Even though 95% and 99% of phones were vulnerable and many never got patched, there was really no problem because few were affected?

I live in a neighborhood that has never had a reported break in. Does that mean I’m not more vulnerable if I leave my door unlocked and post a huge sign outside letting everyone know?

There are many layers of security in modern OSes. Apple ignores many of them to the peril of their customers, and it shows in the results. In your example, many Android devices left the door unlocked but had a security guard. Apple locked the door but the lock on the door allowed many other keys to work.

What security guard? There was no security that kept Android from being vulnerable. It would have been just as easy for someone to infect the Android build chain.

Even if you look at something like the way that third party keyboards work on Android, it’s a security nightmare.

On iOS, users have to explicitly go into settings to add a third party keyboard and even then it doesn’t have network access by default. The user has to go back into settings to enable the keyboard to have network access and then they get a big scary warning. Android users happily install keyloggers.

Also, even after you both install the keyboard and give the keyboard network access, iOS still switches back to the default keyboard when entering passwords.

> What security guard? There was no security that kept Android from being vulnerable.

Blocking exploits in the Play Store, among other things. Why do you think Stagefright was never exploited?

> It would have been just as easy for someone to infect the Android build chain.

We were just talking about reproducible builds.

> Keyboard nonsense.

Android also displays a scary warning for keyboards.

Stage fright didn’t involve having an app in the Play store. The review process is non existent, and static analysis tools wouldn’t catch it anyway.

> Stage fright didn’t involve having an app in the Play store.

If the MMS app and the browsers were updated to filter Stagefright exploits (on Android, unlike iOS, system app updates do not require an OS update and happen through the Play Store, one of many things Android gets right and iOS gets wrong), the only way to exploit it is by publishing your own app to the Play Store and getting somebody to install it and hoping that the device doesn't have an selinux policy that limits the privileges of the exploit. The Play Store can trivially block apps that don't use an approved wrapper library for media that filters Stagefright exploits.

Back then the built in Web view that apps embedded was built into the OS as was the browser. You remember that Chrome wasn’t the browser for apps back then.

Also, what’s the differences between updating the OS from Apple’s servers and hypothetically updating an app from Apple’s servers. Are you trying to turn a weakness that Google can’t just press a button and allow every single Android worldwide to receive an OS update into a strength?