
Forums before death by AOL, social media and spammers... "We can't have nice things"

   comp.sys.mac.advocacy      Steve Jobs fetishistic worship forum      120,746 messages   


   Message 119,395 of 120,746   
   Marian to Tyrone   
   Security Is Far More Comprehensive Than    
   21 Dec 25 22:06:24   
   
   XPost: misc.phone.mobile.iphone   
   From: marianjones@helpfulpeople.com   
      
   Tyrone said:   
   >>  e. You and I use completely different definitions of phone "security"   
   >>     etc.   
   >   
   > Yes.  I use multiple sites (some that YOU provided in your attempt to show   
   > that Android is more secure) that ALL show that the vast majority of security   
   > issues/malware happen on Android.  You use a single site that says iOS had 3   
   > more zero-day patches than Android last year.  Even with that, iOS is STILL   
   > way less likely to be infected. Thus, iOS is way more secure than Android.   
   >   
   > So obviously, you are going to continue your absurd, undocumented claims.  No   
   > one is shocked. As you stated, ignoring facts is not what adults do.   
      
   No serious security expert claims "iOS is way more secure".   
   There isn't one in the entire world, in fact, that you can find.   
      
   It's obvious why.   
   There isn't a professional security researcher on the planet who says that.   
      
   It's only Apple marketing that implies that.   
   Not serious researchers.   
      
   You are apparently attempting to reduce a very complex subject to a single   
   metric (malware prevalence), and that is not how security professionals   
   evaluate operating system security. Malware rates are not the definition of   
   security. They are one symptom of a much larger system.   
      
   Here are some of the much more complicated facts that matter:   
      
   CISA KEV data does not show iOS as "way more secure." When you query the   
   CISA Known Exploited Vulnerabilities database, iOS and Android have roughly   
   similar numbers of actively exploited CVEs over time. That is the only U.S.   
   government maintained list of real-world, in-the-wild exploited   
   vulnerabilities. It does not show iOS as dramatically safer.   
      
   Zero-day exploitation rates do not show iOS as "way more secure." Google   
   Project Zero's annual reports show that Apple repeatedly ships code that   
   has never been fuzzed or tested with modern techniques. Project Zero has   
   publicly stated that Apple's code quality and testing coverage lag behind   
   industry best practices. Again, this is not my opinion; it is documented   
   research.   
      
   iOS's monolithic update model slows down patch deployment. Before Rapid   
   Security Responses existed, any fix to any system component required a full   
   OS rebuild and full QA cycle. That is why iOS historically took longer to   
   patch certain classes of bugs. Android's modular architecture (APEX,   
   Mainline, Play Services) allows many components to be patched   
   independently. Update speed is a major part of security.   
      
   Malware statistics do not prove OS-level security.   
   Malware prevalence is heavily influenced by:   
    a. market share   
    b. sideloading behavior   
    c. user behavior   
    d. distribution channels   
    e. regional differences   
      
   Furthermore, mere economic incentives for attackers. Malware rates do not   
   measure kernel security, sandboxing, exploit mitigations, patch velocity,   
   or code quality. They measure user exposure, not OS architecture.   
      
   No serious security expert claims "iOS is way more secure."   
      
   Security researchers consistently say the opposite: both platforms have   
   strengths and weaknesses. iOS has a strong sandbox and strong hardware   
   security, but slow patch cycles and opaque code quality. Android has a   
   larger attack surface and more malware, but faster patching for many   
   components and better transparency. Security is not a scoreboard. It is a   
   system.   
      
   The only meaningful way to compare security is by looking at real-world   
   exploited vulnerabilities, patch timelines, exploit mitigations, and code   
   quality. When you look at those metrics, the picture is mixed, not   
   one-sided.   
      
   So yes, you and I use different definitions of "security." You are using   
   malware statistics. I am using CISA KEV data, Project Zero research, patch   
   velocity, exploit mitigations, and code quality. Those are the metrics used   
   by actual security professionals.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   



(c) 1994,  bbs@darkrealms.ca