iPhone versus Mainstream Android

I’ve read the articles regarding both hardening(?) Android and iOS. I also noticed that the Android page used to say, as I remember, that the only recommended phone operating system was GrapheneOS and using anything else was “at your own peril”. Though, I can’t find that disclaimer anymore.

Most of the recent posts on the forum seem to lean iOS over mainstream Android in the wake of faltering confidence in GOS/3rd party Android ROMs due to the internal hardship of both GOS and CalyxOS this year. GOS lost its senior developer back in April of 2025 and CalyxOS’s most recent blog post as of this post states that their President and Senior Developer have both left the project and no updates will be posted for the foreseeable future. Calyx goes so far as to recommend you NOT USE Calyx until future notice due to the inability to ship updates at this time.

This all makes me revisit the guides and the forums to see what the current general consensus is. Since security/privacy is a moving target, I’m looking for the current target if you will.

Seeing the forum posts seem to favor iOS over mainstream Android (Samsung/Google/Asus/Sony/etc) I’m interested in the why. Off the top of my head, I can’t imagine a reason to justify one over the other that isn’t immediately discounted by a reason to use the other hand. It really seems to me that they’re both equally bad in basically every way.

So, why do people seem to be more comfortable trusting Apple over trusting the readily available, mainstream Android phones? And is there any true documentation to back up this trust?

3 Likes

So, why do people seem to be more comfortable trusting Apple over trusting the readily available, mainstream Android phones? And is there any true documentation to back up this trust?

Yes, the Apple marketing brochure.

5 Likes

I’m unfamiliar with this event.

https://xcancel.com/GrapheneOS/status/1913252270654783506#m

One of GrapheneOS’s senior developers was conscripted into the Ukrainian war effort. Their involvement with GrapheneOS in a senior dev capacity is on hold indefinitely it seems: https://xcancel.com/GrapheneOS/status/1969887274637676808#m.

2 Likes

I’m a GrapheneOS Evangelist, but I think iOS just has the consumer pull they always had – “It just works”.

Apple is a tricky company for privacy. Some things they do well, and other times they show contempt for consumer privacy.

Their malicious compliance with alternative app stores, and general business model shows they want consumer choice to be as limited as possible. Being able to drop everything and ditch a service should be a high priority in digital privacy, as policies and local laws change constantly.

It’s a shame, because they make some great products. I used to buy old MacBooks and install Linux before they nuked that into the earth.

Anyway, I’m rambling.

Apple gets a lot of the technical aspects of privacy right, which is what a lot of people focus on. Encryption, app permissions, trackers, etc.

Stock Android, and especially vendors like Samsung, have too many 3rd parties involved on the device for it to be trustworthy. I hate how bloated anything other than Stock Android is, and it’s nigh-impossible to clean out the junk services.

I think Apple just has a “cleaner” experience that most people find attractive. It’s also easier to guide people on Apple products because they’re all very much the same.

Writing a guide on Android would need to consider the UI variance between vendors.

2 Likes

I think it’s because you only have to trust Apple, meanwhile the alternative means you have to trust Google and the phone manufacturer itself, making it easier to fracture your personal data into “trusting” multiple parties that aren’t too keen in actually keeping you private.

Mind you Apple is guilty of also not being private sometimes. Other times, they too seem to care and push privacy forward, causing a cascade of privacy advancements in the industry - but also causing the privacy offending personalities and companies to adapt and play the cat and mouse game, just to get back and make their old business model viable again somehow.

2 Likes

Isn’t this a blessing and a curse?

On the one hand, “you only have to trust Apple”. Yet, that also means putting all your eggs in one basket. And while, in terms of privacy, I’m unaware of any major sins such as data leak; on the front of consumer trust Apple should be chief among sinners considering their colored record of putting out bad hardware and purposefully breaking old hardware to get you to buy new.

It seems to me that having different vendors, while it increases the risk surface, it also spreads out that risk burden. Provided you don’t give all your information to all the vendors. It seems like this is a half dozen one way 6 the other problem.

I mean, you are though, inherently.

I don’t think this is the main reason people have switched to Apple though. I think the main reason is that Apple and GrapheneOS are currently the only two mobile vendors (IMO) that are developing high-security features and enabling them by default for their users.

Take Google for example, who typically have cutting-edge advancements developed by their security researchers, which GrapheneOS takes heavy advantage of, but even the Google Pixel line often doesn’t. It’s because Google as an overall company does not give a shit about security or privacy, they just have some internal groups that do. It’s not making it to product a lot of the time. When Apple’s security team launches something it gets widespread usage, because security and privacy have some level of buy-in at the product level you simply do not see with other commercially available products.

A lot of people in this community also trust GrapheneOS when it comes to topics of mobile security, and they are on the record many times saying that iOS is the second place option behind GrapheneOS.

Obviously the best choice is usually to just stick with our Android recommendations and there are many reasons to generally recommend against iOS, but in a comparison to mainstream Android it is no real contest that Android is just trash.

6 Likes

Are you SURE you’re talking about Google Pixels here? lol

1 Like

For me, this is exactly it. I chose Apple primarily because of the general security track record. As @_TrustyRocinante mentioned above, their technical privacy designs are also much better than stock Android, although I don’t believe their actual practices are that much different from Google’s, when it comes right down to it. Yes, they have this refrain that they’re ‘not in the business of selling data’ to mean they have no incentives to collect it, but let’s face it, there are many, many more incentives to mass-collecting personal data even if you don’t sell it. I have no more trust in Apple than Google on this front.

