Which is the most secure smartphone? Not the iPhone it appears...

happygeek

You might be forgiven for thinking that the iPhone is the most secure of the smartphone choices, especially if you've opted for a 5S or above with that fingerprint reader for secure ID and iOS 8 as the most robust of operating systems. Forgiven, but wrong, despite the claims from Apple that iOS is designed with advanced security technologies built in rather than bolted on. If you go by the results of the annual PWN2OWN hacking competition, which was held in Tokyo last week, then iOS fell behind Android and, to add to the jaw-dropping amongst many pundits, Android in turn fell behind Windows Phone, which proved the hardest-to-hack platform of all.

It's not been the best of months for Apple as far as iOS security reputation goes. First, security researchers disclosed the Masque Attack, which has the potential to leave business users at risk. Essentially, this means that apps distributed using enterprise provisioning profiles are not subject to the normal Apple security review process roadblocks, and malicious apps can be installed over the top of (and replacing) genuine ones if they share the same bundle identifier. Apple has rather waved this off as a non-event, but if you read the FireEye disclosure report you will see that the company claims to be aware of in-the-wild attacks taking place.

And then came the Mobile PWN2OWN 2014 results, with a South Korean team managing to pwn the iPhone 5S by way of the Safari browser on the very first day with a two-vulnerability combo that enabled a full Safari sandbox escape to take place. Not good, not good at all, although you could argue that it's the browser at fault rather than the OS; something of a non-argument really, though, if the sandbox was escaped and device control lost.

Android phones performed better, but still suffered at the hands of the exploit teams. On the second day two teams were able to demonstrate successful attacks against the Samsung Galaxy S5. The first was by a Japanese group which used NFC as the attack vector, the second by a South African team also exploiting NFC. However, these were actually Samsung-specific vulnerabilities rather than Android ones per se. The LG Nexus 5 also succumbed to a couple of vulnerabilities as demonstrated by a UK team which used NFC to force Bluetooth pairings. Unlike the iOS attacks, none of these allowed total control over the devices.

OK, so while it could be argued that the reason Windows Phone did so well was that only one team targeted it, that would be a flawed assumption. Teams only target devices at the competition proper if they have been able to uncover working zero-day exploits in the lab. If they have not, then they don't enter as there is no point. One competitor managed to aim an exploit at the browser on a Lumia 1520 but only got as far as the cookies and couldn't actually break out of the sandbox. A pretty impressive result, if you ask me (as a non-Windows Phone user, I should add).

Obviously, when it comes to the bad guys, they target the devices which will reap the biggest return on their efforts. So while all the exploits were immediately disclosed to the vendors at PWN2OWN, because these are not the bad guys, that doesn't mean that zero-days don't exist out there for all platforms. What the results do reflect, I suspect, is that less effort is being put into Windows Phone devices as they have a much lower market share, and so the profitability of a successful attack is correspondingly lower than for the market leaders.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

nRg6ExWxsJ8JzX 14 Newbie Poster

PWN2OWN isn't really representative though. It's a bit like the historical claims about Apple laptops being secure due to the lack of exploits: mostly this was just down to the tiny userbase, and the economics of researching a minority OS. As the userbase grew, so did the attention.

There are few exploits for the Windows phone today, because there are few users of the Windows phone...

commented: awesome username +14

Kelly Burby 44 Posting Pro

I seem to agree with the above poster: Windows devices currently don't have that many users on their platform, which is the reason why it's on top! I am sure it will drop once the number increases. But for the time being I am giving my vote to Windows.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Actually, the 'fewer users' argument doesn't apply to PWN2OWN. As I said in the news story itself:

"while it could be argued that the reason Windows Phone did so well was that only one team targeted it, that would be a flawed assumption. Teams only target devices at the competition proper if they have been able to uncover working zero-day exploits in the lab. If they have not, then they don't enter as there is no point"

Yes, there are fewer exploits out there for Windows Phone due to fewer users, but researchers have a financial incentive to find vulnerabilities no matter what the installed user base is. The fact of the matter is that they didn't, and for now at least that's good news from the security posture of the OS perspective.
