New research into the security and manageability of mobile phone operating systems shows the two most popular - Android and iOS - both pose major risks to users and their employers.
Trend Micro, a global leader in cloud-based security software and services, today announced the release of new research comparing the ability of several different mobile platforms to meet the demands of use in the enterprise. Entitled Enterprise Readiness of Consumer Mobile Platforms, the independent study promises an "impartial and objective evaluation" of today's four leading mobile operating systems: BlackBerry OS, Apple iOS, Windows Phone, and Android.
The results show that BlackBerry 7.0 clearly scored the highest, with an average of 2.89 across the framework of analysis including 60 security and management criteria organised in 12 categories. The three other platforms were all some distance behind BlackBerry OS, scoring as follows: Apple iOS (1.7), Windows Phone (1.61) and Android (1.37).
This new research will make interesting reading for IT departments at enterprises around the globe at a time when the trend of consumerisation, or Bring-Your-Own-Device, is growing at a very fast rate - with up to 75 percent of US companies allowing their employees to use their own phones, tablets and laptops for work, and in most cases even supplementing the cost of these devices.
Nigel Stanley, Practice Leader (Security) at Bloor Research and one of the report's authors, said: "Security people I work with are scared witless by consumerisation and the rapid adoption of these devices. Aside from the technical challenges, organisations need to understand the importance of a decent mobile device security policy and supporting user education."
This research was delayed as a result of complaints which said that calling Android the most insecure was unfair, and that it would be better to say: "Android is the most exploited." The version of Android used in the survey was Android 2.3 (Gingerbread), even though version 4.x (Ice Cream Sandwich) is now available. This was done because 2.3 is still the most widely used version, and this in itself poses some problems.
"Although Android is now available in more recent versions (4.x), version 2.x is still the most widely deployed on existing and new handsets. This is a security risk in itself; there is no central means of providing Operating System updates, meaning that many users remain unprotected from critical vulnerabilities for a prolonged period," the report says.
On the plus side, Android is a privilege-separated operating system and applications can't access the network without prior consent. This means that apps run in their own individual sandboxed environments and permissions are granted by the user on a per-app basis.
Unfortunately, end users all too often don't even check what permissions they are giving particular apps when they download and install them. Cesare Garlati, Senior Director of Consumerisation at Trend Micro, believes people need to be educated regarding mobile security: "[There is a] total lack of education out there, especially in the consumer sector. The consumers need to be told that there is a real and serious threat in terms of security on your mobile phone and it's an economical threat."
Looking at iOS, the research found that security extends beyond the software to the physical devices such as the iPhones or iPads themselves. "There are no options for adding removable storage, which in effect provides another layer of protection for users. Apple also compares favourably to BlackBerry insofar as the BlackBerry IT administrator has complete control over the device, whereas in iOS, the IT department can only configure items once the user has supplied their permission."
Apple effectively has control over the entire ecosystem, which is something the research found to be a major plus for Apple. However, the system is far from perfect. Indeed, Garlati told IBTimes UK last month about an ex-NSA employee who released an app which stole all the data from your iPhone or iPad and managed to get it past the App Store gatekeepers.
Sitting in between iOS and Android is the newest mobile phone platform, Microsoft's Windows Phone. While the platform is only 18 months old, the research found it has made a good start in terms of security.
"Microsoft has learnt the lessons of the past and created a reasonably robust and secure smartphone operating system in Windows Phone. The OS uses privileges and isolation techniques to create sandbox processes. These 'chambers' are based on a policy system that, in turn, defines which system features the processes operating in a chamber can access," the report says.
While RIM may be posting huge losses and suffering negative press coverage, its OS remains the most enterprise friendly. The researchers found that BlackBerry OS's corporate-grade security and manageability make this platform the option of choice for the most stringent mobile roles.
However, it's not all good news for RIM, as the research also found that many features and protections that are commonly enabled or enforceable via the BlackBerry Enterprise Server (BES) are not present on devices that are user-provisioned via BlackBerry Internet Services (BIS).
"In fact, some of the strongest features restricting high-risk activities that users may undertake, such as removal of password protection for the device, may be rendered inactive if a user's device is not provisioned via the BES," the research found.
Raimund Genes, CTO at Trend Micro and one of the researchers who produced the report, points out that the smartphone sector still has a long way to go to become enterprise-ready.
"Against the growing, unstoppable backdrop of consumerisation and BYOD, every mobile device is a risk to business. What is interesting in these results is that, whilst some mobile platforms have evolved very noticeably along enterprise lines, there is still a strong 'consumer marketing' legacy in some quarters and this is negating some of the progress made on the enterprise front. Indeed, some of the attributes we have examined in the report are still firmly 'enterprise-unready.'"