"Even the BlackBerry doesn't have all the security features that the iPhone has," Joost Pol, the CEO of Certified Secure, told ZDNet upon winning the $30,000 cash prize in the Pwn2Own contest. "With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said. And Charlie Miller, famous for his own iPhone hacks, has also publicly admired the security features built into Apple's phone.
And the security of Apple devices extends beyond the code. Experts note that the company's top-down control model has advantages over the decentralized ecosystem that Google created with its open source Android platform.
Apple may not be any faster than Google to address critical vulnerabilities in its mobile operating system, but it's far more efficient in distributing those updates to its massive, global user base. Unlike Google, Apple was able to throw its weight around and wrest control of updating its devices away from carriers. As a result, iOS updates stream directly from Apple to iOS devices via its iTunes application, bypassing the carriers whose networks the phones connect to. The upshot: iOS devices are far more likely to be running the latest and most secure version of their operating system than Android devices.
"Apple got a lot of things right," said mobile security expert Jon Oberheide of the firm Duo Security. "They've done a much better job in the software update category – they have just a handful of hardware platforms that are all controlled by them and they control the software, too. So it's much more reasonable for them to provide updates."
In contrast, Google makes and manages the underlying Android operating system, but partners with a panoply of mobile carriers and OEM hardware makers to provide a wide range of different Android phone makes and models. As a result, any software update has to follow a tortuous path from Google to the handset maker, and then out to customers via the various mobile carriers.
Because mobile carriers have little incentive to patch the mobile devices their customers use, it is no surprise that they have a poor record of distributing software updates that repair critical security holes in mobile operating systems or applications, Oberheide said. Instead, they wait months or even years to disseminate Android updates to their customers.