Ask Slashdot: Most Secure Mobile OS?
Lexta writes "So I'm contemplating my next smartphone purchase, and I've been a little put off by all of the security exploits posted on Slashdot over the last few months, particularly for Android. So, what's the most secure stock standard (not jailbroken) mobile OS?"
Both Android and iOS have been plagued with exploits. Android has tons of trojans, while iOS has remote exploits (most of those iPhone jail breaking methods are based on remote root exploits). The only current smartphone OS that is safe against exploits and vulnerabilities is Windows Phone 7. Microsoft has really improved their security within the last 5 years - even on the desktop Windows most exploits are against third party apps like Flash or Java, not Windows itself.
So, if you want to get a smartphone that is safe against exploits and malware, Windows Phone 7 is your only answer. I would suggest some of the Nokia phones - people have been really happy with them.
We need a way to moderate articles.
Thousands of years and it's never been broken.
RIM's OS, especially due to the way they handle communications, is by far (as far as I know) the most secure OS. And neither iOS nor Android look particularly secure to me, since every other week you see some news of them getting exploited.
iOS has yet to have a breach in the wild. There is the PDF exploit in the past, but that has yet to be used for anything other than a jailbreak, and that is long since fixed.
There has yet to be a single compromise of an iPhone in the wild. Labs, yes. However, Joe Schmo with his 4S has nothing to worry about whatsoever.
Contrast that to Android where two taps can turn one's phone into a spam machine, not to mention slurp up every single byte and hand it to an overseas organization.
Give it a try. Developer friendly, fast, the UI experience is really nice and, most important, not made by the Google creeps!
--
mchurch
You only have two choices if you want a decent software selection for your smartphone (which is crucial, I'd say): iOS and Android. Of these two, iOS has to be named the more secure one by just looking at the amount of malware buzzing around Android.
http://www.schneier.com/blog/archives/2012/03/nsas_secure_and.html
Security is something that people who need or want it, will have to pay for.
Most people do not care.
I understand if that's not really on the table for you, but it is the most secure.
RIM has concentrated on security for quite a while. Their tablet OS and next generation Blackberry will use QNX, which is a long running embedded OS.
Too bad their security doesn't have as popular an app store...
Normally I'd otherwise shit all over symbian, but, why not Symbian? Years on the market, it should've been proven one way or the other by now.
Also, what level of paranoia are we talking? State or industry secrets? Personal paranoia?
Non impediti ratione cogitationus.
The BlackBerry J2ME OS is by far the most secure OS out right now in terms of e-mail, for the simple fact that it tunnels corporate e-mail through its NOC and that is encrypted with triple DES the entire way. As far as handhelds go, I see about 1000 BlackBerrys a week in the course of work, and I've never seen a BlackBerry virus. Although doing some hardening testing with Windows Phone 7, I can say I am generally very impressed with it as well as the active-sync client.
If it is not jailbroken it is DEFINITELY not secure. With carrier spyware and apps that are not under your control, the first step to security is making it YOURS and yours alone.
Once you are to that point, then you can BEGIN evaluating the core OS for security.
Digital is, by definition, imperfect. Analog is the way to go.
What is your threat model? Do you use it for websurfing? Download lots of kewl apps? For the latter, from which app store?
I suspect that iOS is a bit more vulnerable on the web browser side, as android has a fair bit better sandboxing which means an exploit of the browser takes more work to fully p0wn the phone, while in iOS-land, 'p0wn the browser == p0wn the phone'
But OTOH, Apple is a much better curator: with only the official App store, and with bad-actor app-developers and apps a rarity, the Apple App Store is very safe.
Android? Not so much. Even the official Google store seems to rely too much on the Android sandboxing to keep users safe (when users just say 'ok' to anything needing scary permissions), and other App Stores are a vile abomination.
Finally, anything that doesn't say "Nexus" on it should be considered end-of-lifed before you buy it. Apple patches things for a long time, so old vulnerabilities shouldn't worry their user base. But Android phones, since they are pretty much EOL'ed right from the start, often never receive critical browser and related security patches, security patches which, due to the open nature, can pretty much be reverse engineered by a competent exploit developer.
