"I have not seen a single case where a phone was updated because of a security bug rather than because a new Android version was available," says Nico Golde, one of the Technische Universität researchers.
On the other hand, Apple has a patch process for iOS that offers updates on a regular basis. Security-conscious iPhone and iPad users will have the latest patches on their devices. Yet, for the average user, Android's over-the-air update mechanism may be a better solution -- but only if the carriers and manufacturers can speed up fixes to their smartphones and tablets, says Accuvant's Miller.
"If you don't plug in your iPhone [into iTunes] all the time, you won't get the patches," he says. "I would almost have someone do it remotely, rather than count on the user to update."
Is anyone really looking to attack iOS?
Windows users have to constantly be on the lookout for malware. Increasingly, so do Mac users. But smartphone users still don't have to face the same dangers, and that continues to be a major security benefit.
Although iOS has a lot of security going on underneath the hood, its safety could be due in large part to the fact that attackers have not focused on compromising the devices because there is no economic incentive to attack them, says Lookout's Mahaffey.
"Mobile devices are in the startup phase of the business of malware," he says. "Attackers are experimenting with business models, but we are not yet at the elbow in the curve." The psychology of the attackers will likely change, but figuring out when serious attacks will start targeting mobile devices, including the iPhone and iPad, is difficult.
The best example of a model of attackers' psychology may be a paper published in 2008, which used game theory to predict that attackers would start targeting Mac OS X when the devices reached a market share of approximately 16%.
Although predicting when attackers will take an increased interest in mobile devices would be interesting, it is more difficult than predicting the movement of malware from Windows to Mac OS X. The theory uses variables for market share and effectiveness of defenses, but assumes that both platforms -- the PC and the Mac -- are of equal value to the attacker. That's not necessarily true for mobile devices.