How Secure is Your Smartphone? Android, iOS, BlackBerry and Windows Phone Under Attack


Post based on my interview* with David Gilbert of IBTimes UK

As the adoption of smartphones grows rapidly, one of the biggest challenges facing the manufacturers, developers and, ultimately, users is not the threat of losing your phone, but the threat of someone stealing the personal data stored on your mobile phone.

Cesare Garlati, Senior Director of Consumerization at Trend Micro, spoke to the IBTimes UK about this serious issue and made it clear that no matter what type of phone you own, you are in danger. “Every single platform is exposed to this, no platform is immune. Some are safer than others, but none are immune.”

Last year Garlati was looking for data on how safe or otherwise the four main smartphone platforms (Android, iOS, BlackBerry and Windows Phone) were, but couldn’t find what he was looking for. So he and Trend Micro set about conducting a survey** to find out which operating system was the safest, and more importantly, which is the least s

“I put together a framework of analysis where I had 18 categories between security and manageability and asked them [experts who he surveyed] to rank the four operating systems.”

Unsurprisingly, RIM’s enterprise-friendly BlackBerry OS is the safest of the four mobile operating systems. “BlackBerry is most manageable and secure for two reasons. One is that RIM traditionally has been an enterprise vendor. Two is that RIM and BlackBerry is the most mature, most stable and most enterprise friendly out there.”

While it’s no surprise that BlackBerry is the most secure operating system out there, what is surprising is just how far ahead of the rest it is. “When you look at the charts, they are vastly superior [to the other mobile operating systems].”

The three remaining operating systems are quite close to one another in terms of security, but remain miles behind RIM’s operating system. According to the report, the next most secure is Apple’s iOS, and Garlati puts this down to one thing: “Apple really controls the overall eco-system. Tight control is exercised by Apple of this three-legged table.” The three legs Garlati is talking about are the hardware, software and applications.

However, the system is far from perfect. Indeed Garlati spoke about an ex-NSA employee who released an app which stole all the data from your iPhone or iPad and managed to get it past the App Store gatekeepers. While iOS is still a relatively young piece of software, it has come a long way since launching in 2007, according to Garlati.

Next on the list is the newest operating system, Microsoft’s Windows Phone. The Redmond-based company is following the Apple model by keeping strict control over the hardware, operating system and apps which appear in the WP7 Marketplace.

This operating system has been built with security in mind with features such as sandboxing, buffer overflow prevention and not having a file system, all of which were absent from Microsoft’s previous mobile OS, called Windows Mobile OS. Microsoft has completely reimagined the OS with completely new code and security more to the fore.

This leaves the world’s biggest smartphone operating system, Google’s Android, which is currently in use on over 300 million devices around the world, as the least secure of the four.

One of the reasons the full survey has not been released yet is that someone complained that saying Android is the most unsecure was unfair, and that it would be better to say: “Android is the most exploited.”

The version of Android which was rated was Android 2.3, which was the latest smartphone version at the time of testing but Garlati says the survey should be carried out again using Android 4.0 (Ice Cream Sandwich). “What people don’t realise is that 4.0 is not an improved version of 3.0 [which was just for tablets].”

Garlati believes there are a number of reasons why Android is less secure than iOS, BlackBerry or Windows Phone 7. “One is that it’s less mature than iOS. Android has been around for 18 months. But I think there is something much deeper which I don’t think will change in three months or three years, which is the overall business model.”

Of course one of the major problems for Google is that it doesn’t make hardware and therefore Google doesn’t control the eco-system. There are numerous manufacturers out there making smartphones and tablets which run the Android operating system.

However, because Android is open source, manufacturers like Samsung, HTC and Sony can add their own touches to the basic Android code making it difficult to keep track of what versions are out there at any given time.

And even within a single manufacturer’s range of phones and tablets, you get different versions of the Android OS. “If you look at the Samsung Nexus S, which is the pure Google experience, it is different from the Samsung Galaxy Tab.”

The other issue with Android is regarding apps, and the fact that you can get an app from anywhere and install it on your phone without any restrictions from Google. In the Android settings menu, you can tick an option to let you install an application from any source, and while it’s unchecked by default, once you have enabled it you can upload an app from anywhere – be that a USB stick or even through the browser on your phone.

“By opening up to everyone and making it so incredibly easy for everyone to get a slice of the cake, they [Google] were able to catch-up [with Apple].”

In relation to the problems facing Google and Android, Garlati has heard grumblings from app developers: “I’ve been hearing this from many developers out there. It’s not clear how sustainable this model is because when you develop an application for Android, you are not only developing an application for Android, you are developing a set of applications for a set of operating systems and a set of target devices with different form factors and different underlying capabilities in terms of APIs.”

This means that an app which works well on one device may not work as well, or even at all, on a phone from another manufacturer. “So as a developer when you invest your money, this is relevant because it really segments your target audience.”

Garlati believes one of the major issues with security on mobile phones is a lack of awareness among the general public. “[There is a] total lack of education out there, especially in the consumer sector. The consumers need to be told that there is a real and serious threat in terms of security on your mobile phone and it’s an economical threat.”

What people don’t understand, Garlati says, is that the problem is not with the phone itself breaking or being stolen, but with the data on the phone getting into the wrong hands, including bank details and passwords. “By exposing your personal information, you are exposing yourself, your financial situation and your family situation.”

There has been exponential growth in terms of mobile malware in recent years. Malware is not the same as a traditional type of virus, whose aim was to disrupt your device.

Malware is part of a multi-billion pound cybercrime industry headed by organised crime groups who are investing heavily in sophisticated pieces of software which will steal your data without you even knowing.

However, while Android’s fragmentation may frustrate many, it is this very fact which Garlati believes will put cybercriminals targeting mobile phones off. Because there are so many versions of Android, compared to the single version of iOS, criminals will be more inclined to develop malware which will work on all iOS devices rather than a small subset of Android devices.

Garlati also said that he doesn’t expect to see things changing very quickly, with Apple unwilling to change its closed eco-system set-up. He does, however, expect Google to pay more attention to the issue of fragmentation; the company has already initiated the Android Bouncer feature in Android Market to try and monitor it for malicious apps. When it comes to Windows Phone, Garlati is less sure of what to expect: the OS is so new that it is hard to tell what will happen.

Garlati urges smartphone users to educate themselves about the possible risks involved and a simple way of doing this is to make sure to read just what information an app you are downloading is accessing on your device – especially when updating it, in case the developers have included something they shouldn’t have.

Researchers have successfully breached the Good Technology container. MDM software can only be as secure as the underlying operating system.

*Original article http://www.ibtimes.co.uk/articles/319581/20120326/safe-smartphone.htm#ixzz1r4u8J7mG

** Full report available at http://trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_enterprise_readiness_consumerization_mobile_platforms.pdf

About Cesare Garlati
Co-Chair Cloud Security Alliance - Consumerization, BYOD and Mobile Security.