So, my ranking: Nexus Phone > (slightly) iPhone >>> generic "Android" phone
Test your net with Netalyzr
Since they're true GNU/Linux platform...
There is no such thing as a secure mobile OS. They are all broken six ways from Sunday.
Security is a pattern of behavior as much as anything else. If you're serious about security and you need to use your phone for work, you need to use your phone only for work - never connect it to anything else, download any applications, visit any websites, etc.
If all you want is the ability to visit random websites and download random apps or games, do those things and don't use your phone to store or input sensitive information (e.g. logging into an online banking website or the email account you use for banking, storing passwords, etc.)
I mean, nobody here believes in security-through-obscurity any more, do we? Windows phone and Blackberry are perceived as secure, and are certainly security audited by their vendors. However, WebOS could actually be a lot less code to go through, and thus easier to audit than Android. Android has the disadvantage of being a target of opportunity, due to its commercial success. WebOS is basically dead, and there is no currently shipping hardware that is likely to keep shipping much longer, and no new devices planned. It's... a security-lover's dream platform. (Sarcasm only slightly intentional here.) Warren
I could not possibly agree with you more.
If you're really that bothered, maybe go for a phone that does phone calls, texting and some light web browsing with very little scope for crapware to get on board?
"I bless every day that I continue to live, for every day is pure profit."
When it comes to OS, least used is always most secure
This is a loaded question. The "least" secure OS is the one that everyone has because it's the best target. Not because of shoddy code, but because it's got the juiciest payoff for hackers. The most secure phone is, don't own a phone. If you insist on owning a phone, get one based on whether it meets your usage needs, and then deal with the security as it comes. A corporate-based phone (Blackberry) is going to make corporate security more of a priority than usability. A user-based phone (iPhone, Android) is going to make ease of use a higher priority than iron-grip security.
Also remember you usually only hear about exploits *after they have been patched*. So if you're hearing more patches about Android, then that means only that - that it's getting patched more, not that it's less or more secure. Don't base how secure you think something is upon how often it's patched. That's a logical fallacy.
There was a time when the most secure (consumer) desktop OS was the Mac -- because there were so few in service that the bad guys spent all their time and effort on Windows. By that measure, the most secure mobile environment is Windows Phone 7.
The sentiment "all of the security exploits posted on Slashdot over the last few months" is moot. The fact of the matter is that no matter what device you use, you will be vulnerable to exploits. Ultimately, it boils down to how vigilant you are about updating, how often your phone's vendor provides updates, and how little or how much common sense you apply when using your phone.
Most android phones get one or two updates over the life of their phone. iPhones get updates as well, but I'm not certain of the frequency. Microsoft is probably the most vigilant about updating, just as they are about Windows on the PC, but again I don't have specific numbers, having been an Android user since my first smartphone.
That being said, applying a little common sense will go a long way, just as with your PC. Firstly, set up a screen lock password. Don't use a pin, don't use a pattern, use an actual password, and use one with numbers, symbols, and both upper and lower case letters. Secondly, only download from the authorized app store for whatever phone you get. Don't root/jailbreak/modify your phone to get access you don't need. Before downloading an app, wait a couple of days, or a week, if it's a brand new app, to see if some news comes out about it being malicious. Do your homework on the app before downloading, check the permissions the app is requesting before downloading, and learn what the permissions it is asking for actually do when you grant that.
Lastly, if you're worried about security, it goes without saying to only browse sites that you know to be safe (slashdot, cnn, etc), don't use a search engine, and don't click links in emails, even from friends.
Arm yourself with knowledge, and you will be fine regardless of what platform you choose.
Side note: a lot of the exploits you read about here are exploits for users that want to root/jailbreak/modify their phone. This isn't malicious, it is the phone user applying an exploit to their own phone to get access to things the manufacturer locked them out of. I personally do this so that I can have more frequent updates of my Android phone. Since phone vendors don't seem to be concerned with providing updates, users take it upon themselves to turn the patches google provides into usable/flashable form, which in my opinion, makes your phone more secure.
People throw around the term 'secure' all the time ... what does that mean in this instance?
