You might be forgiven for thinking that the iPhone is the most secure of the smartphone choices, especially if you've opted for a 5S or above with that fingerprint reader for secure ID and iOS 8 as the most robust of operating systems. Forgiven, but wrong; despite the claims from Apple that iOS is designed with advanced security technologies built in rather than bolted on. If you go by the results of the annual PWN2OWN hacking competition which was held in Tokyo last week, then iOS fell behind Android and to add to the jaw-dropping amongst many pundits Android in turn fell behind Windows Phone which proved the hardest to hack platform of all.

It's not been the best of months for Apple as far as iOS security reputation goes. First the security researchers disclosed the Masque Attack which has the potential to leave business users at risk. Essentially, this means that apps distributed using enterprise provisioning profiles are not subject to the normal Apple security review process roadblocks, and malicious apps can be installed over the top of (and replacing) genuine ones if they share the same bundle identifier. Apple has rather waved this off as a non-event, but if you read the FireEye disclosure report you will see that the company claims to be aware of in the wild attacks taking place.

And then came the Mobile PWN2OWN 2014 results, with a South Korean team managing to pwn the iPhone 5S by way of the Safari browser on the very first day with a two-vulnerability combo that enable a full Safari sandbox escape to take place. Not good, not good at all, although you could argue that it's the browser at fault rather than the OS; something of a non-argument really though if the sandbox was escaped and device control lost.

Android phones performed better, but still suffered at the hands of the exploit teams. On the second day two teams were able to demonstrate successful attacks against the Samsung Galaxy S5. The first was by a Japanese group which used NFC as the attack vector, the second by a South African team also exploiting NFC. However, these were actually Samsung-specific vulnerabilities rather than Android ones per se. The LG Nexus 5 also succumbed to a couple of vulnerabilities as demonstrated by a UK team which used NFC to force Bluetooth pairings. Unlike the iOS attacks, none of these allowed total control over the devices.

OK, so while it could be argued that the reason Windows Phone did so well was that only one team targeted it that would be a flawed assumption. Teams only target devices at the competition proper if they have been able to uncover working zero-day exploits in the lab. If they have not, then they don't enter as there is no point. One competitor managed to aim an exploit at the browser on a Lumia 1520 but only got as far as the cookies and couldn't actually break out of the sandbox. A pretty impressive result, if you ask me (as a non-Windows Phone user I should add.)

Obviously, when it comes to the bad guys, they target the devices which will reap the biggest return on their efforts. So while all the exploits were immediately disclosed to the vendors at PWN2OWN, because these are not the bad guys, that doesn't mean that zero-days don't exist out there for all platforms. What the results do reflect, I suspect, is that less effort is being put into Windows Phone devices as they have a much lower market share and so the profitability of successful attack is equally lower than the market leaders.

About the Author

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

PWN2OWN isn't really representative though. It's a bit like the historical claims about Apple laptops being secure due to the lack of exploits: mostly this was just down to the tiny userbase, and the economics of researching a minority OS. As the userbase grew, so did the attention.

There are few exploits for the Windows phone today, because there are few users of the Windows phone...

commented: awsome username +14

I seemed to agree with the above poster as currently windows devices haven't that much user over their platform is the reason why it's on top ! I am sure it will lower down once the number increases. But for the time I am giving my vote to Windows.

Actually, the 'fewer users' argument doesn't apply to PWN2OWN. As I said in the news story itself:

while it could be argued that the reason Windows Phone did so well was that only one team targeted it that would be a flawed assumption. Teams only target devices at the competition proper if they have been able to uncover working zero-day exploits in the lab. If they have not, then they don't enter as there is no point

Yes, there are fewer exploits out there for Windows Phone due to fewer users, but researchers have a financial incentive to find vulnerabilities no matter what the installed user base is. The fact of the matter is that they didn't, and for now at least that's good news from the security posture of the OS perspective.