Mobile Security Smackdown: iOS vs. Android vs. BlackBerry vs. Windows Phone
Tom Spring and Ramin Edmond
What's the most secure smartphone? It's a simple question that gets more complicated the more you scratch at the surface.
In the BYOD era, where nearly half of companies have reported mobile-device-related data or security breaches and 64 percent of companies have no BYOD policies, according to security firm Veracode, mobile security is a growing imperative for solution providers looking to protect the networks they manage. That puts the BYOD burden on IT and solution provider partners to ensure mobile best practices over the ragtag assortment of devices employees drag into the office.
While there are dozens of handsets and tablets to consider, it boils down to four mobile OS platforms: Apple's iOS vs. Google's Android vs. BlackBerry vs. Microsoft's Windows Phone.
Apple's iPhone and iPad have the widest adoption in the enterprise, according to the mobile device management (MDM) companies CRN interviewed for this story. Theodora Titonis, vice president of mobile at Burlington, Mass.-based Veracode, credits Apple's success to its iron-fisted control over the device hardware, software and ecosystem of apps -- along with additions such as iOS 7's new content and application management APIs.
Android, the most popular mobile OS platform on the planet, has made huge gains in the enterprise despite antivirus vendors pointing out the litany of malware attacks on Android devices. Chief Android backer Samsung has championed the OS, heavily publicizing its SAFE (Samsung Approved For Enterprise) extensions and Knox security platform built into some of its Android devices to warm the OS' appeal to businesses.
Microsoft with its Windows Phone 8 smartphone OS offers unique capabilities such as integration with Active Directory, giving MDM companies the ability to better administer and assign policies to groups of users. There is, of course, native Active Sync support as well. And security experts say that Windows Phone 8 has made huge strides in offering much more robust application sandboxing.
Then there's BlackBerry, which still has enormous respect among solution providers for its myriad security capabilities, such as its BBM service and security features in its retooled BES 10 management server. There is Exchange Active Sync support now and additions such as Balance technology that lets companies create a partition on a BlackBerry 10 device to keep personal and work apps and data separate.
"Consumers have a tendency to gravitate toward what's bright and shiny in the mobile world," Veracode's Titonis said. But that doesn't always add up to safe. "The BYOD onus is on the end user to make the right decision for them on smartphones and tablets and using them safely."
She said the signal-to-noise ratio is pretty low when it comes to the hype surrounding mobile threats to security and privacy.
"It's time to take a deep breath when considering what the most secure mobile platform is," Titonis said. Even the most secure mobile OS can't prevent a security IT nightmare if a user doesn't use their device with common sense, she added.
That sentiment was shared by Jerry Zigmont, owner of MacWorks, an Apple partner based in Madison, Conn. "I don't think there is one phone that is any more secure than the other." Zigmont, however, said Apple and iOS 7 have a slight edge over Android, Windows Phone 8 and BlackBerry.
Apple Tops Security, Say Most Experts And VARs
Mobile security experts and solution providers agree. They say Cupertino, Calif.-based Apple has the edge because it owns so much of the mobile stack -- from the application layer (App Store) and operating system (iOS) to the hardware (iPhone/iPad), though not the infrastructure layer (wireless carriers).
"iOS is the most secure because attention to security is focused at the app level as much as it is at the operating system level," said Ira Grossman, CTO of end user and mobile computing at Cleveland-based MCPc, a national solution provider specializing in mobile solutions with its Anyplace Workspace.
"If you don't have a secure app, it doesn't matter how secure the operating system is," Grossman said. "So the fact that the Apple Store is curated, that provides a level of security that you don't get today with the standard Android app store."
But just because Apple enforces tight oversight on its App Store doesn't necessarily give it an advantage over its competitors when it comes to app security. According to Veracode, Apple mobile applications represent as many potential risks as its closest competitor Android when it comes to some of the largest threat vectors.
In an analysis of thousands of Apple and Android apps used by its clients, Veracode found a nearly equal number of insecure cryptographic storage issues, in which a hacker could steal financial or stored credentials from an app. Veracode also found an equal exposure to application error handling that could lead to cross-site scripting attacks, in which a script drawn from a website is allowed to run and can be used to steal information or potentially cause other malicious code to run on the handset.
"Apple has evolved furthest up the security stack. Every application is sandboxed, meaning storage and memory are isolated. It has the most control over patching," said one security expert at a large mobile device management firm who asked not to be identified.
Patch level management and control over update deployment is a crucial advantage Apple has over its Android rival, according to many MDM companies. When it comes to Apple, which pushes out its own patches directly to users, it can mean security vulnerabilities are patched in a matter of 24 hours.
