It's also not obvious to me that clearpath is more secure than android, mostly because I can't actually find any information about what it is, there's only marketing jargon :/
CVE entries are both a function of security and interest. My github projects don't have any CVEs, not because they aren't woefully insecure to anyone who bothers to investigate deeply, but because no one cares.
"Android" is installed on more devices than any other OS in the world. So it stands to reason that there would be more interest in finding exploits in android than in OS's that are often airgapped or locked away behind firewalls.
It is also very seldom updated, my dummy GitHub projects have more updates than many common Android brands, so whatever security Pixel devices sell, it is hardly a reflection of what most consumers outside North America get to use.
Which isn't a reflection on Google's security practices, but that of cell phone companies. My OS is secure and, if third party vulnerability prices are anything to go by, as or more secure than any other consumer OS. That would reflect well on the Android security teams.
It definitely is, an OS is as secure as consumers get to use it, not a some experimental lab in Mountain View.
So if Google doesn't care what the OEMs do with Android, it definitely shows that Google doesn't care about security on Android as a whole, as long as it can write blogs about how perfect the security in Pixel devices looks like, which by the way are on sale just in a couple of selected tier 1 countries.
That isn't caring about security, what Apple does, it is caring about it.
> It definitely is, an OS is as secure as consumers get to use it, not a some experimental lab in Mountain View.
"my parents pockets" isn't an experimental lab, I don't think.
> So if Google doesn't care what the OEMs do with Android
I don't think I said this.
> That isn't caring about security, what Apple does, it is caring about it.
Open ecosystem, maximally secure ecosystem, pick 1. Android offers equal security to iOS if one chooses to pursue it. That most OEMs don't give a shit about security reflects badly on those OEMs, there's only so much any software provider can do.
Let me correct it for you, from those of us that aren't attached to Google.
"That most OEMs don't give a shit about security reflects badly on Google security polices".
Google can go ask Microsoft how it does make OEMs play by the rules, or legal about how to properly write contracts that enforce such security practices.
Until it happens, how secure a Pixel device might be in theory and Google blog posts, isn't representative of the Android that 90% of the world actually gets to use.
> Google can go ask Microsoft how it does make OEMs play by the rules
OEMs of what? All the custom forks of windows floating around? The mobile device market doesn't work anything like the deskop market, and you know that.
Unless you're suggesting that the drivers for the networked, LED-light-toting hyper-gaming mouse you can get from Razer is more secure than OEM Android, because that's the closest things I can come up with, and it's laughable.
We're well off track though, the original question was if there was a more secure (implied consumer) os. You mentioned two non consumer OSs, so I think it's safe to say that the answer is no.
Because it has 80% of the market share world wide, so any flaw makes it more worthwhile, specially given the lack of updates.
Any zero days found in Android devices will never be fixed, other than on Pixel and a couple of selected flagship handsets, while everyone else will be naked with their devices.
Thus brokers will have a gold mine on their hands, being able to target thousands of devices without their owners being able to protect themselves, just like Windows XP before SP2 was released.
Sou you agree that more people are looking at Android than at clearpath, and so the number of zero days found isn't necessary representative of the implicit security, but instead is also a function of interest, which is what I said like 8 posts upthread, and which point you disagreed with it.
I can't tell if you have a point you're making, or if you're just trying to disagree with me :/
That’s a frankly foolish way of measuring security. It doesn’t come in quatloos. CVEs aren’t inverse security points, especially if different systems have different communities or levels of scrutiny.
