
iOS 13 vs. Android 10: Which OS is more secure?

Apple maintains its iron grip on security, but Google is gaining ground, especially with Android 11 around the corner.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.

For years, iOS has maintained an iron grip on its reputation as the most secure mobile operating system, but Android 10's granular controls over app permissions and increased efforts toward security updates are a noticeable improvement. Plus, the upcoming Android 11 (currently available as a developer preview) further shows Google is making more headway with its latest privacy-focused features.

Both Android 10 and iOS 13 have security features that up the ante by giving you more control over how often apps can access your location, ways to stop apps from scanning nearby Bluetooth and Wi-Fi networks to guess your location, and a new sign-in method for third-party apps.


Here's how the two measure up. 

Updates

Winner: iOS 13

When it comes to keeping your mobile device secure, your first and easiest line of defense is to keep your OS up to date. This defense alone, as Kaspersky Labs notes, can stop entire families of malware in their tracks. 

When it comes to getting updates from the mothership to your palm, Apple still maintains the kind of control over its manufacturing chain, carrier network contracts and underlying code to make it happen quickly and effectively. While some users still uphold the tradition of complaining about iOS' notorious lack of customization, Apple's highly patrolled walled garden has also ensured iPhone users largely stay ahead of malware without having to think about it.

A hopeful sign, however, came for security-minded Android fans in May 2019, when Google Senior Director for Android Stephanie Cuthbertson told Google I/O attendees that Android security updates will finally be automated.

"Your Android device gets regular security updates already, but you still have to wait for the release and you have to reboot when they come," she said. "We want you to get these faster."

The process will happen in the background much like Google updates its apps, and will no longer require you to reboot your phone. 

While it's great to hear Android security modules will get updates even if your OS isn't, that still doesn't solve Google's enormous problem with delayed OS updates.

Manufacturers and carrier networks release their own customized versions of Android on their own schedule (often not at all), meaning people generally aren't updating their Android phones. With surges in mobile malware in the Google Play Store, Google's moves to push security updates couldn't come sooner.

But letting AT&T or Verizon stall on giving your OS an update is the tradeoff Google made long ago in exchange for a dominant US market share that's now eroding as people flee from escalating security threats.


Permission control 

Winner: Android 10 

Outside of keeping your OS updated, the biggest threat to your mobile security comes from apps that demand excessive permissions to access your phone's data -- and then leak it. 

While the velvet rope of the strictly controlled App Store is largely credited with keeping out the malware riff-raff that affects a disproportionate number of Android users, iPhone users are not immune to attacks. 

In June 2019, researchers from Positive Technologies found more iOS apps than Android apps had security weaknesses. In August, after taking a year-long beating in the press for pervasive malware in its Play Store, Google got to push back when it found security flaws in the iPhone which it said let websites hack away for years. 

But iOS 13's mandatory privacy tool, Sign In, goes a long way to help Apple save face and maintain its reputation. The security feature uses your Apple ID, not your email address, to verify your credentials while logging into your apps. It also means no more using Facebook to log into a shady-looking quiz you found online, and no more creating fake email addresses to try new services (Sign In will create a throwaway for you).

But Android 10 isn't out of the race here. 

It's got an entirely new dedicated Privacy section in its Settings app where you can monitor and then block permission requests from any app. Why does Facebook need your location data? It doesn't. Permission denied. 

Previously, tracking Android app permissions was frustratingly difficult. But a one-click reject button for each item in a condensed list? That's the kind of control I want if I'm working in Google's open-source playground. 

Not-quite-buried in the new Android 10 menu is the Advanced section. The intuitive grouping puts common security concerns in one place to control instead of spread out across multiple menus: Lock screen information display, Google's Autofill service, Activity information and how you want your device to handle advertising requests.

While this control over permissions is an improvement, malware apps with no permissions are still able to piggyback on other apps you've afforded permissions. That alone led researchers in July 2019 to discover more than 1,000 apps in Google Play Store stealing users' data.

It begs the question: How good are Android 10's permission controls if Google Play Store apps are the problem?


Geotracking

Winner: Android 10 

Another privacy boost for both OSes comes in the form of new location-blocking options.

iOS 13 graciously offers the option of sharing photos without sharing your location data. The option to strip private location data from a photo while in the Photos app means each picture no longer leaves a data trail when it makes its way across social media, email or messages -- all while the photo can still be geotagged privately. 

And the process is simple: Select a photo (or photos) you want to share in the Photos app, then tap on Options at the top of the screen and turn off Location under the section labeled Include.

Android 10 is on par. To strip location data prior to sharing a photo, go to your Android phone's Photos app, tap the menu and select Settings, then tap Remove geo location. 

Android 10 is making its own strides here, though. While previous versions only allowed you to say yes or no to an app's location request, Android 10 is taking a more granular approach to geolocation controls. Now you'll have three options: Deny permissions, accept them, or let an app access your location information only while you're actively using the app. 

No more Bluetooth sniffing 

Winner: Tie

Once you turn off permissions for an app to access your location via GPS, it can still start sniffing around for Bluetooth and Wi-Fi signals. Once it finds them, it can quickly parse out your location. Worse yet, Bluetooth is increasingly becoming a vulnerability, as smart home connections outpace security fixes. 

Thankfully, both Android 10 and iOS 13 offer you control over which apps are allowed to sniff out Wi-Fi and Bluetooth signals nearby. 

Bonus round

Winner: iOS 13

On the surface it might seem like a novelty built around the need for a social convenience, but Android 10's Wi-Fi password feature could be a great security measure. The new feature lets you create a QR code for your Wi-Fi network that your guests can scan to join it. Make your password as strong as you can, and never worry about forgetting it or having to slowly spell it out for your friends.

But Apple wins the bonus round in a landslide, thanks to iOS 13's expanded HomeKit security features, created now that its smart home platform is gaining support for secure routers and encrypted home-security cameras. You want control over whether your smart fridge is talking to your other appliances? You got it. The potential for a culinary mutiny aside, bulkheading your data is the best way to shore up security.

The crown jewel here for Apple fans is that HomeKit cameras will soon have encrypted video capabilities and iCloud storage, and all HomeKit Secure Video that gets uploaded will be encrypted. 

We could have used that technology last year.


Originally published last year. Updated periodically with new information.