Apple Inc.'s iPhone poses greater security risks than smart phones running Google Inc.'s Android, Research in Motion Ltd.'s Blackberry or Nokia Corp.'s Symbian operating systems, according to a recent survey conducted by San Francisco-based network security and compliance auditing firm nCircle Inc.
nCircle asked 257 IT professionals which smart phone platform carries the greatest security risk. The iPhone ranked first, with 57 per cent of respondents, followed by Android at 39 per cent, Blackberry at 28 per cent and Symbian at 13 per cent. The remaining nine per cent of respondents opted for the “other” category.
The findings are not surprising, said Andrew Storms, director of security operations for nCircle. “The iPhone continues to be a contentious topic for enterprises,” he said. The problem is partly historic and partly due to Apple’s “response mechanism,” he said.
Apple did not start off with a solid enterprise package or supportability, and while they continued to add features and flavours to make the system more enterprise-savvy, the company is generally “not a vocal bunch” with security compared to other companies like Microsoft Corp., he said.
Microsoft is very good at “providing a much more feel-good mentality” to users by letting them know they are working on issues, said Storms. “Apple is very much quite the opposite. They are that silent figure in the background, where you are not quite sure what it is they are thinking or what they are going to do next,” he said.
Storms didn’t say whether the iPhone is less secure or not. “Every device has its problems,” he said. “But as of yet, let’s just say that no one publicly has determined a way to subvert so much encryption or security mechanisms of the Blackberry compared to the iPhone.”
The annual Pwn2Own contest, which took place at the CanSecWest security conference in Vancouver last week, featured a similar mobile OS lineup. The mobile phone category targeted the Apple iPhone 3GS, RIM Blackberry Bold 9700, Nokia E72 device running Symbian and HTC’s Nexus One running Android.
Vincenzo Iozzo and Ralf Weinmann ran a successful attack on the iPhone through the Safari mobile browser. No one attempted to hack into the Blackberry or Android devices. One contestant registered to hack the Nokia, but did not show up to run the attack.
The iPhone was likely targeted by contestants because of Safari, which uses the Web kit library, said Aaron Portnoy, security research team lead at
TippingPoint, one of three brands owned by 3Com Corp. and sponsor of the Pwn2Own hacking contest.
“Safari on OS X also uses the Web kit library, so if you find a vulnerability on the desktop system, which generally is easier because you have more memory and more resources to actually research vulnerability, you can then port it to the iPhone and it is not as hard as, say, trying to approach the Blackberry or the Nokia, which are completely different operating systems with different browsers,” he said.
Portnoy wouldn’t generalize about smartphone security. “Each one is implemented entirely differently … they all have different sandboxing techniques that both have their pros and cons, so it’s definitely difficult to say one is more secure than another,” he said.
Charlie Miller, principal security analyst for Baltimore, MD-based consulting firm Independent Security Evaluators and three time winner of Pwn2Own, said he’s written exploits for both the iPhone and Android and finds the two roughly the same in terms of security risks.
“They both have problems and people have broken into both of them … you could argue which one is more secure or not, but I don’t really think there is that big of a difference,” he said.
There isn't a lot of malware out there for smart phones, said Miller. “If you start to see more malware on phones, I suspect you’ll see it on the iPhone as much as anything else. But at this point, you don’t see a lot to begin with,” he said.
It is a little more difficult to write malware and exploits for phones and the “bad guys” don’t have access to phones as easily as they do to computers, he said.
“Everyone has a computer and everyone has Windows on their computer … but if I want to write a piece of malware for Android, that means I have to an Android phone and that means maybe I have to have a year contract to buy this phone, and same with the iPhone,” he said.
Encryption is a big concern, according to Miller. Because there isn’t a lot of malware, the biggest risk is that you are going to lose your phone, and encryption is a way to stop that from being a problem, he said.
Miller won Pwn2Own in 2008, 2009 and 2010 for hacking into the Mac. This year, his attack directed a MacBook Pro running Safari 4 on Snow Leopard (Mac OS X 10.6) to an exploit on a Web site.
“I was able to run whatever commands I wanted on their computer, only they had no idea this was going on. Their browser was running perfectly fine,” he said.
Miller provided information on the coding error to TippingPoint, which will turn it over to Apple so the company can fix the bug and supply a patch.
(Read “iPhone falls in Pwn2Own hacking contest” and “Pwn2Own winner tells Apple, Microsoft to find their own bugs” for details on what happened at Pwn2Own.)
nCircle’s survey also found that 58 per cent of respondents have smart phone security policies in their organizations. Of these respondents with smart phone security policies, 65 per cent said the policies were enforced by their organizations.
The upside is that enterprises do understand the risks and they are putting policies and procedures in place, said Storms. “Embracing it is probably the best and first route right now and part of embracing it is setting those policies and procedures and educating the public,” he said.
A battle over whether or not to support the iPhone continues to take place between executive teams who like the iPhone’s features and security teams who question how the iPhone fits into their compliance model, he said. “The topic is still very heated and it’s still 50/50,” he said.
Encryption is probably the biggest hurdle enterprises face with the iPhone, said Storms. Enterprise users have confidential information and intellectual property on their phones, he said. “We need to fully ensure that the data is fully encrypted and can’t be easily subverted,” he said.
Storms anticipates Apple will address the security issues this year. “Apple generally has two or three decent releases a year. We are hoping the next release will be this summer and we are all looking forward to seeing what will be in there,” he said.
All this attention on iPhone security may turn to Apple’s favour down the road, according to Storms. “If we have all these people trying to break into the iPhone, it may end up being Apple’s golden hour. The iPhone may end up being the most secure device because so many people are trying to break into it,” he said.
Follow me on Twitter @jenniferkavur.
