Are iPhones riskier than Android, Blackberry & Nokia phones?

All this attention on iPhone security may turn to Apple's favour down the road

iPhones appear to pose greater security risks than Android, Blackberry and Nokia smart phones, but is this really the case? An nCircle survey says yes, security expert Charlie Miller says not necessarily, and Pwn2Own sponsor TippingPoint won't say.

Apple Inc.'s iPhone poses greater security risks than smart phones running Google Inc.'s Android, Research in Motion Ltd.'s Blackberry or Nokia Corp.'s Symbian operating systems, according to a recent survey conducted by San Francisco-based network security and compliance auditing firm nCircle Inc.

nCircle asked 257 IT professionals which smart phone platform carries the greatest security risk. The iPhone ranked first, with 57 per cent of respondents, followed by Android at 39 per cent, Blackberry at 28 per cent and Symbian at 13 per cent. The remaining nine per cent of respondents opted for the "other" category.

The findings are not surprising, said Andrew Storms, director of security operations for nCircle. "The iPhone continues to be a contentious topic for enterprises," he said. The problem is partly historic and partly due to Apple's "response mechanism," he said.

Apple did not start off with a solid enterprise package or supportability, and while they continued to add features and flavours to make the system more enterprise-savvy, the company is generally "not a vocal bunch" with security compared to other companies like Microsoft Corp., he said.

Microsoft is very good at "providing a much more feel-good mentality" to users by letting them know they are working on issues, said Storms. "Apple is very much quite the opposite. They are that silent figure in the background, where you are not quite sure what it is they are thinking or what they are going to do next," he said.

Storms didn't say whether the iPhone is less secure or not. "Every device has its problems," he said. "But as of yet, let's just say that no one publicly has determined a way to subvert so much encryption or security mechanisms of the Blackberry compared to the iPhone."

The annual Pwn2Own contest, which took place at the CanSecWest security conference in Vancouver last week, featured a similar mobile OS lineup. The mobile phone category targeted the Apple iPhone 3GS, RIM Blackberry Bold 9700, Nokia E72 device running Symbian and HTC's Nexus One running Android.

Vincenzo Iozzo and Ralf Weinmann ran a successful attack on the iPhone through the Safari mobile browser. No one attempted to hack into the Blackberry or Android devices. One contestant registered to hack the Nokia, but did not show up to run the attack.

The iPhone was likely targeted by contestants because of Safari, which uses the WebKit library, said Aaron Portnoy, security research team lead at TippingPoint, one of three brands owned by 3Com Corp. and sponsor of the Pwn2Own hacking contest.

"Safari on OS X also uses the WebKit library, so if you find a vulnerability on the desktop system, which generally is easier because you have more memory and more resources to actually research vulnerability, you can then port it to the iPhone and it is not as hard as, say, trying to approach the Blackberry or the Nokia, which are completely different operating systems with different browsers," he said.

Portnoy wouldn't generalize about smartphone security. "Each one is implemented entirely differently ... they all have different sandboxing techniques that both have their pros and cons, so it's definitely difficult to say one is more secure than another," he said.

Charlie Miller, principal security analyst for Baltimore, MD-based consulting firm Independent Security Evaluators and three-time winner of Pwn2Own, said he's written exploits for both the iPhone and Android and finds the two roughly the same in terms of security risks.

"They both have problems and people have broken into both of them ... you could argue which one is more secure or not, but I don't really think there is that big of a difference," he said.

There isn't a lot of malware out there for smart phones, said Miller. "If you start to see more malware on phones, I suspect you'll see it on the iPhone as much as anything else. But at this point, you don't see a lot to begin with," he said.

It is a little more difficult to write malware and exploits for phones and the "bad guys" don't have access to phones as easily as they do to computers, he said.

"Everyone has a computer and everyone has Windows on their computer ... but if I want to write a piece of malware for Android, that means I have to have an Android phone and that means maybe I have to have a year contract to buy this phone, and same with the iPhone," he said.

Encryption is a big concern, according to Miller. Because there isn't a lot of malware, the biggest risk is that you are going to lose your phone, and encryption is a way to stop that from being a problem, he said.

Miller won Pwn2Own in 2008, 2009 and 2010 for hacking into the Mac. This year, his attack directed a MacBook Pro running Safari 4 on Snow Leopard (Mac OS X 10.6) to an exploit on a Web site.

"I was able to run whatever commands I wanted on their computer, only they had no idea this was going on. Their browser was running perfectly fine," he said.

Miller provided information on the coding error to TippingPoint, which will turn it over to Apple so the company can fix the bug and supply a patch.

nCircle's survey also found that 58 per cent of respondents have smart phone security policies in their organizations. Of these respondents with smart phone security policies, 65 per cent said the policies were enforced by their organizations.

The upside is that enterprises do understand the risks and they are putting policies and procedures in place, said Storms. "Embracing it is probably the best and first route right now and part of embracing it is setting those policies and procedures and educating the public," he said.

A battle over whether or not to support the iPhone continues to take place between executive teams who like the iPhone's features and security teams who question how the iPhone fits into their compliance model, he said. "The topic is still very heated and it's still 50/50," he said.

Encryption is probably the biggest hurdle enterprises face with the iPhone, said Storms. Enterprise users have confidential information and intellectual property on their phones, he said. "We need to fully ensure that the data is fully encrypted and can't be easily subverted," he said.

Storms anticipates Apple will address the security issues this year. "Apple generally has two or three decent releases a year. We are hoping the next release will be this summer and we are all looking forward to seeing what will be in there," he said.

All this attention on iPhone security may turn to Apple's favour down the road, according to Storms. "If we have all these people trying to break into the iPhone, it may end up being Apple's golden hour. The iPhone may end up being the most secure device because so many people are trying to break into it," he said.


Jennifer Kavur

ComputerWorld Canada