What Smartphones Should I Consider If I Care About Security?


Ten years ago, the idea of viruses and malware being installed on a cellphone seemed far-fetched. People were well aware of PC viruses, but who would want to attack Nokia candy-bar phones? Did the performance of Snake really matter that much anyway? What a difference a decade makes. These days, you probably have far more valuable information on your smartphone than on your home computer. Smartphones contain almost all facets of your digital self: your text messages, your email, your contacts, your social media accounts, your location, your web-browsing history, your banking info, your fingerprint, your photos, your heart rate, and maybe even your phone calls.

This trove of personal information is a valuable resource for those with bad intentions. Also, most forms of two-factor authentication rely on your phone, making access to your smartphone the key to breaking into other accounts. With the recent revelations from WikiLeaks’s so-called “Vault 7” and the near-constant news of other security leaks, it should be clear that criminals and governments are hoarding security vulnerabilities for iOS and Android to get access to your information. Yet security is often overlooked when purchasing a smartphone. Perhaps it’s time to consider how secure a smartphone is, in addition to how good a camera or how fast a processor it has.

Is iOS or Android More Secure?

When deciding what smartphone to get, the first consideration is whether to go with an iOS or Android phone. It is often assumed that iOS is much more secure than Android. However, this is not entirely true. No operating system is invulnerable, and neither iOS nor Android is inherently more or less secure than the other. Apple and Google are both constantly patching security holes in their operating systems. In fact, most of the security exploits that were leaked recently by WikiLeaks are already fixed on iOS and Android, and the rest of the leaked exploits are sure to be fixed soon for both. An updated phone is a secure phone, and the longer it takes for a smartphone to get patches for known security problems, the more vulnerable it is.

The main reason iOS has a good reputation for security is that when Apple fixes bugs in iOS, it can push the fixes out to all iPhones immediately. This is because Apple retains the ability to update all its phones directly, regardless of the iPhone’s carrier. Android is much more decentralized—phone manufacturers and carriers like to modify Android, which makes it impossible for Google to push out security patches directly to most Android phones. However, there are a few Android phones that do get security updates straight from Google.

Apple iPhones and Google Pixel Phones Get Security Patches First

If security is your main concern when shopping for a smartphone, then it’s hard to go wrong with an iPhone or Pixel phone. Both the iPhone and the Pixel (as well as the Nexus) get OS updates directly from the companies that make the OS. So, as soon as Apple or Google patch security flaws, you can be confident you will have the fixes if you are using one of these smartphones, even if you purchase it at a carrier store. Of course, neither of these phones is exactly cheap (though the Nexus 5X is a very good deal), so if you want something different, you should look at OEM Android phones from other manufacturers.

Android Fragmentation and Security

Android’s greatest strength is its flexibility; manufacturers can adapt it to do almost anything they want. This comes with a bit of a downside, though: Google can’t update other companies’ phones directly. And lazy companies have led to huge amounts of Android fragmentation, or inconsistency between different versions of the OS on different devices. Google is doing what it can to pressure phone manufacturers to issue updates more frequently. Still, as of March 2017, 66% of Android devices were running a version of Android more than two years old, and only a little more than half of the top 50 Android devices received any sort of security update in the last quarter of 2016.

This really isn’t Android’s fault—or Google’s. The open source nature of the OS gives phone manufacturers (as well as carriers, which we will get to later) the ability to modify and tweak Android in many ways to make their devices unique. You may be familiar with Samsung’s often-maligned TouchWiz, HTC’s Sense, or LG’s Optimus UI. These customizations add many features customers value, like Samsung Pay, HTC’s BlinkFeed, or Sony’s Stamina mode. But the flip side is that the more phone manufacturers customize Android to make their phones stand out, the harder it is for them to implement the security patches or OS updates issued by Google. Still, reputable Android phone manufacturers do exist, and most do a decent job of keeping their unlocked and unbranded phones up to date.

Unbranded OEM Phones Get Updates Second

If you don’t want an iPhone or a Pixel phone but still care about security, then getting an unlocked and unbranded phone from a manufacturer you trust is the best way to go. Many Android phone manufacturers try to release security patches relatively quickly; some are only a week or two behind when Google releases them on the Pixel. In a report, Google has highlighted the Android phones that received 2016 security updates the fastest, which include the ASUS ZenFone 3, LG V20, OnePlus 3, Samsung Galaxy S7, and Sony Xperia X Compact.

One thing you may notice is that all the phones in Google’s report are high-end, which is a bit of a pattern with Android. Because of the work involved in the updating process, many Android phone manufacturers decide it’s not worth the cost or effort to issue security updates to their budget Android phones regularly. Budget phones will often get security updates late, and usually only receive about a year of support. Even Android flagships rarely receive support for more than two years. So, if you care about security, recent flagship Android phones are the safest route.

Carrier-Branded Android Phones Get Updates Last, if at All

From a security standpoint, the worst way to go is purchasing a carrier-branded Android phone. US carriers also modify the Android operating system to add carrier-specific features. Sometimes they add interesting features, such as Wi-Fi Calling or VoLTE (Voice over LTE). But, often, they add things nobody wants, like a carrier logo when you turn on your phone or some useless apps you can’t delete. Even worse, carriers occasionally install things on phones that are themselves security risks. In 2011, it was discovered that the diagnostic software Carrier IQ, installed on many US Android phones, was sending every keystroke you typed unencrypted to the carriers. Today, many US carrier Android phones come with a piece of software called DT Ignite that allows carriers to install any app they want without your permission.

These carrier-specific Android tweaks also add another step before any phone receives security patches or OS updates. First, Google releases the patches to the Android phone manufacturers. Then the Android phone manufacturer must give its updated version of Android to carriers, who must in turn ensure each patch works with their now-twice-modified version of Android running on their phones. This lengthy process ensures that carrier phones are almost always behind on updates, if they receive updates at all. Typically, only flagship phones get security updates on carrier-branded phones, but even then, you still must deal with the possible security holes introduced by some of the customizations carriers make.

You may wonder why companies like Verizon and AT&T muck with security so much, and really the answer is simple: people keep buying phones from them, anyway. Until it hurts their wallet, their behaviors won’t change. Luckily, you have the option to purchase unbranded phones from B&H, as well as many other retailers. So, if you care about security, you really should steer clear of your local carrier’s store, unless you are going to be picking up an iPhone or Pixel.