Apple maintains its iron grip on security, but Google is gaining ground, especially with Android 11 around the corner.
Rae Hodge, former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
has maintained an iron grip on its reputation as the most secure mobile operating system, but Android 10's granular controls over app permissions and increased efforts toward security updates are a noticeable improvement. Plus, the upcoming Android 11 (currently available as a developer preview) further shows Google is making more headway with its latest privacy-focused features.
Both Android 10 and iOS 13 have security features that up the ante by giving you more control over how often apps can access your location, ways to stop apps from scanning nearby Bluetooth and Wi-Fi networks to guess your location, and a new sign-in method for third-party apps.
When it comes to keeping your mobile device secure, your first and easiest line of defense is to keep your OS up to date. This defense alone, as Kaspersky Labs notes, can stop entire families of
in their tracks.
When it comes to getting updates from the mothership to your palm, Apple still maintains the kind of control over its manufacturing chain, carrier network contracts and underlying code to make it happen quickly and effectively. While some users still uphold the tradition of complaining about iOS' notorious lack of customization, Apple's highly patrolled walled garden has also ensured iPhone users largely stay ahead of malware without having to think about it.
A hopeful sign, however, came for security-minded Android fans in May 2019, when Google Senior Director for Android Stephanie Cuthbertson told Google I/O attendees that Android security updates will finally be automated.
"Your Android device gets regular security updates already, but you still have to wait for the release and you have to reboot when they come," she said. "We want you to get these faster."
The process will happen in the background much like Google updates its apps, and will no longer require you to reboot your phone.
Manufacturers and carrier networks release their own customized versions of Android on their own schedule (often not at all), meaning people generally aren't updating their Android
. With surges in mobile malware in the Google Play Store, Google's moves to push security updates couldn't come sooner.
Winner: Android 10
Outside of keeping your OS updated, the biggest threat to your mobile security comes from apps that demand excessive permissions to access your phone's data -- and then leak it.
While the velvet rope of the strictly controlled App Store is largely credited with keeping out the malware riff-raff that affects a disproportionate number of Android users, iPhone users are not immune to attacks.
In June 2019, researchers from Positive Technologies found more iOS apps than Android apps had security weaknesses. In August, after taking a year-long beating in the press for pervasive malware in its Play Store, Google got to push back when it found security flaws in the iPhone which it said let websites hack away for years.
But iOS 13's mandatory privacy tool, Sign In, goes a long way to help Apple save face and maintain its reputation. The security feature uses your Apple ID, not your email address, to verify your credentials while logging into your apps. It also means no more using
to log into a shady-looking quiz you found online, and no more creating fake email addresses to try new services (Sign In will create a throwaway for you).
But Android 10 isn't out of the race here.
It's got an entirely new dedicated Privacy section in its Settings app where you can monitor and then block permission requests from any app. Why does Facebook need your location data? It doesn't. Permission denied.
Previously, tracking Android app permissions was frustratingly difficult. But a one-click reject button for each item in a condensed list? That's the kind of control I want if I'm working in Google's open-source playground.
Not-quite-buried in the new Android 10 menu is the Advanced section. The intuitive grouping puts common security concerns in one place to control instead of spread out across multiple menus: Lock screen information display, Google's Autofill service, Activity information and how you want your device to handle advertising requests. While this control over permissions is an improvement, malware apps with no permissions are still able to piggyback on other apps you've afforded permissions. That alone led researchers in July 2019 to discover more than 1,000 apps in Google Play Store stealing users' data.
It raises the question: How good are Android 10's permission controls if Google Play Store apps are the problem?
Another privacy boost for both OSes comes in the form of new location-blocking options.
iOS 13 graciously offers the option of sharing photos without sharing your location data. The option to strip private location data from a photo while in the Photos app means each picture no longer leaves a data trail when it makes its way across social media, email or messages -- all while the photo can still be geotagged privately.
And the process is simple: Select a photo (or photos) you want to share in the Photos app, then tap on Options at the top of the screen and turn off Location under the section labeled Include.
Android 10 is on par. To strip location data prior to sharing a photo, go to your Android phone's Photos app, tap the menu and select Settings, then tap Remove geo location.
Android 10 is making its own strides here, though. While previous versions only allowed you to say yes or no to an app's location request, Android 10 is taking a more granular approach to geolocation controls. Now you'll have three options: Deny permissions, accept them, or let an app access your location information only while you're actively using the app.
No more Bluetooth sniffing
Once you turn off permissions for an app to access your location via GPS, it can still start sniffing around for Bluetooth and Wi-Fi signals. Once it finds them, it can quickly parse out your location. Worse yet, Bluetooth is increasingly becoming a vulnerability, as
connections outpace security fixes.
Thankfully, both Android 10 and iOS 13 offer you control over which apps are allowed to sniff out Wi-Fi and Bluetooth signals nearby.
Winner: iOS 13
On the surface it might seem like a novelty built around the need for a social convenience, but Android 10's Wi-Fi password feature could be a great security measure. The new feature lets you create a QR code for your Wi-Fi network that your guests can scan to join it. Make your password as strong as you can, and never worry about forgetting it or having to slowly spell it out for your friends.
But Apple wins the bonus round in a landslide, thanks to iOS 13's expanded
security features, created now that its smart home platform is gaining support for secure routers and encrypted home-security cameras. You want control over whether your smart fridge is talking to your other
? You got it. The potential for a culinary mutiny aside, bulkheading your data is the best way to shore up security.
The crown jewel here for Apple fans is that HomeKit cameras will soon have encrypted video capabilities and iCloud storage, and all HomeKit Secure Video that gets uploaded will be encrypted.