Security practitioners like me shy away from absolutes. That being said, I do not have a problem drawing some comparisons across the leading mobile device platforms, specifically Symbian, BlackBerry, iOS, Windows Mobile 7 and Android.
I am not a smart device programmer, although I understand the architecture principles. I have quite a bit of experience securing mobile devices using Mobile Device Management solutions and I am a key contributor to Fiberlink’s MaaS360 MDM solution strategy and architecture.
I have blogged a few times about mobile device security; in particular, my blog “Passcode, Wipe and Device Encryption – The Holy Trinity of Mobile Device Management” calls out what I feel is required to be responsible when it comes to securing devices.
Here are some links to the blogs I have written.
- The security architecture of the platform
- The ability of the device to be secured, controlled and managed
- The vulnerability profile and threat landscape
Number One - BlackBerry – There is no question that the RIM/BlackBerry solution is the gold standard, and far and away the most secure mobile device platform. It has an architecture built from the ground up for security, includes military-grade encryption and has the most robust security and management platform available. While I would characterize the threat landscape as moderate (in that there are ways to get malware onto a BlackBerry and the BlackBerry App Store is still maturing), there have been few real vulnerabilities, and the tools to secure the devices can easily address most of the real threats should an enterprise choose to use them.
Number Two - Symbian – It might be on the way out, but like the BlackBerry, it has a strong enterprise and carrier heritage, and a strong OS architecture, and there are a myriad of quality tools that do a great job of securing and managing Symbian-based devices. There have been a few vulnerabilities over the years, but the threat landscape is low and getting lower as the popularity of the platform wanes. The device also offers robust Exchange/ActiveSync integration and policy support, which helps secure the device for its most common use case, messaging.
Number Three - Apple iOS 4 – Apple devices represent the breakpoint between the consumer device and the enterprise device. While the BlackBerry- and Symbian-based devices are clearly enterprise, Apple, Android, Windows Phone and others are clearly consumer. This provides additional management challenges, but the security posture of the device can still be measured in the same manner.
To summarize, the iOS platform is pretty good and getting better. While the OS is not built for security, recent additions like full block, file-level encryption with an imminent FIPS 140-2 certification and the new Mobile Device Management API have helped. Mobile Device Management solutions, such as MaaS360, are now providing a good set of capabilities to secure and manage iOS devices. There have been a few vulnerabilities, but Apple’s ability to close them quickly helps. Obviously, the popularity of the platform provides a significant threat landscape, but the Apple Application Certification process helps greatly in mitigating malware threats. However, the ability to easily jailbreak a device is an issue.
Number Four - Windows Mobile 7 – The new OS from Microsoft does not appear to be architected with security in mind, but is still largely an unknown. We do know that the device does not yet support full device encryption which, in many circles, would disqualify it for enterprise adoption. As well, the ability to secure and control the device is limited to a very small set of ActiveSync policies. Given Microsoft’s track record, we can expect a plethora of vulnerabilities and it will also be a huge malware target as adoption increases. Microsoft will have to structure application qualification and storefront functionality to mitigate these threats as well as to provide enterprise-class tools and APIs. Basically, I have it in the number four spot because the attention factor is so low at the moment.
Number Five - Android – A complete mess. The Android operating system is not built with security in mind and is adding security capabilities at a snail’s pace. Device encryption is still not embedded. The OS is heavily influenced by carriers who are interested in making money in the consumer market and are not focused on enhancing the device enterprise posture. Device manufacturers now see the need to add in security and management capabilities outside the community, further adding to the confusion and fragmentation. Solutions for managing, securing and controlling Android devices are limited by what the Android platform can support and allows. In addition, the vulnerability and threat landscape is growing each day. While Google has been aggressive about removing malware from the app store and some carriers are limiting where a user can download an application, malware is and will continue to be a real concern on the Android.
Based on the above, what can be done to secure these devices and what is important to concentrate on first?
I think my blogs speak pretty well on that. Basically, it is really a question of being responsible and applying best practice principles. Enforce a passcode policy, ensure the device supports full encryption and be sure to have the ability to wipe the device if it is lost or stolen. Other than that, stay current on Smart Device security and malware issues, and have a comprehensive written policy about the use of personal and consumer devices in the enterprise.