Pegasus, iPhone and Android: iPhone is still the safest phone even if it is not 100 per cent safe

With a majority of Pegasus infections confirmed by Amnesty International found on the iPhone, the question many people have is this: Is an Android phone safer than an iPhone? The answer, largely, is no, though exceptions apply.

Story highlights
  • Most of the confirmed Pegasus infections are on the iPhone. 
  • But Amnesty International, which did forensics, also says that this is because logs are available on iPhone. 
  • Against targeted attacks, neither iPhone nor an Android phone is safe. 

There is a big question many smartphone users, particularly those who believe that they can be spied upon because of their prominent position in society, have on their minds right now. Is an Android safer than the iPhone, a device with which Apple claims to sell users better privacy and data safety? The question is relevant because of the Pegasus spyware, through which an estimated 50,000 people have been targeted, including hundreds of people in India. It has been found on several iPhones by Amnesty International, which carried out a forensic investigation of some targeted phones.

Now before we move to the safety and security of the iPhone vs Android, let's talk of the facts. And the facts are:

-- Amnesty International says that Pegasus has been used to potentially target around 50,000 phone numbers in the last several years.

-- Pegasus is a spyware created by NSO Group, a company based in Israel. The government of Israel categorises Pegasus as a weapon. Its export to other countries -- there are potentially 45 countries, including India, which have used Pegasus -- has to be cleared by government officials on a case-to-case basis.

-- Amnesty International has carried out a forensic examination of 67 phones to find if they were infected or attacked with Pegasus. It found conclusive evidence that 37 of these were attacked with Pegasus.

-- Of the 37 phones, 34 were iPhones. In total, 24 of these 37 phones showed evidence of a successful Pegasus attack, while the 13 other phones showed evidence of attack but no conclusive proof that the attack was successful.

-- Amnesty International has said that some of these iPhones were recent models like the iPhone 11 and the iPhone 12, and some of them were running the latest iOS 14.6 software. Some of them were hacked as recently as the second week of July.

-- Amnesty largely blames security bugs in iMessage that helped NSO Group hack into the compromised iPhones.

Beyond facts is analysis

"Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO's spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised," says Danna Ingleton, Deputy Director, Amnesty Tech.

So, does this mean a damning verdict on the security of the iPhone? It does, more so because Apple has popularised the idea in recent years of iPhone being much more secure and safe than Android phones. But does this mean that Android phones are safer than iPhones? No, not at all.

Amnesty singles out the iPhone in its analysis for two reasons:

1- Given all the talk from Apple about the security of the iPhone and iOS, many people, particularly those who have reasons to be under some surveillance, believe that iPhone will keep their privacy and data safe. Because this is contrary to what Amnesty found in its forensic tests, the group is highlighting it.

2- Android phones, Amnesty found, are poor at retaining security logs. So, Amnesty believes that even if they were compromised by Pegasus, finding conclusive proof is more complicated than what is possible in the case of the iPhone. Here is what Amnesty notes: "Thousands of Google Android phones were also selected for targeting, but unlike iPhones their operating systems do not keep accessible logs useful for detecting Pegasus spyware infection."

Where does that leave users? First of all, let's hear what Apple is saying about the Amnesty findings and Pegasus. In a statement to India Today Tech, Ivan Krstic, head of Apple Security Engineering and Architecture, says: "Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place... Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."

The key part here is "attacks like the ones described", and I will come back to it.

Think of baseline security in the iPhone

But the other takeaway here is that Apple is saying that it has better baseline security in the iPhone than what other phones offer. And Apple is most likely right. Android phones, because of their fragmentary nature and because of all the custom software that tens of phone makers put in their phones, are less secure in general. There are more viruses, trojans, spyware and adware targeting Android phones than the iPhone. More rogue apps have been found in the Android Play Store compared to the iOS App Store. Once on the phone, a rogue app or adware has more chances to collect users' data on an Android phone.

At the same time, the fragmentary nature of the Android world means that most Android phones are not even going through the kind of forensic and security assessment that iPhones are put through from time to time. In other words, even if an Android phone from Brand A is safe, there is no guarantee that an Android phone from Brand B will be equally safe.

Amnesty didn't say it, but the reality is that the world of Android phones, when it comes to privacy, data integrity and safety, is like the Wild Wild West. Google has some of the top cybersecurity researchers and the company is undoubtedly capable of creating the safest mobile operating system or smartphones in the world. But most Android phones are not Google phones. They are Samsung, Xiaomi, Realme, OnePlus, Vivo, Nokia, Motorola phones. And so messy is the whole scene, both in terms of hardware and software, that it is nearly impossible to audit the security of Android phones.

Is there a safer Android phone?

The only way an Android phone can be safer than the iPhone is if an Android phone is completely wiped of its software and then made to run a "security focussed" custom version of Android. Let's call this version Android S, where S stands for safety. This is something that cannot be done with the iPhone. On the iPhone, one is limited to what Apple decides to give or not give to you.

The problem, however, is that creating a phone with Android S is nearly impossible. There is no Android S available in public. In fact, creating a "safe" version of Android will take a huge amount of resources, skills and focus that only big government organisations or a billion-dollar company will be capable of.

Instead, right now, the Android phones that are available are the Android phones running MIUI, OneUI, OxygenOS and so on and so forth. These are almost always as buggy and full of loopholes as an iPhone, or rather even more.

But what if there is an Android S? Even then, Android is unlikely to be safer than the iPhone. Reason? Targeted attack. Against something like Pegasus, there is no 100 per cent safety. In software, and even in hardware, there are always bugs. There are bugs that are known, and there are bugs that are unknown. Spyware like Pegasus, which is the result of millions of dollars of research, will always find one or two of these unknown bugs and exploit them.

In other words, what this means is that to be absolutely safe, or rather as safe as possible, one has to do what Edward Snowden was doing in 2013 when he was on the run after unmasking the surveillance programme of NSA in the US. To avoid surveillance, Snowden was putting phones in the freezer in a refrigerator.

This is also why recently, when someone asked Robert Baptiste, a French security researcher known in India for his Aadhaar exploits, which is better, iPhone or Android, he said: "At this level, it doesn't matter... (but) iOS (is better) because the entry barrier to hack someone is higher."

This is the same argument that Apple has made in its statement about the vulnerability of the iPhone and Pegasus. Of course, this doesn't mean that Apple can't do more. It must, because people have higher expectations from an iPhone. But it is also wrong to say that the iPhone is less secure against Pegasus than an Android phone.