Cybersecurity, Cloud Engineering, and AI blog

iPhones and iPads are much less secure than Android-based GrapheneOS, according to sources of CVE analysis

Apple iOS vs. GrapheneOS Security Comparison Between August 2022 and Q3 2024

To say that smartphones have come a long way in a short amount of time would be the understatement of the century! Just two decades ago, we were mostly using our mobile phones to make calls and send text messages. Remember the Nokia 3310? It was practically indestructible and its battery lasted seemingly forever, but it didn’t do much beyond the basics.

Everything changed in 2007 when Steve Jobs introduced the first iPhone. It wasn’t just a phone—it was a sleek, little computer with a touchscreen and a whole new way of using apps. This set off a tech race, and very soon Android phones from brands like Samsung, HTC, and LG were competing fiercely.

Early smartphones had minimal security features, but the growing threats of malware, phishing, and data breaches demanded more robust solutions. Nowadays, security is a major focus. Modern smartphones come equipped with advanced biometric authentication methods like fingerprint sensors and facial recognition, which have significantly improved device security.

Operating systems are updated regularly to patch vulnerabilities, and the two major app stores have strict policies that minimize the risk of malicious software. Data is now protected with encryption both while it is on the device and when it is sent over the internet. Additionally, other security apps and features help people manage their passwords, detect threats, or even maintain privacy, some of which we’ll go over shortly.

In spite of this progress, the increasing complexity of cyber threats means security measures must adapt quickly, and updates from CI/CD pipelines must be deployed as fast as humanly possible. There are also new risks with the integration of AI and machine learning into smartphones, because these technologies can be used against us if not properly secured. As we enter the 5G era and beyond, the security of our mobile devices becomes more important than ever before.

Current smartphones are no longer just devices for communication; they are indispensable for both personal and professional lives. As we grow more dependent upon them, cybersecurity assumes a critical role. The journey of smartphones over the past 20 years shows remarkable technological advancements but also underscores a persistent struggle to defend our digital life in an increasingly interconnected world.

Fast forward to 2024, and we have two primary choices when it comes to choosing a mobile device: Google Android or Apple iOS. Android is open source while Apple iOS is completely closed source, which is a night-and-day difference from a cybersecurity perspective. However, what most people don’t realize is that the world of Android “forks” is becoming increasingly sophisticated. Forking iOS is not allowed by Apple, which prevents this security model from being developed for iPhone. One of the many Android forks, and the one we’re looking at in this article, is GrapheneOS. Take a look at this list of iOS CVEs:

Section 01: Apple iOS Vulnerabilities Compromising System Integrity

  • March 2024: CVE-2024-1580 – Integer overflow in the CoreMedia and WebRTC components, leading to arbitrary code execution. Source
  • March 2024: CVE-2024-23225 and CVE-2024-23296 – Zero-day vulnerabilities in the iOS Kernel and RTKit allowing arbitrary kernel read and write capabilities, bypassing kernel memory protections. Source
  • May 2023: CVE-2023-32373 – WebKit use-after-free vulnerability in iOS, macOS, and other Apple products, leading to code execution. Source
  • April 2023: CVE-2023-28206 – Out-of-bounds write vulnerability in IOSurfaceAccelerator, allowing code execution with kernel privileges. Source
  • February 2023: CVE-2023-23529 – WebKit type confusion vulnerability in iOS, macOS, and other products, leading to code execution. Source
  • December 2022: CVE-2022-42856 – Type confusion vulnerability in iOS, leading to code execution. Source
  • October 2022: CVE-2022-42827 – Out-of-bounds write vulnerability in iOS and iPadOS kernel, allowing code execution with kernel privileges. Source
  • September 2022: CVE-2022-32917 – Unspecified vulnerability in Apple kernel, allowing code execution with kernel privileges. Source
  • August 2022: CVE-2022-32894 and CVE-2022-32893 – Out-of-bounds write vulnerabilities in iOS and macOS, leading to remote code execution. Source

As you can see, there have been quite a few dangerous CVEs since August 2022 that affect all iOS devices, including iPad and iPhone. The worst of the listed iOS vulnerabilities are the March 2024 zero-days (CVE-2024-23225 and CVE-2024-23296). These allow arbitrary kernel read and write capabilities, bypassing critical kernel memory protections. This gives attackers full control over the device by manipulating the core operating system. The zero-day nature of these vulnerabilities means they were actively exploited before being patched, increasing the risk to users. Below is a list of serious stock Android vulnerabilities during the same time frame.

Section 02: Stock Android Vulnerabilities Compromising System Integrity

  • July 2023: CVE-2023-21250: A critical security vulnerability in the Android System component affecting Android versions 11, 12, and 13, which could enable remote code execution. Source
  • March 2023: CVE-2023-28578: Multiple vulnerabilities in Google Android OS, including those that could allow for remote code execution, potentially leading to system compromise. Source
  • August 2022: August 2022 Security Bulletin: A critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed. Source
  • July 2024: July 2024 Security Bulletin: A critical security vulnerability in the Framework component leading to local escalation of privilege with no additional execution privileges required. Source
  • April 2024: April 2024 Security Bulletin: A high-severity vulnerability in the System component that could lead to local escalation of privilege. Source
  • September 2022: September 2022 Security Bulletin: A high-severity vulnerability in the Framework component leading to local escalation of privilege with no additional execution privileges needed. Source

As you can see here, there are far fewer and much less severe CVEs affecting stock Android during the same timeframe as the iOS analysis in Section 01. The worst of the listed stock Android vulnerabilities is the one in the August 2022 Security Bulletin, which allows remote code execution over Bluetooth without requiring additional execution privileges. However, its severity is somewhat mitigated by the need for physical proximity to the target device, as the attack relies on Bluetooth rather than the internet-based methods seen in CVE-2024-23225 on iOS.
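A practical check to go with the Section 02 list, as an added example that is not part of the original article: given the value of a device's `ro.build.version.security_patch` property, report which of the listed bulletin months that patch level covers. The function names are hypothetical, the months are taken as the article lists them, and the sample patch level is constructed.

```python
from datetime import date

# Bulletin months exactly as listed in Section 02 of this article
# (label -> (year, month)); the article's month attribution is used as-is.
PAGE_BULLETINS = {
    "August 2022 Security Bulletin": (2022, 8),
    "September 2022 Security Bulletin": (2022, 9),
    "CVE-2023-28578": (2023, 3),
    "CVE-2023-21250": (2023, 7),
    "April 2024 Security Bulletin": (2024, 4),
    "July 2024 Security Bulletin": (2024, 7),
}

def parse_patch_level(value: str) -> date:
    """Parse ro.build.version.security_patch, formatted YYYY-MM-DD."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError as exc:
        raise ValueError(f"not a security patch level: {value!r}") from exc

def coverage(patch_level: str) -> dict:
    """Classify each listed bulletin as 'full', 'partial' or 'missing'.

    Android bulletins define two levels per month: YYYY-MM-01 (a first
    set of fixes) and YYYY-MM-05 (all fixes for that month and earlier).
    """
    level = parse_patch_level(patch_level)
    result = {}
    for label, (year, month) in PAGE_BULLETINS.items():
        if level >= date(year, month, 5):
            result[label] = "full"
        elif level >= date(year, month, 1):
            result[label] = "partial"  # only the -01 subset is guaranteed
        else:
            result[label] = "missing"
    return result

def missing_or_partial(patch_level: str) -> list:
    """Labels a fleet report should flag for this device."""
    return [k for k, v in coverage(patch_level).items() if v != "full"]

if __name__ == "__main__":
    # Constructed sample, in the form printed by
    # `adb shell getprop ro.build.version.security_patch`.
    for label, state in coverage("2024-04-01").items():
        print(f"{state:8} {label}")
```

A "partial" result means the device reports only the `-01` level for that month, so fixes published under the `-05` level of the same bulletin may be absent.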

Let’s take a look at how GrapheneOS will further set things apart from iOS and stock Android in the hardened GrapheneOS environment:

Section 03: The only Android vulnerabilities between August 2022 and Q3 2024 that might affect GrapheneOS, according to my analysis

  • July 2023: CVE-2023-21250: This vulnerability involves an out-of-bounds write in the Bluetooth component, potentially leading to remote code execution. Given that this issue affects core Android components, it is likely to impact GrapheneOS as well. Source
  • March 2023: CVE-2023-28578: This vulnerability involves memory corruption in Qualcomm’s Core Services, which can lead to device hijacking. Since GrapheneOS runs on devices using Qualcomm chips, it is also likely affected. Source

As you can see, GrapheneOS is MUCH safer than iOS and considerably safer than stock Android. Although…

Section 04: Can’t have your cake and eat it too: What’s missing from GrapheneOS that you get with a stock Android?

  • RCS SMS messaging: Text messaging with encryption on your primary phone number. Workaround: don’t use text messaging for sensitive data; look at Signal vs Telegram.
  • Google Pay/Wallet: NFC wireless payments at the credit card terminal.
  • Call Screen and Hold for Me: Automated call handling features available on Pixel devices.
  • Now Playing: Automatic music recognition on the lock screen.
  • Pixel Stand fast charging: Optimized charging when using a Pixel Stand.
  • Weather Info on Lock Screen: Real-time weather updates directly on the lock screen.

TL;DR: iPhones and iPads have experienced several critical vulnerabilities affecting system integrity, with multiple CVEs from August 2022 to March 2024, leading to arbitrary code execution and bypassing kernel protections. In contrast, GrapheneOS is highlighted as a more secure option with no remote code execution CVEs during the same time frame, despite lacking features like RCS messaging and Google Pay. iOS had multiple high-severity CVEs in this period, whereas GrapheneOS is considered more secure but misses some common Android features. Moreover, stock Android is more secure than Apple iOS according to sources of CVE analysis.

An idea for a future article? BlackBerry vs GrapheneOS for a leading mobile cybersecurity fortress.