Is Android less secure than iPhone?

[KometStorm]

I've heard mixed answers from this question and was wondering what the hak5 community thought about it.

[Rkiver]

As Android is technically open source, it has the potential to be more secure as more people can help find holes and help plug them.

Closed source systems don't have that luxury, and also Apple as a whole are terrible about patching known security flaws.

[KometStorm]

Many people have told me that iPhone's are more secure than Androids just because Apple does not allow malicious applications in their app store.

With that said, if malicious apps are not much of a security concern than what is?

What exactly are these security flaws that you are referring to?

How would one go about exploiting those security flaws?

This is just for my own general knowledge :).

[Mr-Protocol]

The argument is a bit too broad.

Things to consider:

OS Version - Not all manufacturers/carriers allow newest Android OS updates or are extremely delayed. They can also modify the build. This also brings up the Google build server vs everyone else's which most likely will have a kernel version difference.

Storage - iPhone has encryption, Nexus devices enable encryption by default. Not all Android have encryption enabled by default.

When it comes down to it, latest and greatest Android and Apple are pretty much equally secure as far as we know. And that is the trick, you don't know it's broken until it's known. Just living in a blissful ignorance until someone is like "Here is some PoC code".

Both Google and Apple try and vet their apps for malicious activity. I know for a fact that some apps have gotten into both stores. One was a straight up backdoor for Apple devices. It would install, download remote code, and reverse shell to the creator's computer.

[Mr-Protocol]

Just found this: https://www.fireeye.com/blog/threat-research/2016/05/exploiting_cve-2016-.html

[cooper]

There's a really cool talk currently being given by Michael Jack and Kyle Bowes under the moniker "ISIS Online" which goes into how terrorist groups use social media, crypto and security to both get their message out without exposing themselves such that a missile moves back in. The one image from their talk that stuck was that of a big hole in the ground with a lot of rubble around it and the caption "ISIS safe house".

Apparently guides exist for ISIS folk on how to do opsec and they basically massively suck at following it. An interesting item that's in the guide is that ISIS fighters are told to not use iPhones because they're easy to track and impossible to secure (apparently this fear is so great, it's illegal to own one within the caliphate). The presenters found no real evidence to prove this belief and they actually believe that the US planted this bit of misinformation within their organization specifically because Android phones are, in general, easier to crack.

My advice to you would be to just pick either an iPhone or a Nexus as you get vendor-supplied up-to-date OS software as it becomes available so your phone is effectively as current as it can be. If you go with some wonky vendor that rebrands Android to work on their phone you're restricted to that vendor's (in)ability *COUGH*Samsung*COUGH* to keep their mods current for that phone. Oh, and whatever you do, DO NOT SIDE-LOAD OR JAILBREAK YOUR PHONE. Interesting little fact from the ISIS talk again - some of their most popular software is loaded onto fighters' phones via side-loading a file they grabbed from some website. Guess how secure this is...