Mobile Operating Systems: Security and Privacy Compared
Your mobile OS shapes what data gets collected, what apps can access, and what protections are actually possible. Here's how the main options compare.
The Basics
What It Is
Your mobile operating system controls what data your device collects, what permissions apps can access, what gets transmitted to whom, and what you can install or modify. iOS is built by Apple, a company with its own data interests and prominent hardware business. Android is built by Google, which earns the majority of its revenue from advertising. The defaults they ship with reflect those origins, but things get quite interesting when you move beyond defaults.
How It Works
Stock iOS
Apple has some genuine privacy strengths at the OS level.
- App Tracking Transparency requires apps to ask explicit permission before tracking you across other apps and websites.
- The permission model is well enforced: location (including approximate-only), microphone, camera, contacts and more all require explicit user consent.
- Apple has a broader design philosophy of processing sensitive operations on-device rather than in the cloud, which shows up across multiple features; Apple Wallet, for example, is processed on-device on iOS, while Google's equivalent is handled in the cloud.
Additionally, Apple has put real engineering effort into more advanced privacy and security features such as iCloud's Advanced Data Protection (end-to-end encryption for most of iCloud) and Lockdown Mode (a hardened configuration of the OS designed to block government-sponsored spyware). Lockdown Mode has proven highly effective: as of March 2026, Apple states it still has no record of a successful spyware compromise on any device with Lockdown Mode enabled.
But there are some real limitations:
- iOS is a closed ecosystem. Apps come exclusively from the App Store on standard devices (with limited EU exceptions under the Digital Markets Act).
- Telemetry continues even with analytics disabled by default. Apple's privacy protections apply most forcefully to third parties, but not to what Apple itself collects through its own services.
- Apple still doesn't treat VPNs as first-class citizens on iOS, and VPN leaks are a common side effect.
- Apple doesn't allow third-party browser engines on iOS, ultimately resulting in less powerful privacy browsers.
- And finally, most of Apple's software is proprietary, so for some users that will supersede any potential benefits of the Apple ecosystem.
With that said, for many people, iOS with deliberate permission management & privacy practices can be a reasonable baseline. A DNS filter to block Apple telemetry, Lockdown Mode, iCloud Advanced Data Protection, and a careful set of privacy tools on top of that can take you quite far in the Apple ecosystem.
Stock Android
"Android" covers a wide range of manufacturer implementations. Google Pixel devices running stock Android are a clean baseline with less tracking than Samsung or carrier variants. But all stock Android variants still embed Google Play Services: a persistent background process with elevated system permissions that maintains an ongoing data connection to Google. It cannot easily be removed without fundamentally changing the OS.
Recent Android versions have improved meaningfully with features like auto-revoke, which removes permissions from unused apps; one-time grants, which offer temporary access; and on-screen indicators that flag active microphone and camera use. But those still don't change the baseline data collection from Play Services. Additionally, Google designs a larger share of its ecosystem to be cloud-first, inherently putting more personal information online, whereas Apple leans towards local on-device processing where possible.
But beyond what each company collects from their own services, another practical difference is third-party tracking, or what each app you install is able to collect. Generally speaking: iOS has more aggressively restricted what apps and advertisers can observe across your device, but that doesn't mean there aren't stronger solutions available on Android.
Custom Android ROMs
Android's open-source foundation (AOSP) makes it possible to build alternative operating systems that make different choices about what to include, remove, and harden. These are generally called custom ROMs. One of the important choices they make is how to handle Google app compatibility:
- Sandboxed Google Play (used by GrapheneOS) runs Google Play Services as an unprivileged user-space app. No elevated system access, no permissions beyond what it explicitly requests. You can still use most apps, but Play Services can't conduct the device-wide scanning it performs on stock Android.
- microG (used by CalyxOS, /e/OS, and others) is an open-source reimplementation of Google Play Services. microG prioritizes open-source transparency and reducing Google code. Techlore's community project Plexus crowdsources which apps work with microG, so you can check before migrating.
- No compatibility layer: nothing forces you to use one. Many ROMs (like LineageOS) ship without one. This is the cleanest option, but with the steepest compatibility cost. Plexus shows both a microG score and a fully degoogled (no compatibility layer) score for each app.
Some Custom ROM Options
- GrapheneOS: a hardened Android ROM with per-app network access controls, MAC address randomization per connection, auto-reboot after configurable idle periods, duress password support, and memory hardening beyond AOSP. Uses sandboxed Google Play for compatibility. Has historically run exclusively on Google Pixel devices due to strict security requirements. As of early 2026, a Motorola partnership has been announced that may bring more devices in the future.
- CalyxOS: uses microG and has historically had broader device support (for devices like the Fairphone) without additional hardening. Regarding microG: their patch is locked down so that only the Google Play Services signature can be spoofed, and only by CalyxOS's bundled microG components, for better security. As of early 2026, CalyxOS has not resumed regular public updates following the departure of both its founder and tech lead in August 2025. New signing infrastructure was audited by Trail of Bits in February 2026 and updates are reported as close to resuming.
- /e/OS, LineageOS, iodéOS: support the widest range of devices, including non-Pixel hardware. Meaningful improvements over manufacturer stock Android for privacy. The main drawback: they sometimes prioritize device compatibility over security features like verified boot, which helps keep your device safe from persistent malware. They do extend software (generally not firmware) updates for older devices, which is its own win.
| Platform | OS Data Collection | Open Source | 3rd-Party Tracking Control | App Ecosystem & Play Services | Verified Boot | Compartmentalization | Device Compatibility | Gov Spyware Protection | Easy E2EE |
|---|---|---|---|---|---|---|---|---|---|
| iOS | 🔴 Apple | 🔴 Closed source | 🟢 Strong (ATT enforced) | 🔴 App Store only (limited EU exceptions) | 🟢 Enforced | 🔴 None | 🟡 Apple devices only | 🟢 Lockdown Mode (confirmed blocks spyware) | 🟢 iCloud ADP (backups, photos, notes) |
| Stock Android | 🔴 Google Play Services | 🟡 AOSP open, Play Services closed | 🟡 Improving | 🔴 Play Services generally required; full store access + sideload | 🟢 Enforced (varies) | 🟢 Work profiles + user accounts | 🟢 Wide range of devices | 🟡 Android "Advanced Protection" | 🔴 No OS-level E2EE; app-level only |
| GrapheneOS | 🟢 Minimal, auditable | 🟢 Open source | 🟢 Strong, per-app controls | 🟢 Play Services sandboxed; full store access + sideload | 🟢 Enforced + hardened | 🟢 Private Spaces + work profiles + user accounts | 🟡 Pixel only (+ Motorola announced) | 🟢 Memory hardening, duress passwords, auto-reboot | 🔴 No OS-level E2EE; app-level only |
| CalyxOS | 🟢 Minimal, auditable | 🟢 Open source | 🟢 Good controls | 🟡 microG (locked-down spoofing, system-integrated) | 🟢 Enforced | 🟢 Work profiles + user accounts | 🟡 Pixel, Fairphone + some others | 🟡 Minimal additional hardening | 🔴 No OS-level E2EE; app-level only |
| /e/OS, LineageOS, iodéOS | 🟢 Minimal, auditable | 🟢 Open source | 🟢 Good controls | 🟡 Varies, typically microG or no compatibility layer | 🟡 Varies by ROM + device | 🟢 Work profiles + user accounts | 🟢 Widest range incl. older & non-Pixel | 🟡 Minimal additional hardening, potentially weaker | 🔴 No OS-level E2EE; app-level only |
What Your OS Enables Downstream
Your operating system determines a lot more than just telemetry; it shapes everything your device is capable of doing. The clearest way to see this is that each platform unlocks things the other simply can't.
Android opens up capabilities that don't exist on iOS: an official, well-maintained Tor Browser release, the F-Droid open-source app ecosystem, browsers with extensions, and work profiles that create completely isolated environments for compartmentalization. iOS, in turn, offers things Android has no OS-level equivalent for: iCloud with Advanced Data Protection extends end-to-end encryption across backups, photos, and notes in a way no Android ecosystem matches. Lockdown Mode also offers top-tier security with a single toggle.
These downstream differences can often have more practical privacy impacts for individuals than the baseline spec sheets imply, because they decide which protections are even available to you in the first place.
The interoperability effect is also real: if your family uses iMessage and you switch to Android, their conversations with you may drop back to SMS, reducing privacy for everyone in those threads. Privacy is partly a social system. The platform you choose affects which protocols you can realistically maintain with the people in your life. The right approach is almost always holistic, balancing technical competency with practical safety and with interoperability across the people in your life.
Why It Matters
A 2021 study by Trinity College Dublin measured what freshly reset, account-free smartphones actually transmit at baseline. They found that both iOS and Android sent data to Apple and Google before any account was signed in, any app was opened, or any analytics sharing was enabled. Neither company disputed the transmission. The researcher's conclusion: "Currently there are few, if any, realistic options for preventing this data sharing" on stock iOS or Android.
This is the starting position. Before you install any app, before you make any choices about your browser or search engine or messaging app, your device is already maintaining an ongoing data relationship with the company that built the OS. Every app you install, every permission you grant, every network connection your apps make happens on top of this baseline.
The OS matters because it determines the terms under which everything else operates. A VPN tunnels your traffic, but the OS still knows what domains your apps connect to. An encrypted messaging app secures your communications, but the OS controls what system-level access that app has. A privacy-respecting browser limits fingerprinting, but if the OS is restricting your browser engine, browser-level protections will be restricted.
For most everyday people, this doesn't mean an immediate OS change is required. The protections covered in earlier articles like encrypted messaging, DNS, permission hygiene, and aliasing provide real improvements regardless of OS. Maximizing what you can do on your current device is generally a better first step, and once you've implemented reasonable protections you can upgrade your OS once you're ready.
For higher-stakes situations, the OS choice becomes more important. Citizen Lab reported that iOS Lockdown Mode blocked BLASTPASS, a zero-click NSO Group exploit, and alerted against PWNYOURHOME, another Pegasus attack vector, with no confirmed bypasses post-activation. For people facing government-grade spyware as a realistic threat (journalists, activists, lawyers on sensitive cases), iOS Lockdown Mode has a documented track record against real attacks with zero signs of ever being bypassed. Similarly, for people whose priority is minimizing tracking infrastructure, reducing Google's footprint, and gaining compartmentalization capabilities, GrapheneOS on a supported Pixel is another solid path.
The right mobile OS depends entirely on what you're protecting against and what you're willing to trade in compatibility and convenience. The Threat Modeling article gives you the framework for working out which answer fits your situation.
Common Misconceptions
"Switching to a custom ROM makes you private."
It doesn't. It removes a category of OS-level data collection and gives you a cleaner foundation to build on. But you can still install invasive social media apps on a custom ROM. You can still grant invasive permissions to any app you install. You can install malware. The privacy outcomes you get from the OS swap are the ceiling, not the floor. What actually happens on the device still depends on what you install, how you configure it, and what accounts you're logged into.
"Keeping verified boot is always worth more than getting software updates."
This is one of the most common questions I get about older phones, and it's a genuinely tough spot to be in without an obvious win. Three things that are important to clear up:
- Software updates are the OS-layer security patches (Android's updates, framework and kernel fixes). A custom ROM like LineageOS can keep these current long after the manufacturer quits, which is the main reason to install one on an abandoned device.
- Firmware updates are the lower-level pieces (bootloader, baseband/modem, vendor blobs). These are rarely managed by a custom ROM, so they are normally frozen once the manufacturer stops pushing updates. That exposure is identical whether you stay on stock or switch, so it shouldn't drive your decision either way.
- Verified boot is the chain of trust ensuring your device only boots untampered, signed software. Its core job is preventing persistent malware, the nasty stuff that survives reboots. Installing most custom ROMs requires unlocking the bootloader, which breaks it. But some allow you to re-lock your bootloader to still maintain verified boot.
This question comes out of the reality that ROMs prioritizing older devices tend to drop the verified boot requirement. So the question really boils down to which risk you'd rather reduce: patches lower the odds of being compromised in the first place, while verified boot limits the damage if you are (stopping a compromise from becoming permanent). I'm not going to claim to have the 'right' answer for everyone, but I do believe that most users with proper hygiene are more likely to benefit from a custom ROM with real privacy benefits than from staying on a frozen, outdated OS from their manufacturer, as long as they're aware of the risks. If your threat model puts a premium on tamper-resistance and boot integrity, the clean answer is a still-supported device, or GrapheneOS/CalyxOS on a Pixel where you don't have to choose at all.
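One way to see where a specific device stands on the three layers just described (OS patches, firmware patches, verified boot) is to read the properties Android exposes over `adb shell getprop`. The script below is an added example, not part of the original article: it parses a getprop dump and reports OS patch age, vendor firmware patch age and the Android Verified Boot state. The property names are standard Android/AVB properties, but whether a given OEM populates `ro.vendor.build.security_patch` and `ro.boot.flash.locked` varies by device, and the sample dump is constructed.

```python
"""Assess the three layers discussed above from an Android `getprop` dump:
OS security patch level, vendor/firmware patch level and verified-boot state."""
import re
import sys
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device):
# current OS patches, frozen firmware, unlocked bootloader (typical custom-ROM case).
SAMPLE_GETPROP = """\
[ro.build.version.security_patch]: [2026-02-05]
[ro.vendor.build.security_patch]: [2023-08-05]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
"""

_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict; other lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def _age_days(patch_level, today):
    """Days since a YYYY-MM-DD patch level; None if the property is missing or garbled."""
    try:
        y, m, d = (int(x) for x in patch_level.split("-"))
        return (today - date(y, m, d)).days
    except (AttributeError, ValueError):
        return None

def assess(props, today, stale_after_days=90):
    """Summarise patch freshness and boot integrity for the trade-off in the text.
    Android Verified Boot states: 'green' = locked and verified; 'yellow' = locked but
    booting a user-installed key (a re-locked bootloader with the ROM's key);
    'orange' = unlocked, verification not enforced; 'red' = verification failed."""
    os_age = _age_days(props.get("ro.build.version.security_patch"), today)
    fw_age = _age_days(props.get("ro.vendor.build.security_patch"), today)
    vb_state = props.get("ro.boot.verifiedbootstate", "unknown")
    return {
        "os_patch_age_days": os_age,
        "os_patch_stale": os_age is None or os_age > stale_after_days,
        "firmware_patch_age_days": fw_age,
        "firmware_patch_stale": fw_age is None or fw_age > stale_after_days,
        "verified_boot_state": vb_state,
        "verified_boot_enforced": vb_state in ("green", "yellow"),
        "bootloader_locked": props.get("ro.boot.flash.locked") == "1",
    }

def assess_sample(text=SAMPLE_GETPROP, today=date(2026, 3, 1)):
    """Assess a getprop dump (default: the constructed sample) at a fixed date."""
    return assess(parse_getprop(text), today)

if __name__ == "__main__":
    # Real device: `adb shell getprop | python3 this_script.py`; otherwise use the sample.
    text = SAMPLE_GETPROP if sys.stdin.isatty() else sys.stdin.read()
    for key, value in assess(parse_getprop(text), date.today()).items():
        print(f"{key}: {value}")
```

A `yellow` state with `ro.boot.flash.locked` set to `1` is what a re-locked bootloader running a ROM's own signing key looks like, which is the case the text describes where verified boot survives the ROM install.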
"The OS swap is the first move you should make."
This is a misconception that I think needs some healthy pushback. I'm a strong believer that in practice, switching mobile operating systems is one of the later changes most people benefit from, not one of the earlier ones. A password manager, two-factor authentication, encrypted messaging, and aliases all deliver meaningful protection on your current device today, without changing platforms. They also have a second-order effect: every one of them makes a future OS migration easier. If everyone you message is on Signal already, switching to GrapheneOS or back to iOS doesn't break your social fabric. If your notes are in a cross-platform tool, switching doesn't strand your data. Doing the upstream work first makes the downstream choice cleaner when you get to it. Of course there's no 'right' order, but I don't think people need to be on a perfect operating system to still make a majority of gains on their journey.
"Mobile OS choice is a pure technical decision."
It isn't always the case, though I wish it was this simple! Your OS choice shapes what you can do downstream. If you switch from iMessage to a platform where iMessage doesn't exist, the conversations with the people in your life often drop down to SMS, reducing privacy for everyone in those threads. But if you switch from iOS to Android, you might gain work profiles, multiple Signal instances, and per-app VPN control, real capabilities iOS doesn't offer. These are just a few examples where the right OS can mean completely different things for different people. While specs can be important, I always encourage a holistic view of your entire tech stack and how an OS fits into it. For many people, this discussion can be limited simply by which phone you're able to afford and needing to pick the best OS for that cost point.
Henry's Take
I notice a lot of people tend to reach for OS swaps on both desktop and mobile first because it feels like the biggest move, and feeling like the biggest move feels like it's more impactful. But my experience is that the password manager, the second factor, the encrypted messenger, the aliases, and the encrypted storage upstream of the OS are what move the needle on day-one privacy outcomes. Once those are in place, then the OS migration becomes the natural next step rather than the leap that has to carry everything. These are also far more accessible starting points for everyday users.
I use a lot of devices across both ecosystems for different reasons. Professionally, the Apple ecosystem does something remarkable: it ships Lockdown Mode as a literal toggle that meaningfully hardens the device against government-grade spyware, and Advanced Data Protection extends end-to-end encryption across iCloud to a degree that no Android platform currently matches at the OS level. The only things not E2EE with ADP are Mail, Contacts and Calendar, which Proton and Tuta are perfect swap-ins for.
On Android, custom ROMs are the right open-source choice in 2026. GrapheneOS in particular delivers serious hardening, per-app network controls, MAC randomization, memory hardening, duress passwords, auto-reboot, all on top of a sandboxed Google Play model. It's a strong option for users whose threat model values that kind of control and who are willing to accept Pixel hardware as the cost of entry. I also think that CalyxOS does a great job at maintaining base security, and introducing nice privacy benefits with larger device compatibility (I'm particularly a fan of the Fairphone!). Ultimately, custom ROMs are where you're going to find the highest degree of transparency for mobile devices in 2026.
I don't think I could write this section without mentioning the direction Android seems to be moving. Google's pressure on sideloading (with developer verification required even for sideloaded apps rolling out from 2026), the long-running migration of capabilities out of AOSP and into proprietary Play Services, development moving fully behind closed doors, and source releases slowing to twice a year: these are all making the custom ROM path structurally harder to sustain. So my hope is that mobile Linux options mature enough over the next few years to provide a genuinely independent foundation. Right now, custom ROMs are still the answer. But I am concerned over the real damage that Google can cause this open ecosystem given it still has a lot of influence over it.
When a regular person new to this asks me for a phone recommendation, I normally recommend a Pixel running stock Android with deliberate privacy tools, or an iPhone with ADP enabled and a small set of privacy-respecting apps installed. Either can be a meaningfully strong baseline. The iPhone always has Lockdown Mode waiting for them, and the Pixel always has a custom ROM waiting for them.
Henry's Picks
iPhone with Lockdown Mode and Advanced Data Protection enabled: the strongest practical baseline available for someone who isn't ready to leave the mainstream app and contact ecosystem. ADP brings end-to-end encryption to most of iCloud. Lockdown Mode has a real track record against government-grade spyware. Both ship in standard iOS and cost nothing extra.
Pixel running stock Android: the cleanest baseline Android, fewer manufacturer and carrier layers than other devices, and the hardware platform that supports nearly every privacy-focused custom ROM if you decide to migrate later. Supports Android Advanced Protection for higher security, and has a far more open ecosystem than what iOS currently provides.
GrapheneOS on a supported Pixel: the strongest privacy-and-security Android option. Sandboxed Play Services keep compatibility broad without giving Google system-level access. Per-app network controls, MAC randomization, memory hardening, duress passwords. Pixel-only historically; the Motorola partnership announced in early 2026 may expand hardware support over time.
/e/OS or LineageOS: for users on non-Pixel hardware where GrapheneOS isn't an option, or for extending the useful life of older devices that no longer get manufacturer updates. Meaningful improvements over manufacturer stock Android, with the tradeoff that verified boot and additional hardening vary by device. CalyxOS I'm still watching to see them resume regular updates.
Plexus: my open-source community project for checking whether the apps you depend on actually work on a degoogled Android setup. Worth checking before you migrate.
See the broader recommendation set at Techlore's SPA Tools.
Go Deeper
Techlore content:
- Go Incognito v2, Lesson 6.3: Mobile Operating Systems