That gives Apple the edge over Android, they say, as Android relies on wireless carriers to push out their patches and OS updates to fix security flaws in the Android OS. Making matters worse for Android users is the fragmentation of the Android OS where hardware and OS version numbers can sometimes require a unique patch for each flavor of Android OS.
Unlike with Apple, Android users run a hodgepodge of Android variant OSes. Exacerbating matters for Android users is that carriers have a track record of dragging their feet when it comes to rolling out patches to customers. Even MDM vendors say they have trouble managing them all.
Android: A Close Second In Security
But that's not to say Android isn't secure. Android has a host of built-in security features. Android hardware makers such as Samsung also have customized versions of Android running on their hardware with advanced security measures such as the Samsung Knox mobile security platform.
Knox is Samsung's big enterprise play, and it's recognized as the great Android hope when it comes to security in the enterprise. However, to take advantage of the platform a business must first have enterprise-level management of a Knox-enabled handset. The platform relies on virtualization that creates a full separation of work and personal data on mobile devices.
For these reasons, Ojas Rege, vice president of strategy at MDM vendor MobileIron, Mountain View, Calif., said Android security and manageability is nearing parity with Apple. "Android adoption is definitely increasing. The key to security is a sandboxed application architecture where the data in an enterprise app cannot be compromised by another app. iOS is the most tightly sandboxed. But more secure versions of Android, like Samsung Knox, are as well."
BlackBerry: Can It Turn Things Around?
Then there is BlackBerry. With its BlackBerry Enterprise Server it offers hundreds of security tools for the risk-conscious enterprise.
"BlackBerry is the most secure. That's the only reason why they are still alive," said Steven Kantorowitz, president of CelPro Associates, a BlackBerry partner based in New York. "That's why governments use them and even [President Obama]."
If nostalgia and respect could drive market share, Waterloo, Ontario-based BlackBerry would reign over Apple tomorrow, but many in the industry see the mobile OS as on its last legs. That has triggered a developer exodus and led mobile management companies to turn resources to other platforms.
"BlackBerry lost its innovative lead. The OS is no longer a consideration," Veracode's Titonis said.
By the numbers alone, BlackBerry's future looks bleak. MobileIron's Rege said BlackBerry share among the businesses it works with has been dropping rapidly.
According to a recent MobileIron survey, half of the companies that manage BlackBerry phones said they plan on dropping support in the next 12 months. In the financial services industry, 44 percent of the mobile devices are BlackBerry. According to MobileIron, that number is expected to decrease to 30 percent in the next 12 months.
"We put close to zero resources on BlackBerry," said Rege. It's the lack of consumer demand that is driving nails in BlackBerry's coffin, not its security, he said.
BlackBerry CEO John Chen, however, begs to differ with the naysayers. At Mobile World Congress in February, Chen told conference attendees that BlackBerry has a shot at clawing back to smartphone relevance with a new high-end QWERTY smartphone called BlackBerry Classic, slated to launch later this year.
In an interview with USA Today, Chen said of the BlackBerry Classic: "It's an updated and enhanced version of one of our most popular and successful products called the Bold. It will include a keyboard and a good touch screen, very fast Internet, Web-browsing capability and multimedia capability. But also it will be very productive and very secure."
Chen has long stated BlackBerry is the most secure platform when it comes to the handset and messaging (both email and BBM) with security central to the company's road map.
Windows Phone 8: A Force To Be Reckoned With
Research from ComScore shows that Android and Apple now hold more than 93 percent of market share (Android with 52 percent vs. Apple's 41 percent), with Windows Phone 8 (3.4 percent) and BlackBerry (2.9 percent) competing for the third spot.
While Microsoft, Redmond, Wash., battles for single-digit market share, its edge over BlackBerry is tight integration with the enterprise.
"Windows Phone is a core part of our offering because we think it has strong potential in the enterprise," said MobileIron's Rege.
Security experts say that Windows Phone 8 has significantly improved its application sandboxing. Rege said Windows Phone 8 supports fewer MDM policies compared with iOS and that means vendors such as MobileIron can't provide the same level of control over the OS.
"The Windows Phone 8 is fully capable of supporting information workers, just not those needing to meet high-level regulatory or security requirements," said Ryan Smith, lead threat engineer at mobile security startup Mojave Networks, San Mateo, Calif.
For those reasons, coupled with user demand, Windows Phone 8 lands at the end of most security experts' lists. That's not to say most MDM vendors don't support Windows Phone 8, because most do.
Where BlackBerry comes up short on potential, Microsoft's Windows Phone 8 oozes with possibilities. Mobile security is a moving target, Smith said. Through Microsoft's reach into the enterprise and its budding Nokia handset division, the security story could change by Microsoft's next mobile OS release, he said.
This article originally appeared as an exclusive on the CRN Tech News App for iOS and Windows 8.