Josh Drake (the researcher who found the Stagefright exploit) was interviewed on the last episode of the Risky Business podcast. His opinion is that iOS and Android are very similar in their level of security, but the barriers to entry in researching iOS cause security researchers to spend more time looking at Android.
A state who can finance themselves around those barriers to entry may have similar exploits against iOS, but we're less likely to find out about them.
This is possibly one of the best reasons to use something like Cyanogenmod, giving you control over updates rather than waiting on manufacturers and mobile operators.
I'm currently using Cyanogenmod (on a Samsung Note 3) but have problems that make me really consider switching back to the stock ROM:
- Battery life is reduced quite a lot. I spent quite some time looking for the root cause with BetterBatteryStats, but in the end, it is just the core services which seem to use more power; there is no app in the background. With Cyanogenmod it discharges about 30% overnight without doing anything and with WLAN disabled. When I still had the stock ROM I was out in the mountains for 5 days and could take almost 400 photos without recharging. SlimROM was much better in this regard, but they didn't have PrivacyGuard and so far do not support the Note 3 on their newer ROMs.
- I tried to avoid Google Play, but unfortunately a few apps depend on it (especially all the ones using Google Maps). But my main problem is more that I've no idea how dangerous alternatives like Aptoide are. I accidentally downloaded some apps which were already fully unlocked, while only available for money on Google Play. I found a Java program (http://www.onyxbits.de/raccoon) to download apps through a Google account on your PC and then transfer them onto your phone, but this is somewhat cumbersome.
Supposedly the vulnerability is in stagefright, which is the Android framework responsible for audio/video encoding/decoding and playback. TextSecure doesn't do any pre-processing of received audio/video messages, so it seems unlikely that a vulnerability in stagefright could be triggered simply by sending audio/video to a TextSecure user.
TextSecure plays audio/video by handing it to the system's default media player. If there's a stagefright vulnerability, it's possible that the system's default media player is vulnerable. From TextSecure, that interaction should only happen by physically tapping on an audio/video attachment, then tapping through a warning dialog about insecure playback. At that point, it's out of our hands.
It's a shame people are associating the name StageFright with the vulnerabilities instead of the media framework itself because it's possibly the best named library I've ever seen ;-)
I'm on a Samsung device, which means updates are pushed several months after Google pushes theirs. I'd love to go to CM, but then the camera quality is just downright awful because of a lack of TW drivers... Quite annoying