This is the one reason iPhone still beats Android on security

There are a lot of factors that come into play when deciding between Android and iPhone, but when it comes to security, Apple’s smartphones take the lead. As an Android user myself, this isn’t the easiest thing to admit, but patch gaps continue to seriously hold back the security of the best Android phones.

The best iPhones receive security updates from Apple as soon as they become available. The same can’t be said for most Android phones, with the exception of Google’s own Pixel devices. Instead, Android device manufacturers often wait weeks or even months before distributing the search giant’s previously released security updates.

In its annual 0-day vulnerability report, Google has acknowledged that patch gaps remain a problem for Android as a whole. This is because the Android ecosystem is much more complex than Apple’s with Samsung, Motorola, OnePlus and so many other different device manufacturers releasing and then having to provide updates for their respective smartphones.

To make matters worse, zero-day vulnerabilities that have been fixed by Google are then exploited by hackers as device manufacturers have yet to distribute and apply those patches to their own smartphones. Fortunately, there is a way to get around all this, though you do lose out on one of the best ways in which Android still beats iPhone: choice.

Zero-day vs n-day vulnerabilities

For those unfamiliar, a zero-day vulnerability is a security flaw that is discovered before a company becomes aware of it or releases a patch to fix it. During this time, a zero-day can be exploited by hackers and other cybercriminals in their attacks.

An n-day vulnerability is a bit different. While it’s also a serious security flaw, information about it has been released publicly, though there may or may not be a patch available. As BleepingComputer points out, if a software bug is discovered in Android before Google finds out about it, it’s a zero-day. Once Google does become aware of the flaw, though, it becomes an n-day, with the letter ‘n’ representing the number of days that have passed since its discovery.

The problem here is hackers can use n-days instead of zero-days to launch attacks on vulnerable Android smartphones which have yet to receive the latest security updates from Google. For instance, the company’s Threat Analysis Group noted in its report that last year, “attackers didn’t need 0-day exploits and instead were able to use n-days that functioned as 0-days.”

By using known exploitation methods or developing their own, attackers can leverage n-days to launch attacks against unpatched Android smartphones for months even though Google has already patched them.

Patch gaps are a thorn in Android’s side

In addition to Android fragmentation where device manufacturers hold off on updating their phones with the latest version of Google’s mobile operating system, patch gaps are a huge problem for Android and they’ve been a thorn in its side for quite some time.

When the search giant does release a new Android security update, it can often take device manufacturers up to three months to make these patches available. Even then, this is only for the smartphone models they currently support, and those with older Android phones won’t get them at all.

The annoying thing here is even if you buy the latest smartphone from your favorite device manufacturer — let’s say like me it’s OnePlus and you pick up a OnePlus 11 for instance — you could end up waiting months for security updates despite having a brand new smartphone. During this time, you could fall victim to Android malware that exploits zero-days which have technically already been patched.

It’s also easier for hackers and cybercriminals to exploit zero-days which have been addressed by Google since technical details about them and even proof-of-concept exploits may have already been published by security researchers.

The case for Google’s Pixel phones

Unlike other Android smartphones, Pixel phones like the Pixel 7, Pixel 7 Pro and the newly released Pixel Fold are the first to receive new security updates and patches as they’re made by Google. 

If getting the latest security updates in a timely fashion is important to you, then a Pixel might be the best choice for you. Still though, Google’s Pixel phones aren’t without their issues with the biggest one being much shorter battery life than devices from other manufacturers. Not having to wait for security updates or being able to try out Android 14 the second it becomes available certainly help make up for this though.

Even if you don’t have a Pixel, you can still keep your Android smartphone protected from hackers by installing one of the best Android antivirus apps. Likewise, if you’re on a tight budget, Google Play Protect comes pre-installed on most Android phones and scans both your existing apps and any new ones you download for malware.

If Google itself has come out and said that patch gaps are one of the biggest problems with its own operating system, I expect the company will figure out a way to address the issue once and for all at some point. Until then, you’re going to want to get an Android device with years of security updates like Samsung provides with its Galaxy smartphones or bite the bullet and get a Pixel. If you do decide to go that route, the Pixel 7A offers the most bang for your buck with security updates straight from Google. 

While an iPhone may be inherently more secure than Android due to Apple’s closed ecosystem, you won’t have nearly as many choices when picking out your next smartphone or when choosing how you want to use it.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.