In addition, I agree with @HauntSanctuary that at least I only have to sell (or rather, pay to give) my soul to Apple, and not also to an unknown amount of 3rd party companies. Sure, that’s technically “keeping all your eggs in one basket” but for these here eggs, that’s the least risky scenario. At least I presume Apple will jealously guard anything and everything they have on me, rather than just kind of throwing it around like Google does. Again, doesn’t mean they don’t sell it. But they do seem to be a bit more… discerning? As it does affect their bottom line, as well as their marketing and PR.

As for GOS, well, I haven’t gotten around to getting a Pixel yet. Maybe if I get a higher-paying job at some point (I did not buy my iPhone, and it is definitely not the newest model lol)

1 Like

This poll from January suggests that confidence in GOS has grown since the previous poll in 2024

Which (De-Googled) OS(s) are you using on mobile?

Here is the poll from 2024 Poll: Which Phone Operating System do you use?

I can’t see the loss of one developer shaking confidence in the project.

This seems reasonable to me.

I can definitely see what you mean in “delivering security developments”.

Even if that doesn’t help privacy. For normal users who aren’t paranoid, that’s a solid point.

Begrudgingly, in the foreseeable future (that Pixels are no longer part of), iOS is the least terrible way of conducting normie transactions specifically involving mobile banking. I really want it to Graphene but until the announcement of a new device for them, Pixel+Graphene is somewhat bothersome to use already and removing sane support for the future makes it a no-go for me.

Trusting the least amount of companies seems to be the most sane way forward. Of those companies, that you have to trust, Apple is currently the least terrible as they seem to care about securing their walled garden.


People have suggested to me that I use web client based banking to have the option of using Linux based phones and while I am aware that this is a terrible suggestion, security-wise, I may also go in the direction of a Linux phone out of spite. But I don’t have a specific Linux phone model in mind right now.

Now going back to the web based banking (as opposed to App based mobile banking), not all banks support those these days and would rather just want to just use phone apps provided by Apple, Google and even Huawei’s Harmony OS.

I don’t think that using a bank’s website is any less secure than an “app.” Generally speaking, apps can collect far more information regarding the environment in which they run.

One thing that seems to be true, however, is that some banks in some foreign countries more or less require an app as second authentication factor to access their website. Some of these apps reportedly enforce Play Services/Integrity and don’t run on custom ROMs. If my bank imposed such an app and a practical alternative did not exist (such as moving to a competitor), I would buy the most affordable compatible Android device I can find, use it to run that essential app only, and keep it powered off in my drawer the rest of the time.

4 Likes

It’s not really, the only thing that is possibly a concern is if the computer is already compromised in some other way.

My understanding is GrapheneOS is actually in better shape than it was a while ago, so, who really knows. I think they’re in a better position than other Android OSes as a result of those Google changes. As for the developers, I think they’ve picked up a few others. There are also more outside contributors too, especially in testing.

Apple vs stock Android has a number of privacy and security advantages.

  1. App permissions are far more curtailed in iOS - the more locked down OS design means it’s much harder for apps to spy on things outside their sandbox
  2. Data collection by Apple is far less than by Google… just compare data collected by Apple Maps to Google Maps as an easy and dramatic example
  3. iMessage and FaceTime provide E2EE messaging (including key verification if turned on) and audio/video calls. Arguably these were the first widely used E2EE communication services available years before Signal ever came on the scene
  4. Advanced Data Protection provides E2EE cloud storage/backups natively in the OS to include things like Photos and Notes. It’s even cheap compared to alternatives like Proton Drive or Ente Photos
  5. Lockdown Mode has a growing track record of being an effective counter to mercenary spyware. Thus far, no published/known attacks have been effective against it. And it just takes one toggle to turn it on.
  6. Related to 4, Apple has a program focused on detecting such attacks and notifying the targets in addition to rapidly deploying security patches to all iOS users when a new vulnerability is discovered.

This is not to say that you could not get near this level with some effort of configuration of a stock Pixel device. But you wouldn’t reach parity and even trying is a lot harder than just flipping some options in settings in iOS.

The Hated One YouTube channel put out a video and according to him Google and Apple have roughly the same data collection. It’s just Apple doesn’t share too much to third parties unlike Google. Apple is a trillion dollar company and you don’t become a trillion dollar company by avoiding data analytics like the other BigTech.

I would argue that Apple still operates in China which means they currently are complying with local laws, meaning they hand out requested information from Chinese users. We can only speculate how much data is given to the government routinely and by official request or if their local servers have the “correct” western implementation of E2EE. All I am saying is that had Apple been more firm in its privacy stance like in the west, they would have been kicked out long ago and their phones banned in China.

What I am interested in, are the things in countries surrounding China and those between the west and China like the Middle East. I am in one of those surrounding countries and I am unsure where my country’s Apple Cloud server is, considering server hosting is absurdly cheap in places like Hong Kong and China. Several years ago, I was routed to a bilingual English and Chinese Apple Cloud login - so it’s probably located in China. Recently I am taken to its US servers, but now I question whether it is a sort of proxy server/VPN or not (with the main server back in China).

4 Likes

Eh, I don’t take THO content seriously.

In regard to Apple in China it is important to point out that they simply do not offer their E2EE services where they are illegal. So China lacks ADP and even iMessage and FaceTime. I point out this nuance because it is important to recognize that when Apple cannot offer E2EE services they say so.

If you are not in China or the UK, all of Apple’s E2EE services are available.

The main issue with both iPhone and Android is that neither is under the user’s control. Even if you accept Apple’s privacy claims at face value, if a law such as chat control were to pass in the EU, Apple would absolutely push an update through the auto-update backdoor (which is rather a “frontdoor”) and start spying on you as requested.

Hence if you care about your privacy and freedom, you should only use devices that run free software, because it is owned by the users and there is no one a government can turn to to enforce compliance.

2 Likes

Is it possible for something like that to happen to European MacBook users who haven’t set up their MacBook with an Apple account/Apple ID?