From Newsgroup: comp.sys.mac.advocacy
Chris wrote:
>> Before Rapid Security Responses existed, any fix to any system component
>> required a full OS rebuild and full QA cycle. That is why iOS historically
>> took longer to patch certain classes of bugs. Android's modular
>> architecture (APEX, Mainline, Play Services) allows many components to be
>> patched independently. Update speed is a major part of security.
>>
>> Malware statistics do not prove OS-level security.
>> Malware prevalence is heavily influenced by:
>> a. market share
>> b. sideloading behavior
>> c. user behavior
>> d. distribution channels
>> e. regional differences
>> f. economic incentives for attackers
>>
>> Malware rates do not measure kernel security, sandboxing, exploit
>> mitigations, patch velocity, or code quality. They measure user exposure,
>> not OS architecture.
>>
>> No serious security expert claims "iOS is way more secure."
>> Security researchers consistently say the opposite: both platforms have
>> strengths and weaknesses. iOS has a strong sandbox and strong hardware
>> security, but slow patch cycles and opaque code quality. Android has a
>> larger attack surface and more malware, but faster patching for many
>> components and better transparency. Security is not a scoreboard. It is a
>> system.
>>
>> The only meaningful way to compare security is by looking at real-world
>> exploited vulnerabilities, patch timelines, exploit mitigations, and code
>> quality. When you look at those metrics, the picture is mixed, not
>> one-sided.
>>
>> So yes, you and I use different definitions of "security." You are using
>> malware statistics. I am using CISA KEV data, Project Zero research, patch
>> velocity, exploit mitigations, and code quality. Those are the metrics
>> used by actual security professionals.
>
> Cite required.
You were given the cites, Chris. Your not reading them, and then claiming
they don't exist, is not conducive to an adult conversation, now is it?
Chris saying "cite required" is not a meaningful response when the points I listed are well-established, widely documented facts in public technical sources.
Here are related references, all of which you have been shown before.
iOS patching model before Rapid Security Responses
Apple publicly documented that system components could not be updated independently prior to RSR. Any fix required a full OS rebuild and full QA cycle. This is why Apple introduced RSR in the first place.
Apple documentation:
<https://support.apple.com/en-us/HT213825>
Android modular updates (APEX, Mainline, Play Services)
Google documents that Android components such as media frameworks,
networking stacks, DNS resolver, time zone data, and others are updated independently of the OS image.
Google documentation:
<https://source.android.com/docs/core/ota/apex>
<https://source.android.com/docs/core/ota/mainline>
Malware statistics do not measure OS security
Every major security vendor (Kaspersky, ESET, Lookout, NCC Group, etc.)
states that malware prevalence is driven by market share, sideloading, user behavior, and distribution channels. This is standard threat-modeling, not controversial.
Real-world exploited vulnerabilities
The CISA Known Exploited Vulnerabilities catalog is the only US-government-maintained list of vulnerabilities confirmed to be exploited in the wild.
It does not show iOS as dramatically safer than Android.
CISA KEV:
<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
Project Zero research on iOS code quality
Project Zero has repeatedly documented that multiple iOS and WebKit 0-days exploited in the wild were simple, shallow bugs that modern fuzzing would
have caught, strongly implying that the affected code had not been systematically tested.
Project Zero references:
<https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html>
<https://googleprojectzero.github.io/0days-in-the-wild/rca/webkit.html>
Security researchers do not claim "iOS is way more secure"
This is not a controversial statement. Public talks at Black Hat, DEF CON, USENIX Security, and academic papers consistently describe both platforms
as having different strengths and weaknesses. No credible researcher treats malware statistics as a proxy for OS-level security.
So the citations are right there. These are standard, public, technical
sources used by actual security professionals. If you disagree with any of them, then engage with the substance.
Simply repeating "cite required" does not move the conversation forward
in any way that would be considered meaningful in adult tech discourse.
--
Security is not one thing - it's a chain of very many things.
Anyone claiming one thing is security - simply doesn't understand it.
If they can't understand it, then no meaningful conversation is possible.
--- Synchronet 3.21a-Linux NewsLink 1.2
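The post above argues that in-the-wild exploitation counts and patch timelines, not malware prevalence, are the comparable metrics. The script below is an added example of how an analyst would actually tabulate those two metrics from KEV-style data; it is not code from either poster, CISA or Google. It uses the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but every record, CVE id and date below is a constructed placeholder, the vendor/product-to-platform mapping is a simplifying assumption, and the exploitation-observed and fix-released dates are assumed to come from a separate, hand-maintained timeline table because the KEV feed itself does not carry them.

```python
"""Tabulate exploited-in-the-wild counts and patch windows per mobile platform.

Added example, not part of the original Usenet post. Record layout follows
the public CISA KEV JSON feed's field names; all values below are CONSTRUCTED
placeholders (CVE-1900-* ids do not exist), not real catalog data.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed KEV-style records (placeholder CVE ids, invented dates).
SAMPLE_KEV = [
    {"cveID": "CVE-1900-0001", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "dateAdded": "2024-01-12", "dueDate": "2024-02-02", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0002", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
     "dateAdded": "2024-03-25", "dueDate": "2024-04-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0003", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "dateAdded": "2024-05-28", "dueDate": "2024-06-18", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0004", "vendorProject": "Google", "product": "Android",
     "dateAdded": "2024-02-14", "dueDate": "2024-03-06", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0005", "vendorProject": "Google", "product": "Android",
     "dateAdded": "2024-04-16", "dueDate": "2024-05-07", "knownRansomwareCampaignUse": "Unknown"},
    # Not mobile-OS entries; the platform mapping must leave these out.
    {"cveID": "CVE-1900-0006", "vendorProject": "Google", "product": "Chromium V8",
     "dateAdded": "2024-04-20", "dueDate": "2024-05-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0007", "vendorProject": "Apple", "product": "macOS",
     "dateAdded": "2024-06-03", "dueDate": "2024-06-24", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed timeline table (assumed to be maintained separately from KEV):
# cveID -> (first exploitation observed, fix released), ISO dates.
SAMPLE_TIMELINES = {
    "CVE-1900-0001": ("2024-01-02", "2024-01-09"),
    "CVE-1900-0002": ("2024-03-01", "2024-03-22"),
    "CVE-1900-0003": ("2024-05-20", "2024-05-25"),
    "CVE-1900-0004": ("2024-02-05", "2024-02-12"),
    "CVE-1900-0005": ("2024-04-10", "2024-04-13"),
}

# Assumed mapping: (vendorProject, substring of product) -> platform label.
PLATFORM_RULES = [("Apple", "iOS", "iOS"), ("Google", "Android", "Android")]


def platform_of(record):
    """Return the platform label for a KEV-style record, or None if it is not a mobile-OS entry."""
    for vendor, needle, platform in PLATFORM_RULES:
        if record["vendorProject"] == vendor and needle in record["product"]:
            return platform
    return None


def exploited_counts(records):
    """Count KEV entries per platform, and how many are tied to ransomware campaigns."""
    out = defaultdict(lambda: {"entries": 0, "ransomware": 0})
    for rec in records:
        platform = platform_of(rec)
        if platform is None:
            continue
        out[platform]["entries"] += 1
        if rec["knownRansomwareCampaignUse"] == "Known":
            out[platform]["ransomware"] += 1
    return dict(out)


def median_patch_window(records, timelines):
    """Median days from first observed exploitation to fix release, per platform.

    Entries without a timeline row are skipped rather than guessed.
    """
    windows = defaultdict(list)
    for rec in records:
        platform = platform_of(rec)
        if platform is None or rec["cveID"] not in timelines:
            continue
        seen, fixed = (date.fromisoformat(d) for d in timelines[rec["cveID"]])
        windows[platform].append((fixed - seen).days)
    return {p: median(days) for p, days in windows.items()}


if __name__ == "__main__":
    print("exploited entries:", exploited_counts(SAMPLE_KEV))
    print("median days exploitation->fix:", median_patch_window(SAMPLE_KEV, SAMPLE_TIMELINES))
```

The raw entry count is the number the argument is usually reduced to; the second function is the one that carries the "patch velocity" point, and it needs data KEV does not publish, which is why it takes a separate timeline table. Swapping the constructed list for the real feed (the catalog page linked above also serves it as JSON) only changes the input; the two summaries stay directly comparable across platforms.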