The Actual Privacy Differences Between Mobile Operating Systems
“iPhone protects your privacy.” “Android puts you in control.” Every mobile OS markets itself as privacy-respecting. But what do they actually do when you’re not looking?
Researchers have studied this question empirically, and the findings are more nuanced than either Apple fans or Google fans want to hear. Neither major platform is privacy-respecting by default. Both collect significant telemetry. The differences are real but narrower than marketing suggests.
What iOS Actually Sends
Apple positions privacy as a core differentiator, and they’ve made real architectural decisions that matter. App Tracking Transparency (ATT) genuinely reduced cross-app tracking. On-device processing for many Siri and photo features is real. The Secure Enclave hardware is well-designed.
But iOS phones home frequently. A 2021 study by Professor Douglas Leith at Trinity College Dublin found that iPhones send data to Apple approximately every 264 seconds when idle. This includes:
- IMEI and hardware serial number
- WiFi MAC address
- Location data (even when Location Services is set to “off” for Apple, location is inferred from nearby WiFi access points)
- Telemetry data about usage patterns
- SIM and phone number information
Apple can tie this data to your identity. They say they anonymise it, but the identifiers included (IMEI, serial number) are permanently linked to you.
iCloud compounds this. If you use iCloud (which most iPhone users do), your photos, messages, contacts, health data, and device backups are on Apple’s servers. Apple added Advanced Data Protection in late 2022, which enables end-to-end encryption for most iCloud categories — but it’s opt-in, and most users haven’t enabled it.
What Android Sends
Stock Android (Pixel phones) sends even more telemetry. The same Trinity College study found Pixels contacting Google servers roughly every 255 seconds when idle, transmitting:
- IMEI, hardware serial number, SIM serial
- WiFi MAC address
- Device identifiers (Android ID, RDID)
- Telemetry and usage data
- Current cell tower and nearby WiFi (for location inference)
Google’s data collection is more extensive in scope because Google services are deeply integrated into Android. Google Play Services — which runs on essentially all non-custom Android phones — maintains persistent connections and collects location data, app usage data, and device state information continuously.
Samsung phones add another layer. Samsung’s OneUI sends telemetry to Samsung’s servers in addition to Google’s. You’re sharing data with two companies instead of one, and Samsung’s data practices have historically been less transparent than Google’s.
The Privacy Settings Reality
Both platforms offer privacy controls. The question is how effective they are.
iOS: Turning off analytics sharing, disabling personalised ads, and restricting location access to “While Using” reduces but doesn’t eliminate data collection. The Trinity College research found that even with all privacy settings maximised, iPhones still sent considerable telemetry to Apple. The phone needs to communicate with Apple’s servers for basic functionality — push notifications, iMessage, time synchronisation — and metadata from these connections is collected.
Android: Google’s privacy dashboard provides granular controls, and you can disable or limit many collection categories. But some data collection is tied to Google Play Services, which can’t be disabled without breaking most apps. The “opt-out” model means privacy requires active effort from the user, and Google’s defaults are permissive.
Both platforms make it impossible to achieve zero data collection while maintaining normal functionality.
GrapheneOS: The Privacy-First Alternative
GrapheneOS is a security and privacy-focused mobile OS built on Android Open Source Project (AOSP). It runs on Pixel hardware but removes all Google services.
The privacy improvements are substantial and measurable:
No Google telemetry. GrapheneOS doesn’t include Google Play Services. No persistent connections to Google servers. No advertising ID. No location sharing with Google.
Minimal phone-home behaviour. GrapheneOS contacts its own servers for connectivity checks and updates, but the telemetry is minimal and auditable (the entire OS is open-source).
Sandboxed Google Play (optional). If you need Google apps, GrapheneOS lets you install Google Play Services as a regular sandboxed app rather than a privileged system service. It works but has no special permissions — it can’t access data from other apps or run background processes with elevated privileges.
Per-app permission controls. More granular than stock Android. Network access can be revoked per-app (stock Android doesn’t allow this without workarounds). Storage scoping is stricter.
The trade-offs are real. Some apps don’t work without Google Play Services (banking apps are hit-or-miss). Push notifications through Google’s Firebase Cloud Messaging don’t work without Play Services (though alternatives exist). Setup requires flashing firmware, which isn’t difficult but isn’t consumer-friendly.
For people working in security consulting or privacy-sensitive roles, firms like Team400 have noted that mobile device telemetry is increasingly relevant to enterprise security assessments, particularly when employees use personal devices for work.
Comparative Telemetry Summary
| Category | iOS | Android (Pixel) | Samsung | GrapheneOS |
|---|---|---|---|---|
| Idle telemetry interval | ~264 sec | ~255 sec | ~200 sec | Minimal |
| Hardware IDs sent | Yes | Yes | Yes | No |
| Location inference | Yes | Yes | Yes | No |
| Data recipients | Apple | Google + Samsung | GrapheneOS (minimal) | |
| Ad tracking ID | IDFA (can reset) | GAID (can delete) | GAID | None |
| E2E encrypted backup | Opt-in | Limited | Limited | N/A (local) |
What This Means for You
If you’re choosing between iOS and Android purely on privacy grounds, neither is clearly superior. Apple collects less data overall, but the difference is smaller than Apple’s marketing implies. iOS has better defaults (ATT, for example), but the baseline telemetry is still significant.
If you’re willing to put in effort, Android gives you more room to customise — and GrapheneOS on a Pixel represents the strongest consumer privacy option available in a mobile OS.
For the majority of people, the practical privacy steps that matter most aren’t about OS choice:
- Review and restrict app permissions regularly
- Enable Advanced Data Protection on iCloud if using iOS
- Disable personalised advertising
- Use a VPN on untrusted networks
- Be selective about which apps you install
- Prefer apps that work without accounts when possible
The mobile OS privacy conversation is important, but it shouldn’t distract from the bigger picture: the apps you install and the services you use often collect far more data than the OS itself. A privacy-focused OS running Instagram and TikTok doesn’t achieve much.
Pick the OS that works for your needs. Then focus on the apps, permissions, and behaviours that actually determine how much data you’re sharing.