Does the OS keep apps away from data they shouldn't have access to? Does its browser have the best track-record on drive-by's etc.? Does it mean it has/hasn't been exploited in the wild or not (e.g. Safari is riddled with security problems, but how often is it pwned in the wild?)? Do you want to be able to click links wildly and not get infected (and unicorns and rainbows)? Good security policies and enforcement of them? Criteria for/review of apps in the mobile stores/markets?
So ... what does secure mean for you? Define that and then try ask slashdot again later.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
They're all pretty close in terms of security features so it comes down to the one that's updated the quickest.
ayottesoftware.com
SYMBIAN
The old Blackberry OS (up to the latest, 7.1 coming out soon) has yet to be rooted or exploited. And the PlayBook qnx OS (completely different from the BBOS) had that dingleberry exploit a few months ago, but it too has since been plugged.
The number of exploits found in each mobile OS seems to be proportionate to that OS's market share. Note that found is the key word here. For the same reason that hackers prefer to find exploits for Windows instead of Mac, more holes are found and exploited in Android and iOS than in WP7 and Bada. It doesn't necessarily mean that WP7 and Bada have fewer holes, it's just that it's not (yet) worth anybody's effort to find them.
But if security really is the submitter's #1 factor for picking a smartphone (which seems a little far fetched), then I guess I'd recommend Bada. Good luck with that.
But TBH, I think the best way to stay safe regardless of which phone you own is to avoid dodgy apps and dodgy websites. Use common sense and you'll be fine with whatever phone you choose.
Slashdot: come for the pedantry, stay for the condescension.
I'm not sure if this is available in the States, but Samsung's Bada would probably be one of the most secure mobile OS at the moment. There are no exploits out in the wild and no way to root it unless you actually flash the firmware.
More information on security is available via this developer link.
Since TFS was probably submitted by someone in the US, we can only reluctantly recommend the phone he is not allowed to have. Nokia decided not to embarrass their Lumia models in the USA, UK, Japan, Germany by releasing the N9 in competition.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Wait until the end of this year, early next year. Windows 8 phones will be out, RIM is promising a new blackberry OS, ICS will be STANDARD on all new phones, and have security patches/updates, and Open webOS 1.0 will be out in the wild. Avoid Apple - just saying.
Sprint is planning on removing the iDEN towers from their network and older CDMA (RUMOR - CDMA2000 EV-DO revision 0 and above will be the lowest they will support soon), LTE will have a lower power consuming chipset (If the rumors are true), and Sprint will also have dual LTE/WIMAX phones coming to market. It is not in most people's interest to get locked into a new contract for a new phone at this moment. If you have to, meaning you don't own a smart phone, get an older smart phone from eBay for $50 or so, and wait. If you wait 6 months your cost average would be about $10 a month to figure out which path for the future you're going to stick with. Once a person picks an OS, it's hard for most of them to convert. Just ask webOS and Blackberry users.
Microsoft may have gotten it right this time with windows 8, but real world use will make or break those claims. HP will push for open webOS to be freely distributed on phones, trying to regain on their investment through the APP store. RIM is all but dead now that the iPhone is corporate compatible, and Microsoft servers can do what blackberry servers charge too much for. The gold standard at the moment is Android, but they are fractured between too many different OS versions and updates. Once all the new products are to market it will be a lot easier to compare and decide. As long as you leave Bluetooth off except for when you use it, and are careful on what you download, you will be fine. On top of that, mobile virus scanners will be coming out. Avast is already considering making a free version and run it like they do their desktop software.
If you're paying more for AT&T or Verizon... Why?
Yeah, like you're going to get an objective answer here. Slashdot doesn't have experts. It has OS bigots.
That being said, the most secure mobile OS is the one on the phone operated by someone who doesn't install ad-supported "free" apps, who password-protects the phone, doesn't load pirated software, and who enables remote wipe/locate-my-phone functionality.
Everybody gets what the majority deserves.
http://www.engadget.com/2012/03/01/nsa-builds-own-model-of-android-phone-wants-you-to-do-the-same/
Okay, so it's only off-the-shelf parts, but if you really want a mobile device that can earn the label "secure," (software ain't a thing w/o hardware) you're probably going to want something vetted by a security organization/company like....well...the NSA.
coding is life
Maemo / Meego Harmattan. Period. Full Stop.
