RSA CONFERENCE -- San Francisco -- Conventional wisdom holds that Apple's iPhone is hands-down safer for business users than Android, but a security researcher found Android a close second to the iPhone if the device is a Google Nexus or a Samsung Knox-equipped phone.
Chet Wisniewski, senior security advisor at Sophos, here today released findings of his hands-on research on privacy and security implications of iOS, Android, and Windows smartphones for business users in his session "Mobile Security Shootout -- Which Smartphones Are Up to the Task?" "I would have no reservation using Apple iOS [for business] as long as you're going to use something to manage them and make a conscious decision on what goes on the phone," he said in an interview with Dark Reading last week prior to RSA.
"Android is mostly a thumbs up with a slight reservation: do you bring your own or choose it for the users? If you're going with Samsung Knox or Nexus, I have no reservations. They are on equal footing with iPhone," he says.
It's the BYOD Androids that are problematic. "If you have old Androids, or ones with seven layers of gunk on top, it becomes hard to know your risk profile," he says. "If I were an organization, I wouldn't look at BYO. You should choose your own [for users] then you can manage and restrict apps."
Wisniewski found the Windows phone a bit riskier for enterprises. "Until Windows 10 phone comes out," he says, "I'd probably hold off on Windows myself."
That's because Windows 10 promises more control and improved API support, he says.
Wisniewski's smartphone experiment covered three phones, all left at their default settings: a Google Nexus 6 running Android 5.0.1, an Apple iPhone 6 Plus running iOS 8.2, and a Nokia Lumia 635 running Windows Phone 8.1.
"What surprised me was the increasing adoption of Windows Mobile among IT people. We're not seeing it deployed among thousands of employees, but seeing IT guys giving it to the IT staff," he says. "It's pretty darn good: it has an intuitive interface, the battery life is good, it's good quality, and more affordable than an iPhone. IT people like to try everything … I've enjoyed playing with it."
But he also found the Windows phone gathers the most user and phone information. "That's more sensitive for a business environment," he says.
He says he found that the phone sends the user's keystrokes back to Microsoft to improve the keyboard software and layout. Wisniewski says Microsoft isn't trying to grab passwords or do anything nefarious, but such information could accidentally get swept up in the reporting. "That was really disconcerting," he says. "I wouldn't want my potentially sensitive data sent off to a server and hoping Microsoft wouldn't lose it or whatever."
Another red flag was that the Windows phone encourages use of the WiFi Sense feature, which collects the credentials of WiFi networks the user joins, automatically shares them with the user's contacts, and connects the phone to open hotspots on its own. "It sees a Starbucks connection on its own, accepts its licensing agreement, and connects you to it," he says. "If a friend of yours has a Windows phone, it will send your username and password and send them to your Comcast WiFi with their credentials."
The Android phone he tested leaks location information frequently, he says. "Apple doesn't without explicit permission," he says.
Wisniewski loaded apps on the phones that typical users might have for both business and personal use: Facebook, Facebook Messenger, Pinterest, Snapchat, Twitter, a password manager, and even Candy Crush Saga and a flashlight app.
Interestingly, the flashlight app for iOS connected to 18 different networks, including 14 ad networks, within a minute of being launched. "It leaked my public and private IP addresses even though it wasn't given location permission. It grabbed my battery status, memory utilization … whether I was on WiFi or cellular, and the carrier that issued me my phone and sent that to the ad networks."
Battery status may not be sensitive information for a business user to have leaked, he says, but all of this data adds up. "All of this ad tracking does add up over time. It's a big data puzzle they put together. One app contacting 14 networks starts to build a profile I'm not comfortable with," he says.
The Android smartphone flashlight app, meanwhile, connected to 8 different ad networks. "It transmitted 7 megabytes of data in over one minute," he says.
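The flashlight-app findings above (how many hosts an app contacts in its first minute, how many of them are ad networks, how much data leaves the phone, and which device details ride along in the requests) are the kind of thing a practitioner can reproduce by capturing the app's traffic through a proxy and triaging the log. The script below is an added example written for this article, not Wisniewski's or Sophos's code. It assumes a simple one-line-per-request log format, a constructed sample log with made-up `.example` hostnames, a hypothetical ad-network suffix list, and assumed query-parameter names for the device fields (`battery`, `carrier`, `private_ip`, and so on); in a real capture those names would come from the app's actual requests.

```python
"""Triage an app's first-minute network activity from a proxy-style request log.

Added example for the article; the log format, hostnames, ad-network suffixes and
parameter names are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Hypothetical ad/tracker domain suffixes (stand-in for a real blocklist).
AD_SUFFIXES = ("adnet.example", "tracker.example", "ads-cdn.example")

# Query-string keys treated as device fingerprint data (assumed names).
SENSITIVE_KEYS = frozenset(
    {"battery", "mem_used", "carrier", "conn_type", "private_ip", "public_ip"}
)

# Constructed sample log, one request per line: "<ISO time> <host> <bytes_out> <url>".
# The first line is the app's own API call at launch; the last line falls
# outside the 60-second window and must be ignored by the report.
SAMPLE_LOG = """\
2015-04-15T10:00:00 api.flashlight.example 412 https://api.flashlight.example/v1/init?carrier=CarrierX&conn_type=wifi
2015-04-15T10:00:02 a.adnet.example 2048 https://a.adnet.example/track?battery=87&mem_used=1123&private_ip=192.168.1.23
2015-04-15T10:00:04 b.adnet.example 1500 https://b.adnet.example/beacon?public_ip=203.0.113.7
2015-04-15T10:00:09 cdn.tracker.example 3500000 https://cdn.tracker.example/bundle.js
2015-04-15T10:00:40 c.ads-cdn.example 3400000 https://c.ads-cdn.example/img.gif?conn_type=cellular
2015-04-15T10:01:30 d.adnet.example 900 https://d.adnet.example/late?battery=80
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    host: str
    bytes_out: int
    url: str


def parse_log(text: str) -> list[Flow]:
    """Parse '<ISO time> <host> <bytes_out> <url>' lines; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, nbytes, url = line.split(maxsplit=3)
        flows.append(Flow(datetime.fromisoformat(ts), host, int(nbytes), url))
    return flows


def is_ad_host(host: str) -> bool:
    """Suffix match against the ad/tracker list, so a.adnet.example matches adnet.example."""
    return any(host == s or host.endswith("." + s) for s in AD_SUFFIXES)


def sensitive_fields(url: str) -> set[str]:
    """Return the fingerprint keys present in the URL's query string."""
    return SENSITIVE_KEYS & set(parse_qs(urlsplit(url).query))


def first_minute_report(flows: list[Flow], launch: datetime, window_s: int = 60) -> dict:
    """Summarise requests made within window_s seconds of launch (inclusive)."""
    end = launch + timedelta(seconds=window_s)
    hosts: set[str] = set()
    ad_hosts: set[str] = set()
    total = 0
    leaks: dict[str, set[str]] = {}
    for f in flows:
        if not (launch <= f.ts <= end):
            continue
        hosts.add(f.host)
        if is_ad_host(f.host):
            ad_hosts.add(f.host)
        total += f.bytes_out
        keys = sensitive_fields(f.url)
        if keys:
            leaks.setdefault(f.host, set()).update(keys)
    return {
        "hosts": len(hosts),
        "ad_hosts": len(ad_hosts),
        "bytes_out": total,
        "leaks": {h: sorted(k) for h, k in sorted(leaks.items())},
    }


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    # Launch time is taken as the timestamp of the app's first request.
    print(first_minute_report(flows, launch=flows[0].ts))
```

The report separates the three questions the article raises: breadth of contact (distinct hosts, and how many are on the ad list), volume (bytes out in the window), and what left the device (which fingerprint fields went to which host). A TLS-intercepting proxy is needed to see the query strings at all; without one, only the host and byte counts are recoverable from a packet capture.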
The real difference among the security of smartphone platforms, he says, is the level of control the business has over them. "Separation [of business and personal data] is important … what processes do you allow on that device?"