Smartphone Security Shootout

Published: 22/11/2024   Category: security




Researcher compared Apple iOS, Android, and Windows smartphones on privacy and security for business use.



RSA CONFERENCE -- San Francisco -- Conventional wisdom would say Apple iPhone would be hands down more safe for business users than Android, but a security researcher found Android a close second to iPhone if it's a Google Nexus or Samsung Knox version phone.
Chet Wisniewski, senior security advisor at Sophos, here today released findings of his hands-on research on privacy and security implications of iOS, Android, and Windows smartphones for business users in his session "Mobile Security Shootout -- Which Smartphones Are Up to the Task?" "I would have no reservation using Apple iOS [for business] as long as you're going to use something to manage them and make a conscious decision on what goes on the phone," he said in an interview with Dark Reading last week prior to RSA.
"Android is mostly a thumbs up with a slight reservation: do you bring your own or choose it for the users? If you're going with Samsung Knox or Nexus, I have no reservations. They are on equal footing with iPhone," he says.
It's the BYOD Androids that are problematic. "If you have old Androids, or ones with seven layers of gunk on top, it becomes hard to know your risk profile," he says. "If I were an organization, I wouldn't look at BYO. You should choose your own [for users] then you can manage and restrict apps."
Wisniewski found the Windows phone a bit riskier for enterprises. Until Windows 10 phone comes out, he says, "I'd probably hold off on Windows myself."
That's because Windows 10 promises more control and improved API support, he says.
Wisniewski's smartphone experiment included three phones--all with their default settings: the Google Nexus 6 version 5.0.1; Apple iPhone 6+ iOS version 8.2; and Nokia Lumia 635 Windows 8.1.
"What surprised me was the increasing adoption of Windows Mobile among IT people. We're not seeing it deployed among thousands of employees, but seeing IT guys giving it to the IT staff," he says. "It's pretty darn good: it has an intuitive interface, the battery life is good, it's good quality, and more affordable than an iPhone. IT people like to try everything … I've enjoyed playing with it."
But he also found the Windows phone gathers the most user and phone information. "That's more sensitive for a business environment," he says.
He says he found it sends the phone user's keystrokes back to Microsoft for purposes of improving the keyboard software, or layout. But Wisniewski says while Microsoft isn't trying to grab passwords or anything nefarious, that information could accidentally get swept up in the reporting. "That was really disconcerting," he says. "I wouldn't want my potentially sensitive data sent off to a server and hoping Microsoft wouldn't lose it or whatever."
Another red flag was that the Windows phone encourages the use of the WiFi Sense feature, which collects logins from WiFi hotspots the user logs into and then automatically shares that information with friends, and logs onto open hotspots. "It sees a Starbucks connection on its own, accepts its licensing agreement, and connects you to it," he says. "If a friend of yours has a Windows phone, it will send your username and password and send them to your Comcast WiFi with their credentials."
The Android phone he tested leaks location information quite a bit, he says. Apple doesn't without explicit permission, he says.
Wisniewski loaded apps on the phones that typical users might have for business as well as personal use: Facebook, Facebook Messenger, Pinterest, SnapChat, Twitter, a password manager, and even Candy Crush Saga and a flashlight app.
Interestingly, the Flashlight app for iOS connected to 18 different networks within a minute after he fired up the app, and 14 ad networks. "It leaked my public and private IP addresses even though it wasn't given location permission. It grabbed my battery status, memory utilization … whether I was on WiFi or cellular, and the carrier that issued me my phone and sent that to the ad networks."
Battery status may not be sensitive information for a business user to have leaked, he says, but all of this data adds up. "All of this ad tracking does add up over time. It's a big data puzzle they put together. One app contacting 14 networks starts to build a profile I'm not comfortable with," he says.
The Android smartphone flashlight app, meanwhile, connected to 8 different ad networks. It transmitted 7 megabytes of data in over one minute, he says.
The real difference among the security of smartphone platforms, he says, is the level of control the business has over them. "Separation [of business and personal data] is important … what processes do you allow on that device?"
