For years, iOS has maintained an iron grip on its reputation as the most secure mobile operating system, but Android 10’s new granular controls over app permissions and increased efforts toward security updates are a noticeable improvement.
Both Android 10 and iOS 13 (released Thursday) have new security features that up the ante by giving you more control over how often apps can access your location, ways to stop apps from scanning nearby Bluetooth and Wi-Fi networks to guess your location, and a new sign-in method for third-party apps.
Here’s how the two measure up.
Winner: iOS 13
When it comes to keeping your mobile device secure, your first and easiest line of defense is to keep your OS up to date. This defense alone, as Kaspersky Labs notes, can stop entire families of malware in their tracks.
When it comes to getting updates from the mothership to your palm, Apple still maintains the kind of control over its manufacturing chain, carrier network contracts and underlying code to make it happen quickly and effectively. While some users still uphold the tradition of complaining about iOS’ notorious lack of customization, Apple’s highly patrolled walled garden has also ensured iPhone users largely stay ahead of malware without having to think about it.
A hopeful sign, however, came for security-minded Android fans in May, when Google Senior Director for Android Stephanie Cuthbertson told Google I/O attendees that Android security updates will finally be automated.
“Your Android device gets regular security updates already, but you still have to wait for the release and you have to reboot when they come. We want you to get these faster,” she said.
The process will happen in the background much like Google updates its apps, and will no longer require you to reboot your phone.
While it’s great to hear Android security modules will get updates even if your OS isn’t, that still doesn’t solve Google’s enormous problem with delayed OS updates.
Manufacturers and carrier networks release their own customized versions of Android on their own schedule (often not at all), meaning people generally aren’t updating their Android phones. With surges in mobile malware in the Google Play Store, Google’s moves to push security updates couldn’t come sooner.
But letting AT&T or Verizon stall on giving your OS an update is the tradeoff Google made long ago in exchange for a dominant US market share that’s now eroding as people flee from escalating security threats.
Winner: Android 10
Outside of keeping your OS updated, the biggest threat to your mobile security comes from apps that demand excessive permissions to access your phone’s data — and then leak it.
While the velvet rope of the strictly controlled App Store is largely credited with keeping out the malware riff-raff that affects a disproportionate number of Android users, iPhone users are not immune to attacks.
Just this June, researchers from Positive Technologies found more iOS apps than Android apps had security weaknesses. In August, after taking a year-long beating in the press for pervasive malware in its Play Store, Google got to push back when it found security flaws in the iPhone which it said let websites hack away for years.
But iOS 13’s mandatory privacy tool, Sign In, goes a long way to help Apple save face and maintain its reputation. The security feature uses your Apple ID, not your email address, to verify your credentials while logging into your apps. It also means no more using Facebook to log into a shady-looking quiz you found online, and no more creating fake email addresses to try new services (Sign In will create a throwaway for you).
But Android 10 isn’t out of the race here.
It’s got an entirely new dedicated Privacy section in its Settings app where you can monitor and then block permission requests from any app. Why does Facebook need your location data? It doesn’t. Permission denied.
Previously, tracking Android app permissions was frustratingly difficult. But a one-click reject button for each item in a condensed list? That’s the kind of control I want if I’m working in Google’s open-source playground.
Not-quite-buried in the new Android 10 menu is the Advanced section. The intuitive grouping puts common security concerns in one place to control instead of spread out across multiple menus: Lock screen information display, Google’s Autofill service, Activity information and how you want your device to handle advertising requests.
While this control over permissions is an improvement, malware apps with no permissions are still able to piggyback on other apps you’ve afforded permissions. That alone led researchers in July to discover more than 1,000 apps in Google Play Store stealing users’ data.
It begs the question: How good are Android 10’s permission controls if Google Play Store apps are the problem?
Winner: Android 10
Another privacy boost for both OSes comes in the form of new location-blocking options.
iOS 13 graciously offers the option of sharing photos without sharing your location data. The option to strip private location data from a photo while in the Photos app means each picture no longer leaves a data trail when it makes its way across social media, email or messages — all while the photo can still be geotagged privately.
And the process is simple: Select a photo (or photos) you want to share in the Photos app, then tap on Options at the top of the screen and turn off Location under the section labeled Include.
Android 10 is on par. To strip location data prior to sharing a photo, go to your Android phone’s Photos app, tap the menu and select Settings, then tap Remove geo location.
Android 10 is making its own strides here, though. While previous versions only allowed you to say yes or no to an app’s location request, Android 10 is taking a more granular approach to geolocation controls. Now you’ll have three options: Deny permissions, accept them, or let an app access your location information only while you’re actively using the app.
No more Bluetooth sniffing
Once you turn off permissions for an app to access your location via GPS, it can still start sniffing around for Bluetooth and Wi-Fi signals. Once it finds them, it can quickly parse out your location. Worse yet, Bluetooth is increasingly becoming a vulnerability, as smart home connections outpace security fixes.
Thankfully, both Android 10 and iOS 13 offer you control over which apps are allowed to sniff out Wi-Fi and Bluetooth signals nearby.
Winner: iOS 13
On the surface it might seem like a novelty built around the need for a social convenience, but Android 10’s Wi-Fi password feature could be a great security measure. The new feature lets you create a QR code for your Wi-Fi network that your guests can scan to join it. Make your password as strong as you can, and never worry about forgetting it or having to slowly spell it out for your friends.
But Apple wins the bonus round in a landslide, thanks to iOS 13’s expanded HomeKit security features, created now that its smart home platform HomeKit is gaining support for secure routers and encrypted home-security cameras. You want control over whether your smart fridge is talking to your other appliances? You got it. The potential for a culinary mutiny aside, bulkheading your data is the best way to shore up security.
The crown jewel here for Apple fans is that HomeKit cameras will soon have encrypted video capabilities and iCloud storage, and all HomeKit Secure Video that gets uploaded will be encrypted.
We could have used that technology back in January.
Deals we love
Price drops on our favorite products
CNET may get a commission from these offers.