You might be forgiven for thinking that the iPhone is the most secure of the smartphone choices, especially if you've opted for a 5S or above with that fingerprint reader for secure ID and iOS 8 as the most robust of operating systems. Forgiven, but wrong; despite the claims from Apple that iOS is designed with advanced security technologies built in rather than bolted on. If you go by the results of the annual PWN2OWN hacking competition which was held in Tokyo last week, then iOS fell behind Android and to add to the jaw-dropping amongst many pundits Android in turn fell behind Windows Phone which proved the hardest to hack platform of all.
It's not been the best of months for Apple as far as iOS security reputation goes. First the security researchers disclosed the Masque Attack which has the potential to leave business users at risk. Essentially, this means that apps distributed using enterprise provisioning profiles are not subject to the normal Apple security review process roadblocks, and malicious apps can be installed over the top of (and replacing) genuine ones if they share the same bundle identifier. Apple has rather waved this off as a non-event, but if you read the FireEye disclosure report you will see that the company claims to be aware of in the wild attacks taking place.
And then came the Mobile PWN2OWN 2014 results, with a South Korean team managing to pwn the iPhone 5S by way of the Safari browser on the very first day with a two-vulnerability combo that enable a full Safari sandbox escape to take place. Not good, not good at all, although you could argue that it's the browser at fault rather than the OS; something of a non-argument really though if the sandbox was escaped and device control lost.
Android phones performed better, but still suffered at the hands of the exploit teams. On the second day two teams were able to demonstrate successful attacks against the Samsung Galaxy S5. The first was by a Japanese group which used NFC as the attack vector, the second by a South African team also exploiting NFC. However, these were actually Samsung-specific vulnerabilities rather than Android ones per se. The LG Nexus 5 also succumbed to a couple of vulnerabilities as demonstrated by a UK team which used NFC to force Bluetooth pairings. Unlike the iOS attacks, none of these allowed total control over the devices.
OK, so while it could be argued that the reason Windows Phone did so well was that only one team targeted it that would be a flawed assumption. Teams only target devices at the competition proper if they have been able to uncover working zero-day exploits in the lab. If they have not, then they don't enter as there is no point. One competitor managed to aim an exploit at the browser on a Lumia 1520 but only got as far as the cookies and couldn't actually break out of the sandbox. A pretty impressive result, if you ask me (as a non-Windows Phone user I should add.)
Obviously, when it comes to the bad guys, they target the devices which will reap the biggest return on their efforts. So while all the exploits were immediately disclosed to the vendors at PWN2OWN, because these are not the bad guys, that doesn't mean that zero-days don't exist out there for all platforms. What the results do reflect, I suspect, is that less effort is being put into Windows Phone devices as they have a much lower market share and so the profitability of successful attack is equally lower than the market leaders.