want to argue that the KEV is not the right metric, that is fine,
    but then you need to provide a better one. Simply dismissing the only authoritative exploited-in-the-wild dataset because it does not support
    your conclusion is not a technical argument that is logically tenable.

    Here's the thread where you can argue what KEV is and what it isn't.
    From: Marian <marianjones@helpfulpeople.com>
    Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.advocacy
    Subject: What does the CISA KEV database say about Android/iOS
    known critical exploits?
    Date: Mon, 22 Dec 2025 11:20:58 -0700
    Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
    Message-ID: <10ic26a$1pu9$1@nnrp.usenet.blueworldhosting.com>

    Zero-day exploitation rates do not show iOS as "way more secure." Google
    Project Zero's annual reports show that Apple repeatedly ships code that
    has never been fuzzed or tested with modern techniques.

    Cite required.

    Saying "cite required" to facts you've been provided many times already
    is not a serious response here, Chris.

    This has been linked multiple times already, and it is not some fringe blog post, it is Google Project Zero's own reporting.

    The relevant cite is Google Project Zero's yearly writeups on 0-days
    exploited in the wild, especially:

    "0day In-The-Wild Exploitation in 2021" by Maddie Stone, Project Zero
    <https://projectzero.google/2022/04/the-more-you-know-more-you-know-you.html>

    In that report, Project Zero explicitly calls out that multiple iOS vulnerabilities which were exploited in the wild were in code that had
    never been subjected to modern testing techniques such as coverage-guided fuzzing. They make the point that these bugs were "not technically sophisticated" and should have been caught by basic, systematic testing
    before shipping, but were not. Apple is named explicitly in that context as
    a vendor shipping code that had never been fuzzed or properly tested,
    despite being widely deployed in security critical paths.

    You do not have to take my word for it. Read the report yourself. The whole point of those "year in review" posts is to look at how 0-day exploitation happens in practice, and what it says about vendors' secure development and testing processes.

    So to restate the original claim in precise terms:

    Project Zero's own data and analysis show that multiple in-the-wild iOS
    0-days were in code that had never been fuzzed or subjected to basic modern testing, which directly contradicts the idea that Apple is consistently
    doing a clearly superior job of secure development compared to everyone
    else.

    If you want to argue that iOS is "way more secure," you need to engage with that actual evidence, not just demand a fresh "cite" every time the same
    report is mentioned.

    You ignoring all facts you're ignorant of does not make them go away.
    From: Marian <marianjones@helpfulpeople.com>
    Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.advocacy
    Subject: What did Google's project zero really say about Apple
    never testing much of their iOS code?
    Date: Mon, 22 Dec 2025 11:34:16 -0700
    Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
    Message-ID: <10ic2v8$307u$1@nnrp.usenet.blueworldhosting.com>


    Project Zero has
    publicly stated that Apple's code quality and testing coverage lag behind
    industry best practices. Again, this is not my opinion; it is documented
    research.

    Cite required.

    Since we're striving for an adult conversation, I opened the thread noted
    above to present the same cites you've been given multiple times, Chris.

    Remember, to require cites over and over and over and over again, is not
    what I consider an adult interaction to consist of. Nobody else would.

    You need to read the cites before claiming they don't exist.
    That's what adults should do, IMHO.

    We will discuss exactly what Google said about iOS code not having
    ever been tested in that thread.
    From: Marian <marianjones@helpfulpeople.com>
    Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.advocacy
    Subject: What did Google's project zero really say about Apple
    never testing much of their iOS code?
    Date: Mon, 22 Dec 2025 11:34:16 -0700
    Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
    Message-ID: <10ic2v8$307u$1@nnrp.usenet.blueworldhosting.com>

    iOS's monolithic update model slows down patch deployment.

    Cite required.

    For you to claim "cite required" when you've been given them many times,
    is not conducive to an adult discussion of what Google said about iOS.

    See the recent aforementioned thread titled:
    "What did Google's project zero really say about Apple
    never testing much of their iOS code?"

    If you ever claim "cite required" again, then you're joining the ranks of
    Alan Baker & Snit who use that childish trick all the time to avoid fact.

    Before Rapid
    Security Responses existed, any fix to any system component required a full OS rebuild and full QA cycle. That is why iOS historically took longer to
    patch certain classes of bugs. Android's modular architecture (APEX,
    Mainline, Play Services) allows many components to be patched
    independently. Update speed is a major part of security.

