4/24/2015
02:00 PM

Smartphone Security Shootout

Researcher compared Apple iOS, Android, Windows smartphones for business use privacy and security.

RSA CONFERENCE -- San Francisco -- Conventional wisdom says the Apple iPhone is hands down safer for business users than Android, but a security researcher found Android a close second to the iPhone, provided the device is a Google Nexus or a Samsung Knox-equipped phone.

Chet Wisniewski, senior security advisor at Sophos, here today released findings of his hands-on research on privacy and security implications of iOS, Android, and Windows smartphones for business users in his session "Mobile Security Shootout -- Which Smartphones Are Up to the Task?" "I would have no reservation using Apple iOS [for business] as long as you're going to use something to manage them and make a conscious decision on what goes on the phone," he said in an interview with Dark Reading last week prior to RSA.

"Android is mostly a thumbs up with a slight reservation: do you bring your own or choose it for the users? If you're going with Samsung Knox or Nexus, I have no reservations. They are on equal footing with iPhone," he says.

It's the BYOD Androids that are problematic. "If you have old Androids, or ones with seven layers of gunk on top, it becomes hard to know your risk profile," he says. "If I were an organization, I wouldn't look at BYO. You should choose your own [for users] then you can manage and restrict apps."

Wisniewski found the Windows phone a bit riskier for enterprises. "Until Windows 10 phone" comes out, he says, "I'd probably hold off on Windows myself."

That's because Windows 10 promises more control and improved API support, he says.

Wisniewski's smartphone experiment covered three phones, all left on their default settings: a Google Nexus 6 running Android 5.0.1, an Apple iPhone 6 Plus running iOS 8.2, and a Nokia Lumia 635 running Windows Phone 8.1.

"What surprised me was the increasing adoption of Windows Mobile among IT people. We're not seeing it deployed among thousands of employees, but seeing IT guys giving it to the IT staff," he says. "It's pretty darn good: it has an intuitive interface, the battery life is good, it's good quality, and more affordable than an iPhone. IT people like to try everything … I've enjoyed playing with it."

But he also found the Windows phone gathers the most user and phone information. "That's more sensitive for a business environment," he says.

He says he found it sends the phone user's keystrokes back to Microsoft for purposes of improving the keyboard software, or layout. But Wisniewski says while Microsoft isn't trying to grab passwords or anything nefarious, that information could accidentally get swept up in the reporting. "That was really disconcerting," he says. "I wouldn't want my potentially sensitive data sent off to a server and hoping Microsoft wouldn't lose it or whatever."

Another red flag was that the Windows phone encourages use of the WiFi Sense feature, which records the credentials of the WiFi networks the user joins, automatically shares them with the user's friends, and connects to open hotspots on its own. "It sees a Starbucks connection on its own, accepts its licensing agreement, and connects you to it," he says. "If a friend of yours has a Windows phone, it will send your username and password and send them to your Comcast WiFi with their credentials."

The Android phone he tested leaks location information quite a bit, he says. "Apple doesn't without explicit permission," he says.

Wisniewski loaded the phones with apps that typical users might have for business as well as personal use: Facebook, Facebook Messenger, Pinterest, Snapchat, Twitter, a password manager, and even Candy Crush Saga and a flashlight app.

Interestingly, the flashlight app for iOS connected to 18 different networks, including 14 ad networks, within a minute of being launched. "It leaked my public and private IP addresses even though it wasn't given location permission. It grabbed my battery status, memory utilization … whether I was on WiFi or cellular, and the carrier that issued me my phone and sent that to the ad networks."

Battery status may not be sensitive information for a business user to have leaked, he says, but all of this data adds up. "All of this ad tracking does add up over time. It's a big data puzzle they put together. One app contacting 14 networks starts to build a profile I'm not comfortable with," he says.

The Android smartphone flashlight app, meanwhile, connected to 8 different ad networks. "It transmitted 7 megabytes of data in over one minute," he says.
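The figures above (distinct networks, ad networks contacted, bytes sent in the first minute) come from watching each app's traffic right after launch. As an added example, not Wisniewski's tooling or anything from the original article, the following Python script turns a per-connection log into those same per-app numbers. The log format (seconds since launch, app label, destination host, bytes sent), the host names, the sample lines and the ad-network list are all constructed assumptions for the example; in practice the lines would come from an intercepting proxy or a packet-capture summary, and the ad-network list from whatever tracker blocklist you maintain.

```python
"""Per-app network egress summary over the first minute after launch.

Added example, not from the article or from Sophos. Assumed (constructed)
log format, one connection per line:

    <seconds since app launch> <app label> <destination host> <bytes sent>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a flashlight app on two platforms, first minute after launch.
SAMPLE_LOG = """\
0.4  ios-flashlight      api.flashlightvendor.example   812
0.9  ios-flashlight      ads.adnet-one.example          2210
1.1  ios-flashlight      track.adnet-two.example        1502
1.3  ios-flashlight      cdn.flashlightvendor.example   310
2.0  ios-flashlight      ads.adnet-one.example          1900
5.7  ios-flashlight      beacon.adnet-three.example     990
61.0 ios-flashlight      ads.adnet-one.example          4000
0.5  android-flashlight  ads.adnet-one.example          3000000
0.8  android-flashlight  sdk.adnet-four.example         2500000
3.2  android-flashlight  api.flashlightvendor.example   1500
"""

# Constructed stand-in for a real ad/tracker blocklist (registrable domains).
AD_NETWORK_DOMAINS = {
    "adnet-one.example", "adnet-two.example",
    "adnet-three.example", "adnet-four.example",
}


@dataclass
class AppStats:
    hosts: set[str] = field(default_factory=set)
    ad_networks: set[str] = field(default_factory=set)
    bytes_sent: int = 0


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Enough for the sample; a real tool should
    use the Public Suffix List so names like example.co.uk are not mis-grouped."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def summarize(log_text: str, window_s: float = 60.0) -> dict[str, AppStats]:
    """Aggregate connections that occur within window_s seconds of each app's launch."""
    stats: dict[str, AppStats] = defaultdict(AppStats)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        t, app, host, nbytes = parts
        if float(t) > window_s:
            continue  # outside the observation window, not counted
        s = stats[app]
        s.hosts.add(host.lower())
        domain = registrable_domain(host)
        if domain in AD_NETWORK_DOMAINS:
            s.ad_networks.add(domain)
        s.bytes_sent += int(nbytes)
    return dict(stats)


def flag_apps(stats: dict[str, AppStats], max_ad_networks: int = 3) -> list[str]:
    """Apps that reach at least max_ad_networks distinct ad networks; a starting
    point for the app-restriction decision the article recommends."""
    return sorted(app for app, s in stats.items()
                  if len(s.ad_networks) >= max_ad_networks)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for app, s in sorted(result.items()):
        print(f"{app}: {len(s.hosts)} hosts, {len(s.ad_networks)} ad networks, "
              f"{s.bytes_sent} bytes sent in first 60 s")
    print("flagged:", flag_apps(result))
```

The window cut-off matters: the iOS sample has a seventh connection at 61 seconds that is deliberately excluded, which is why counting "within a minute" and counting "ever" give different answers. Distinct ad networks are counted by registrable domain rather than by host so that several beacon hostnames under one network are not inflated into several networks.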

The real difference among the security of smartphone platforms, he says, is the level of control the business has over them. "Separation [of business and personal data] is important … what processes do you allow on that device?" 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
 

Comments
Joe Stanganelli (User Rank: Ninja), 4/30/2015 | 11:14:42 PM
Re: No BlackBerry in this so-called "security shootout"
Incidentally, I'm interested to see if Silent Circle's purportedly ultra-secure smartphone can make any major penetration in the market.

Alas, functionality and features seem to trump security in the consumer market -- which in turn informs and impacts the enterprise market.
Joe Stanganelli (User Rank: Ninja), 4/30/2015 | 11:10:07 PM
Re: No Commercial Solutions Are Secure
@digitallachance: Good for you for making me defend the claim.  (Truly.  Not sarcastic.)  I double-checked and it appears that I was apparently relying on reports that in turn relied upon misleading/untrue assertions.

In 2010, there were reports that RIM (as it was then known) had compromised and provided backdoor access to the Indian government.  e.g., articles.economictimes.indiatimes.com/2012-08-02/news/33001399_1_blackberry-enterprise-encryption-keys-corporate-emails

It turns out, however, that these reports were apparently a bit overstated.  www.theregister.co.uk/2012/08/02/rim_keys_india/

It appears that RIM arranged for a "lawful access" compromise -- but that there were no actual keys to give.
Joe Stanganelli (User Rank: Ninja), 4/30/2015 | 11:02:56 PM
Re: platform selection
@macker: It's really lamentable how many people/organizations continue to rely on SSNs as a security metric/identifier.  SSNs were originally intended to have more of a "username" function -- and now they are used as "passwords" (which is just silly for anything requiring more security than, say, a 1990s Geocities chat room).
digitallachance (User Rank: Apprentice), 4/30/2015 | 12:57:34 PM
No BlackBerry in this so-called "security shootout"
Seriously, I know how the consumers consider BlackBerry to be out of business and irrelevant, but anyone who cares about security will agree you can't talk mobile phone security without mentioning BlackBerry.  The president of the United States is not carrying an iPhone or an Android or a Windows phone.  Only BlackBerry has the high level of certification required for the US DOD to use those devices.
digitallachance (User Rank: Apprentice), 4/30/2015 | 12:50:58 PM
Re: No Commercial Solutions Are Secure
Joe,

Do you have any evidence that BlackBerry provided governments backdoors or is this just a conspiracy theory?
macker490 (User Rank: Ninja), 4/30/2015 | 7:33:41 AM
Re: platform selection
Joe,--

to a point I think you are right: better user training will help.  but you are tackling a blizzard with a push-broom: the rapacious raiding of user computers for "big data" by the commercial sector -- and by government -- is simply stunning.

run NOSCRIPT on your browser for a while and note: when you access a site -- like this one -- how many connections do you actually acquire?    the crux of this is that reading the internet is like running down a dark alley: wear your boots; don't go barefoot.

extending this to "platform" -- or your hardware/software setup -- security needs to be addressed starting from the standpoint of the operating software.   your operating software must not allow itself to be affected by the actions of an application program -- whether by intent or by error.

but o/s security is only a start

in our online environment all of our usual identifiers -- name, address, date of birth, social security number, eMail address, mother's maiden name, ... are all compromised -- either in public bazaars or out in the DarkNet

Which leads us to the need for Secure Computing in a Compromised Environment

the basic need is an identification that can be used in public but which at the same time can be controlled by the owner

Symmetric keys -- such as eMail address, Soc.Sec.Nr &c are not sufficient: once compromised -- they can be used by anyone.   we must move to Public Key Encryption to provide the AUTHENTICATION of documents that is critical to business requirements.

to do this we must begin by dispelling the MYTH that PGP or GnuPG -- is too difficult for "everyone" to use.  Properly packaged -- such as the ENIGMAIL plugin for Thunderbird -- anyone who can use Excel -- can easily use PGP/GnuPG

it's just another drop-down dialog box.
Joe Stanganelli (User Rank: Ninja), 4/29/2015 | 11:26:23 PM
Re: Both are vulnerable !
Funny how older tech is often more secure.

Maybe we should go back to typewriters and smoke signals.
Joe Stanganelli (User Rank: Ninja), 4/29/2015 | 11:24:04 PM
Re: No Commercial Solutions Are Secure
@Ian: After the Snowden revelations, would YOU trust a tech company on data privacy and data security if one of their biggest customers is the federal government?  ;)

(For that matter, should we continue to trust IBM?)  ;)
Blog Voyage (User Rank: Strategist), 4/28/2015 | 12:08:36 PM
Both are vulnerable !
In fact, iOS is just as vulnerable as Android. Both are more vulnerable than BlackBerry ever was, but that's not relevant today.
RyanSepe (User Rank: Ninja), 4/27/2015 | 9:01:52 AM
Samsung Knox
I was curious during its inception how the Samsung KNOX security suite would perform. Is it still enabled by default on Samsung based phones or was that removed due to user gripes? If its not set as default I guarantee that the majority of users will not turn it on even if prompted.