Smartphone Security Winners & Losers

Post based on my interview with Jeanne Friedman, content manager for  RSA Conference.

In the mobile space the BYOD trend is becoming a minefield for IT administrators. Many companies have experienced a data breach as a result of an employee owned device accessing the corporate network. When the stakes are this high, corporate IT needs to know which platforms to allow and which to refuse.

Android is the most popular mobile platform in the world. It is also the most vulnerable to attack and in fact the most exploited. Contrary to common perception, Apple mobile devices are not immune to security flaws. And in fact less secure than Android if users “jail break” their devices – to escape Apple’s control.

As the Vice President of Mobile Security at Trend Micro, I wanted to get a thorough understanding of how secure and manageable these new mobile platforms are. This has been a recurring question, because the traditional mobile platforms, namely Nokia Symbian and RIM Blackberry, were actually designed for the enterprise. These days, the new mobile platforms – Windows Phone, Android and Apple iOS – are in fact quite different in terms of design criteria. The security and manageability requirements that the enterprise expects are still not key design factors.

So, what I wanted to do was to poll a group of independent mobile security experts and ask them to rank each mobile platform with regard to security and manageability. Sounds interesting? Can’t wait to know what mobile brands are the winners and losers?

Well, I don’t want to spoil the surprise for the people who will join my session at the RSA Conference 2012 in London. What I can tell you is that while I was running this study with the mobility experts, I also asked our marketing department to run a parallel survey to ask the very same question to the IT manager out there. Essentially, we wanted to compare perception (IT managers) versus reality (mobility experts). What I can tell you right now is that the answers we received from the experts are in fact quite different than the common perception among IT professionals. So, for the people who are interested in joining my session: you might think that some of the platforms out there are secure while the mobile security experts think quite differently. According to the experts, the new mobile platforms still have a long way to go in terms of manageability and security: as a group, consumer mobile platforms are not as secure and manageable as you may expect them to be.

But how about Android in particular? Are there any Android exploits that make organizations with BYOD policies the most vulnerable?

Let me start by sharing a key mobile security fact. Android is the number one platform in the world. It is also the most vulnerable to attack and in fact the most exploited. Whether you are an IT manager in charge of defining BYOD policies for your organizations or simple Android user, you need to be aware that the OS itself has been designed with strong security criteria and that there are some built-in security features that really make Android one of the most solid platforms in the market. However, the overall ecosystem around Android is quite different than the Apple iOS’ one. The main key difference is that Android is a truly open system. As such the Android Market – now Google Play – and the many websites where Android apps can be bought and download is open. This somehow removes some of the filters and some of the scrutiny that Apple excise on iOS.

Consumers – and IT managers in particular- need to understand that when you download an Android app, no one really checks what the application is actually going to do with your personal data, with the financial information you stored in your device and with the privacy of your communications and your text messages. I think this is really the key message really with regard to Android: very well designed in terms of built in security, but the ecosystem is probably too open to really grant the level of security and trust that consumers and IT professionals would expect.

On the other hand, there are vulnerabilities related to Apple jailbroken devices that also make companies vulnerable. Apple iOS is a wonderful piece of software, but it is no magic. As any software in the world, it has its own vulnerabilities. As proved release after release, there have always been some security flaws. Now, the good thing with iOS is that these security flaws haven’t been really exploited in a major way because of the additional scrutiny that Apple exercises on the ecosystem through the Apple App Store.

Now, jailbreaking is something quite different. I want to make this clear distinction. Not many people jailbreak their Apple devices and therefore the security of iOS as a platform, as a whole, is definitely very high. But many people do feel like the strict control that Apple exercises on the platform somehow constrains their choice. I respect that. Consumers value choice. Therefore they jailbreak, or if you want, “open up” the iOS system so that they can download and install whatever applications they want perhaps to personalize look and feel and the overall user experience.

By doing this, by opening up an alternative channel for the apps to get into the device, they skip the control that Apple otherwise exercises on the App Store. And they do get exposed. And we do have examples of malware, trojans and other exploits that specifically targeted Apple iOS jailbroken devices.

My message to Apple users out there is: Really think twice before you jailbreak your device because jailbreaking per se does not compromise the security of the system, but the end result is that you as an end user will be much more exposed to bad things. To the IT managers struggling with the Consumerization of IT, my message is quite different: Do not take the risk. Do not tolerate jailbroken devices on your network. That’s a risk that makes no sense to your organizations.