* Carthago Delenda Est *
WebOS is ok. The only exploit I recall is the SMS exploit that hit everyone else too. They were quick to fix it. It's linux, so you can easily write your own iptables rules, disable services, etc. No jailbreak required for this. It's an open platform by design, and HP/Palm supported its community rather than try to lock them out.
At some level, any code can be exploited, there is only managing risk, and some code is worse than others.
I don't think Android is necessarily the most secure piece of code ever written... but it is based upon a solid foundation, and if you are careful about what you do with it, there's no reason to assume it's going to get rooted like it's an unpatched win98 box on the inter-tube? Is there? For a lot of reasons, I made my choice Android, but I'm not under any illusions that it is un-hackable. I know that it's more complicated maybe than just "hackable" or not.. Location-awareness and privacy concerns being among the items that come to mind here..
I would like to see more data on how to secure your Android or iOS, personally, how to protect oneself from hackers is always good information to gather. Unfortunately phones are everywhere, and always connected. I think Google would need to be one of the major players here obviously, starting with the scanning of their app store, which they have already started doing I think. But more awareness, user training, and such would improve matters naturally.
I just gotta throw this in there: whoever said above that the iOS is unhackable remotely is obviously dangerously ill informed to be even visiting Slashdot, much less posting..
The more complex the OS, the more chance for exploits. The simpler the OS, the less chance for things to go wrong, and if they do, the less chance for whatever is doing it to get anything useful. Granted there are some really awful 'simple' phones out there, but in terms of running trojans you're not going to get much going on your very basic cheap and nasty non-smart phone in the way of malware if all it does is make phone calls and send text messages (and doesn't have MIDP).
... because no one uses it.
*bah*dump*dum*.. clash.
Almost all security comes down to social engineering. Any smart phone is open to attacks, and the primary attack path will generally be through the user. Don't install questionable apps. Don't visit unsafe websites; AFAIK, no mobile OSes are currently open to driveby attacks, but they have been in the past. (iOS in particular used to be; that was the basis of a way to jailbreak the iPhone.) Be alert to phishing and other types of trickery. Apply all relevant updates. Odds are, if you ever do get compromised, it will be because of something you did, not something inherent in the security - or lack thereof - of your device.
Was in James Cameron's pocket when he was 7 miles under the ocean.
"If any question why we died, Tell them because our fathers lied."
"put off by all of the security exploits posted on Slashdot over the last few months, particularly for Android" Funny you should single out Android because iOS has also had plenty of exploits and security holes despite (or maybe because of) Apple's walled-garden approach to software development, vetting, etc. I know this for a fact... I wrote a research paper on it.
I use it to SSH to my systems and I browse the web using Lynx. Bandwidth efficient and secure. Even the default Maemo from Nokia is more secure than most of the Android derivatives. I am not going to use an Android phone if I SSH to my servers anytime. Never failed me security-wise and I think it never will.
GM
The N900 and N9 are full blown Unix/Linux machines with all the bells and whistles that come with a non-neutered version of the GNU/Linux environment.
That being said, they support many Unix/Linux security mechanisms, but if you want proof, how about full disk encryption for starters?
jdb2
If you are going to make a decision based on the number of public exploits, then you probably should choose the most proprietary system you can find, where the bug report database is hidden from view.
Good luck with your security through obscurity, you'll need it.
Mod this up, not down.
The most secure OS for a mobile device is clearly the Campbell's Soup OS.
Get 2 empty soup cans, and tie a string between them.
Look, it can even run "multithreaded" apps!
--Joe
And just to show once again that there's no reason to single out Android among the other mobile platforms for security vulnerabilities, this Slashdot article about an iPhone crack was released just one day later. http://apple.slashdot.org/story/12/03/27/212254/cops-can-crack-an-iphone-in-under-two-minutes
I hear this custom Android build is pretty secure, if you can get your hands on it of course.
Caveat Emptor is not a business model.
SymbianS60/SymbianQT TPM system from ground up, buffer overflow is eliminated by design. Capability based security, critical capabilities can not be granted by end user, just OEM, and platform.