My smartphone is a simple affair. I have a hardened Firefox as my default browser (uBlock Origin with JS disabled by default, plus the HTTPS Everywhere add-on with EASE turned on).
I keep my app count to a minimum. There are people who need every app imaginable, but that increases the attack surface of the phone. Try to minimize the number of apps on your phone, please!
Then of course all the usual OPSEC practices, like not clicking on suspicious links in WhatsApp, e-mail or SMS, always apply. You have to consider the human element of all this. So many people have been owned by fat-fingering some suspicious link in an SMS that then took over their phone.
But there is always the argument that phones ship with malware anyway, so you're pwned either way.
You can do a little more if you have root access, like using XPrivacyLua to restrict the data and hardware that apps like your browser have access to, and AdAway to block ads globally (which protects you from app telemetry that shares data with third parties). You can also run a DoT server and point your phone at it to protect your DNS queries from the random WiFi networks you may have to connect to, or better, run a VPN server and stay connected to it. Also, whenever you can, replace the OS that comes preinstalled with LineageOS (just make sure everything works for your phone, like the camera and LTE). With the latest LineageOS you can also restrict internet access per app and per network type, though AFWall+ still gives better control over that. For the extremely suspicious apps, you can install them in the work profile for extra isolation with Island (Play Store) or Insular (F-Droid).
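As an added illustration of the "run your own DoT server" suggestion above (this is example configuration, not something the commenter posted): a minimal Unbound server section that listens for DNS-over-TLS on port 853 so an Android phone can use it as its Private DNS resolver. The certificate and key paths, the hostname and the client network are assumptions; Android's Private DNS setting requires a hostname whose certificate validates against the system trust store, so the PEM must come from a CA the phone trusts.

```conf
# Added example: Unbound configured as a DNS-over-TLS resolver for a phone.
# Paths, hostname and network ranges below are placeholders (assumptions).
server:
    # Listen for DoT on the port Android's Private DNS expects.
    interface: 0.0.0.0@853
    interface: ::0@853
    tls-port: 853
    # Certificate must match the hostname entered under Private DNS on the phone
    # (assumed dot.example.net) and chain to a CA in Android's trust store.
    tls-service-key: "/etc/unbound/dot.example.net.key"
    tls-service-pem: "/etc/unbound/dot.example.net.pem"

    # Do not serve plain DNS to the world; only the TLS listener is exposed.
    # Restrict who may query: a roaming phone has no fixed IP, so either allow
    # everyone on 853 (TLS only) or, better, bind this to the VPN's address range.
    access-control: 10.8.0.0/24 allow      # assumed VPN client range
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Validate answers yourself instead of trusting the network's resolver.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

    # Leak as little as possible about the resolver itself.
    hide-identity: yes
    hide-version: yes
```

Once Unbound is up, set Private DNS on the phone to the hostname (Settings, Network, Private DNS, "Private DNS provider hostname"); over adb the result can be confirmed with `adb shell settings get global private_dns_mode` (expect `hostname`) and `adb shell settings get global private_dns_specifier` (expect the configured name). If the phone cannot validate the certificate, Android silently falls back to the network's resolver when the mode is "automatic", which is why the explicit hostname mode is the one worth using.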
This happened months ago but I still can't see much info. Also, I see Check Point reported 4-5 issues to qcomm, not 400.
To people complaining Android never gets updates: Android has been providing monthly security updates for some years now. It is even possible that this was fixed even faster, since modern Android can update some system libraries right from the store (Project Treble, announced in 2017).
400 vulnerabilities! Good luck getting any reasonable percentage of users to install these patches. The software update situation on Android is horrible.
Apple doesn't have a spotless record with security. However, they are significantly better at pushing updates. A large majority of eligible iOS devices install OS updates, and iOS devices tend to be eligible for updates for many years.
Additionally, because sales are much lower for iOS than Android, it's hard to get to the same scale. I don't know about iPad numbers, but 1 billion iPhones is about 5 years of sales, and five years is around where Apple stops providing updates (edit: as pointed out below, they're doing closer to 8 years from release now, but not all sales are of current-model phones). That combines with other factors, and very few devices make it past five years of use.
The iPhone 6 and SE are still hugely popular in Asia. I see them everywhere, and there is a whole after market economy for repairs and parts replacement.
What is even sorrier is that if you had bought a $100 phone, you could have bought a new phone every year for 10 years and had better protection. Which is totally wasteful.
I worked in both the Android and ChromeOS orgs at Google. The way the leadership in each treated updates was very different.
ChromeOS devices are expected to be supported for 7 (or so) years. This is true even at the planning stage, which is why certain vendors are avoided, as they cannot be reliably expected to provide support for that long. There even used to be a policy that only upstreamed kernels could be shipped, as in: if the vendor does not upstream their kernel patches, no part of theirs can be in a ChromeOS device.
Very little thought about updateability was given in Android until about 2018(?)-ish, when Project Treble started happening. And even then, that idea had existed for a while before it was implemented, and it took a long time to sell Android leadership on it.