iOS has full W^X (aka DEP), Android does not. This prevents JITs on iOS, but it also makes exploits more complex. iOS also has full ASLR (even kernel-level ASLR likely coming in 6.0), Android doesn't to the same extent. iOS also has a more restrictive an low-level sandbox, which denies access to many kernel interfaces; Android has a sandbox, but less restrictive. iOS also has app review; with Android, malware could (and has) easily enter the user-facing market. All code that runs on iOS must be signed by Apple, this significantly hurts exploit development as all code must be written using "gadgets" from existing, signed code. Android will run anything.
Android also has the issue of updates: most Android 2.x phones are not going to ever get the improvements in later versions.
iOS has full W^X (aka DEP), Android does not. This prevents JITs on iOS, but it also makes exploits more complex. iOS also has full ASLR (even kernel-level ASLR likely coming in 6.0), Android doesn't to the same extent. iOS also has a more restrictive an low-level sandbox, which denies access to many kernel interfaces; Android has a sandbox, but less restrictive. iOS also has app review; with Android, malware could (and has) easily enter the user-facing market. All code that runs on iOS must be signed by Apple, this significantly hurts exploit development as all code must be written using "gadgets" from existing, signed code. Android will run anything.
Android also has the issue of updates: most Android 2.x phones are not going to ever get the improvements in later versions.
More technical info: http://www.trailofbits.com/resources/mobile_eip-04-19-2012.p...