When my cell phone started acting strange last week, I decided it was a good time to get a new one. I had several features in mind that I felt were essential, and the only phone I could find that had all of them was a Droid. Against my better judgment, I said I would take it.
As a security professional, it took a lot to ignore the voice in my head that was yelling, "No, don't do it!" Phones with the Android operating system don't thrill me. Besides the growing proliferation of malware for the operating system, Android phones are required to back up to a cloud-based service that we hear is regularly compromised. It's no stretch to say that Android is the most insecure operating system for phones right now.
When it comes to operating systems, I normally reject labels like "most secure" and "least secure". My view is that the most secure operating system is the one you know how to maintain best. But things are different in the mobile world. There is generally little you can do on your own to make a smartphone operating system more secure. So many apps - and so poorly vetted. It is becoming very easy, and much more common, for malware to creep on to a smartphone. Meanwhile, anti-malware software for mobile platforms barely exists and is woefully inadequate. Just about the only thing that the average user can do to avoid the bad stuff is to swear off downloading apps entirely. But in the real world, who wants a smartphone with no apps on it?
So, what can you do? With any operating system, security is a continuing process. The problem with Android is that security is more continual than for most. You need to constantly stay aware of the latest attacks and vulnerabilities and implement the patches as quickly as possible. That of course assumes that there are patches available. I don't know about you, but I don't have time to constantly stay on top of these issues - nor the patience to worry about zero day vulnerabilities.
These are issues with every mobile platform out there. But, having attended several presentations at Black Hat, and after talking to security colleagues who track this issue, I have concluded that Apple's iOS and the BlackBerry are better choices from a security perspective. That hasn't stopped the Android from becoming the most popular mobile operating system in the world, with projections for continued dominance . And guess what - with popularity comes more attacks tailored specifically for No 1.
Of course, the mobile world is very dynamic, and therefore in a constant state of change. Not long ago, the iPhone was thought to be laughably insecure. Now, as I noted above, the best minds in security are hailing it as having one of the most secure mobile operating systems. A lot of the credit for this has to go to Window Snyder, the former head of security at Mozilla who has been overseeing the security of all Apple products for over a year now. Apple's security posture is not perfect, but it's moving up. Google could easily make changes that help Android security as well.
But right now, could I really let myself be blinded to Android's very real security issues by my desire to have certain features? I'm a security professional. I live and breathe risk management.
Well, we all make bad decisions from time to time. In casual conversations with security colleagues, I have asked them why they chose their phones. In their answers, they mentioned various features and apps, but rarely a word about security. No one who used a BlackBerry said it was because they were impressed by the fact that RIM had to strike deals with different countries because the BlackBerry infrastructure does not allow for monitoring. And in doing security assessments, I have seen what I would consider highly secure enterprises that require data encryption, anti-malware software, patch management, etc. on all corporate computers, then throw all of that out the window by handing out iPads and smartphones to staff members that provide none of the required protections. (And make no mistake: While iOS might be one of the most secure mobile operating systems, "secure" is a relative term. All of the previously mentioned countermeasures are not even available for the platform.) Now, if otherwise secure organisations and security professionals don't consider security when they purchase a device that will potentially have access to some of their most sensitive data, how can we expect the average home user to do so?
In the end, I couldn't ignore that voice in my head. I stopped my purchase of the Droid. For now, I have bought a new battery, which seems to have extended the life of my current smartphone. This gives me more time to study my options. Maybe the iPhone 5, which is supposed to be coming out next month, will give me all the features I'm looking for as well as better security. Not perfect, but much better.
The question that bothers me, though, is whether the makers of smartphones are going to give security the attention it deserves? I suspect that as long as so many people, including security practitioners, don't consider security when choosing a smartphone, it isn't going to happen anytime soon.