    Malware statistics do not prove OS-level security.
    Malware prevalence is heavily influenced by:
    a. market share
    b. sideloading behavior
    c. user behavior
    d. distribution channels
    e. regional differences

    Furthermore, mere economic incentives for attackers Malware rates do not
    measure kernel security, sandboxing, exploit mitigations, patch velocity,
    or code quality. They measure user exposure, not OS architecture.

    No serious security expert claims "iOS is way more secure."

    Security researchers consistently say the opposite: both platforms have
    strengths and weaknesses. iOS has a strong sandbox and strong hardware
    security, but slow patch cycles and opaque code quality. Android has a
    larger attack surface and more malware, but faster patching for many
    components and better transparency. Security is not a scoreboard. It is a
    system.

    The only meaningful way to compare security is by looking at real-world
    exploited vulnerabilities, patch timelines, exploit mitigations, and code
    quality. When you look at those metrics, the picture is mixed, not
    one-sided.

    So yes, you and I use different definitions of "security." You are using
    malware statistics. I am using CISA KEV data, Project Zero research, patch velocity, exploit mitigations, and code quality. Those are the metrics used by actual security professionals.

    Cite required.

    You were given the cites, Chris. You not reading them, and then claiming
    they don't exist, is not conducive to an adult conversation, now is it.

    Chris saying "cite required" is not a meaningful response when the points I listed are well-established, widely documented facts in public technical sources.

    Here are related references, all of which you have been shown before.

    iOS patching model before Rapid Security Responses
    Apple publicly documented that system components could not be updated independently prior to RSR. Any fix required a full OS rebuild and full QA cycle. This is why Apple introduced RSR in the first place.
    Apple documentation:
    <https://support.apple.com/en-us/HT213825>

    Android modular updates (APEX, Mainline, Play Services)
    Google documents that Android components such as media frameworks,
    networking stacks, DNS resolver, time zone data, and others are updated independently of the OS image.
    Google documentation:
    <https://source.android.com/docs/core/ota/apex>
    <https://source.android.com/docs/core/ota/mainline>

    Malware statistics do not measure OS security
    Every major security vendor (Kaspersky, ESET, Lookout, NCC Group, etc.)
    states that malware prevalence is driven by market share, sideloading, user behavior, and distribution channels. This is standard threat-modeling, not controversial.

    Real-world exploited vulnerabilities
    The CISA Known Exploited Vulnerabilities catalog is the only US government maintained list of vulnerabilities confirmed to be exploited in the wild.
    It does not show iOS as dramatically safer than Android.
    CISA KEV:
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>

    Project Zero research on iOS code quality
    Project Zero has repeatedly documented that multiple iOS and WebKit 0-days exploited in the wild were simple, shallow bugs that modern fuzzing would
    have caught, strongly implying that the affected code had not been systematically tested.
    Project Zero references:
    <https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html>
    <https://googleprojectzero.github.io/0days-in-the-wild/rca/webkit.html>

    Security researchers do not claim "iOS is way more secure"
    This is not a controversial statement. Public talks at Black Hat, DEF CON, USENIX Security, and academic papers consistently describe both platforms
    as having different strengths and weaknesses. No credible researcher treats malware statistics as a proxy for OS-level security.

    So the citations are right there. These are standard, public, technical
    sources used by actual security professionals. If you disagree with any of them, then engage with the substance.

    Simply repeating "cite required" does not move the conversation forward
    in any way that would be considered meaningful in adult tech discourse.

    To move the conversation forward, in an adult manner, I opened this:
    From: Marian <marianjones@helpfulpeople.com>
    Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.advocacy
    Subject: What are the merits of the claim that iOS is "way more secure"?
    Date: Mon, 22 Dec 2025 12:15:53 -0700
    Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
    Message-ID: <10ic5d9$2mvn$1@nnrp.usenet.blueworldhosting.com>

    As an anecdote, and given you hold project zero in such high regard, it was interesting to note that the latest google chrome high severity (and
    exploited in the wild) vulnerability was found by Apple security researchers (together with the google team). https://www.securityweek.com/apple-patches-two-zero-days-tied-to-mysterious-exploited-chrome-flaw/

    I'm aware of that and I was myself impressed that Apple found a bug
    before someone else (not Apple) reported that bug (or exploited) it.

    Apple finding a Chrome bug does not erase the Project Zero analyses.
    It does not change the CISA KEV data.
    It does not change the patch-velocity differences between the platforms.
    It does not change the architectural differences in modular updates.

    It does not address the actual argument at all.
    --
    If all people do is deny the facts, and require the facts to be cited
    over and over again, and yet they don't read them, but still deny them,
    then no adult conversation will be possible with those kinds of people.