A new report crunched data about vulnerabilities in operating systems over the last 20 years and found that Android has had the most security vulnerabilities on a consistent annual basis for the last few years.
But that shouldn’t freak you out.
The report was compiled by TheBestVPN using data from the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. TheBestVPN found that Android had the most vulnerabilities of any platform in 2019, 2017 and 2016. In 2018, Debian GNU/Linux claimed the top spot instead.
According to the data, Android has had a total of 2,563 vulnerabilities over its lifetime, with 414 total in 2019. However, the 414 vulnerabilities in 2019 are a decline for Android, which saw 843 in 2017 and 525 in 2016. Additionally, Debian Linux tops the list for most vulnerabilities in its lifetime at 3,067.
However, there are a few things to keep in mind here. The number of vulnerabilities on a platform doesn’t necessarily equate to it being unsafe. Open platforms like Android or Linux allow researchers to investigate and find vulnerabilities more easily than closed platforms. With Android, Google pushes out monthly security patches that fix many of these issues.
An Android spokesperson backed up that notion in a statement to Fast Company, saying:
“We’re committed to transparency and release public security bulletins monthly on issues that have been fixed in Android to harden the security of the ecosystem. We disagree with the notion that measuring the number of security issues fixed in an OS is any indication of the security of the platform. This is actually a result of the openness of the Android ecosystem working as intended.”
High number of vulnerabilities doesn’t mean it’s not safe
TheBestVPN listed Microsoft as the company with the most vulnerabilities, clocking in at 6,814 vulnerabilities since 1999. Considering how many people use Microsoft products, that certainly seems like a scary number. However, Microsoft also has a lower average number of vulnerabilities per product than many other companies, at 12.9.
To compare, Apple has 4,512 total vulnerabilities since 1999 but a higher average of 37.9 vulnerabilities per product. Of course, there are several factors to consider here. Microsoft has more products than Apple, which would contribute to a lower overall average of vulnerabilities per product.
Google as a company also has a high average, with 4,572 total vulnerabilities since 1999 and an average of 54.4 vulnerabilities per product.
Broken down by product, the numbers get more interesting. For example, Mac OS X had a total of 2,212 vulnerabilities (Apple changed the branding to macOS in 2016, but it isn’t clear if TheBestVPN includes the new branding in this number). iOS, by comparison, had 1,655.
Along with Android ranking as the second most vulnerable OS, Google’s Chrome browser also had a high number of vulnerabilities at 1,858.
Ultimately, most platforms have a significant number of security vulnerabilities, and that number is growing as technology expands, new platforms are introduced and existing software becomes more complex. And while it can be concerning to see some platforms with high numbers of vulnerabilities, it’s worth remembering that open platforms like Android and Linux rely on communities to discover and disclose vulnerabilities and fix them. Closed platforms, on the other hand, may suffer from vulnerabilities for years without researchers discovering them because there are fewer people overall looking, and often it can be harder to perform research on those systems.
One such example could be iOS, which had five active exploits that malicious websites used to hack iPhones for years. However, Apple is also working to get more eyes on its platforms, in part thanks to a new bug bounty program that doles out cash rewards to researchers who find vulnerabilities in its platforms like iOS and macOS.