The problem with many Android devices is that when there's a security update for the Android OS, it typically doesn't go directly from Google (who makes Android) to you. Instead, it goes from Google to the device manufacturer, who then releases it to you. This is different from Apple, where your iDevice gets automated updates directly from the Apple Mother Ship.
This lag opens the door to the Bad Guys. I've posted before about "Zero Day" vulnerabilities, where there is a known vulnerability without a released update. Android devices suffer from this (as do all devices), but the Google-Manufacturer-You release chain brings a new concept: the "N-Day" vulnerability:
A zero-day vulnerability is a software flaw known before a vendor becomes aware or fixes it, allowing it to be exploited in attacks before a patch is available. However, an n-day vulnerability is one that is publicly known with or without a patch.
For example, if a bug is known in Android before Google, it is called a zero-day. However, once Google learns about it, it becomes an n-day, with the n reflecting the number of days since it became publicly known.
Google warns that attackers can use n-days to attack unpatched devices for months, using known exploitation methods or devising their own, despite a patch already being made available by Google or another vendor.
So the key issue when choosing a more secure Android phone is how to minimize the value of N. The faster the turnaround at the device manufacturer, the lower your risk.
There are two strategies you can choose here:
- Buy a Google-branded Android device. I don't know if N=0 in this case, but it's hard to see how any manufacturer could turn a patch around faster than the company that created the patch.
- Buy a device from a manufacturer that participates in the "Android One" program. N will not be zero here, but the program tries to streamline the patching/update process.
Or you could buy an iDevice, but now the discussion has lurched into the theological.