Blackberry 7 is the most secure Mobile OS

[danrok]

Trend Micro claims Blackberry 7 is the most secure mobile operating system. See front page:
http://www.aoaforums.com/frontpage/s...mobile-os.html

Comments?

[Aedan]

It's a bit more than just BlackBerry 7 is the most secure mobile operating system for Enterprise use. It's more like BlackBerry 7 trounces the competition for Enterprise use! The review covered a wide range of factors including built-in security, application security, authentication, device wipe, device firewall, and virtualization. The final scores (out of 5) were:

• 2.89 - BlackBerry 7
• 1.70 - Apple iOS 5
• 1.61 - Windows Phone 7.5
• 1.37 - Android 2.3

The report can be found here: HERE, and was written by authors from Trend Micro, Altimeter Group and Bloor Research.

[Kaitain]

Just barely on-topic, but...

One inaccuracy: Android 2.2+ does support wiping the device after so many incorrect logins - not in the user settings, but if Exchange asks nicely it does so... as a colleague found to his embarrassment after a liquid lunch.

Also with noting that third party email apps (K9 mail) happily ignore the ActiveSync security settings on Android.

I don't think it would be that hard to improve Android's security greatly. At the moment when creating an Android app, the developer adds permissions requirements to the manifest as required. When you get an app with a whole laundry list of requirements it's hard to whether it's because they're useful, abusive our just because the developer doesn't really understand the permissions idea (there are a few like that).

Given the will, it wouldn't be too hard to extend the permissions system to allow users to select which permissions they accept and which they don't, a la blackberry - the onus is on the developer to handle missing permissions gracefully. Ditto Google could include a basic firewall similar to that provided by Avast. In both cases, though, users could use that to turn off "features" like airpush adverts. Not really what an ad-supported app market wants...

[booman]

I hope its a lot more secure than its previous releases. At my last job, we were running Blackberry Enterprise on one of the servers and the Symantec Endpoint Protection found many infected files where the enterprise directories were. So employees were getting spam with infected attachments and those would be routed through the server to the Exchange. The server never got infected to my knowledge, but at least Symantec found them in the daily scans.

[Aedan]

In a properly set up BES (BlackBerry Enterprise Server), that should never happen. If BlackBerry users were getting spam with infected attachments, how did they get through the email gateway to make it onto BES in the first place? BES is designed to integrate with existing Exchange or Notes servers, so they receive a feed of what's already on the server!

[Kaitain]

BlackBerry OS != BlackBerry Enterprise Server

Just for amusement:

Quote:

Originally Posted by Aedan

• 2.89 - BlackBerry 7
• 1.70 - Apple iOS 5
• 1.61 - Windows Phone 7.5
• 1.37 - Android 2.3

Assuming that time in development before release to market is similar across devices and that changes made to each phone OS since then have been evolutionary rather than revolutionary (and ignoring WinPho for this reason), then:

Blackberry (phone, not PDA) first appeared in 2003, the iPhone in 2007, Android in 2008, so we get the following scores in Trend Micro points per year:

• 0.321 - BlackBerryOS
• 0.34 - iOS
• 0.343 - Android

... so it could be argued that feature completeness for business (which is what this was really testing) is a simple function of time and that you'll get the best enterprise smartphone OS by going for the oldest one.

[booman]

Quote:

Originally Posted by Aedan

In a properly set up BES (BlackBerry Enterprise Server), that should never happen. If BlackBerry users were getting spam with infected attachments, how did they get through the email gateway to make it onto BES in the first place? BES is designed to integrate with existing Exchange or Notes servers, so they receive a feed of what's already on the server!

That is a great question because we had Symantec Endpoint Protection which also had a lot of Exchange functionality. So I be something wasn't setup properly....
For some reason I assumed the emails would go through Blackberry Enterprise first, then routed to the Exchange.

[Aedan]

Quote:

Originally Posted by Kaitain

Blackberry (phone, not PDA) first appeared in 2003, the iPhone in 2007

That rather depends if you count development time or just release time, and how much has to change before it's a new OS! If you're looking at dev time, Android started in 2003. BlackBerry OS was prior to 1999. No idea for iOS. Mind you, by that basis, Windows 8 would be the best platform for business.

[Aedan]

Quote:

Originally Posted by booman

For some reason I assumed the emails would go through Blackberry Enterprise first, then routed to the Exchange.

There's a whole bunch of stuff that BES does - it is designed to integrate with existing email servers (Exchange or Notes), as well as provide data connectivity to the handheld. The MDS data connection that BES provides allows the enterprise to pull things like web browsing in house, so that the normal AV/appropriateness checks can be performed, as well as providing a method for providing access to internal web sites. All encrypted of course!

[Kaitain]

Quote:

Originally Posted by Aedan

That rather depends if you count development time or just release time, and how much has to change before it's a new OS! If you're looking at dev time, Android started in 2003. BlackBerry OS was prior to 1999. No idea for iOS. Mind you, by that basis, Windows 8 would be the best platform for business.

Plus how much of the security model has been taken from any parent OS (Darwin, Linux or whatever).

Trend Points/year is a useless metric: the coincidence of numbers was amusing, however:

Nowhere in the report are testing methodology and scoring criteria defined. On what basis is a score awarded? How can these results be verified? Without that definition, the Trend scores are no more meaningful than Trend point/year on market!

Android v2.3 was used based on number of handsets in circulation. By that logic, BBOSv6 and WinMob 6.1 should've been tested.

Equal weighting was given to all tests, which made remote administration disproportionately important and allowed double-counting of scores for application security.

The thread title states that BBOS is the most secure, but both iOS and WinPho did better in those parts of the test. Of course, the report was actually looking at enterprise-readiness and I don't disagree with the conclusion despite my criticisms of the method and statistics.

[Aedan]

Well, the title of the report was "Enterprise Readiness of Consumer Mobile Platforms". I note they don't cover two factor authentication for devices - I know that BlackBerry devices handle smartcard authentication for example. I'm also not sure why BlackBerry scored "1.5" on jailbreaking/rooting protection - as far as I'm aware, no-one's "rooted" BlackBerry OS 7 (or 6). In the same vein to your complaint, is it fair to score BlackBerry badly because it doesn't support ActiveSync policies, but provides something better.

Perhaps a better report to read would be
Context Information Security's Smartphone White Paper, although it's a bit out of date now.

[chrisbard]

Since this thread has a bit of security in it I thought it would be fun to see a bit of AliG and have a good laugh...or not!

ALI G "security" - YouTube

[Kaitain]

Quote:

Originally Posted by Aedan

Perhaps a better report to read would be
Context Information Security's Smartphone White Paper, although it's a bit out of date now.

It is a better report, which isn't too surprising given its pedigree.

So overall Trend reached the same conclusion, that a designed-for-business device is going to work better for companies than consumer devices with added enterprise features, just that the method and scoring they use is full of holes.

I'd be interested to know how many of the weaknesses in Android 2.0 are still present in v4.0...

[Aedan]

Thanks for the compliment!

As far as Android goes, I have no idea. I'm not too likely to have any time to dig into Android 4.0. Although, as always, any kernel exploit will break the entire security model of the device.

Android also supports the concept that a developer can grant their applications the same user ID at the file system level, so that the apps can gain access to each other's data. However, as the user ID also identifies the permissions, it means the effective permissions of an application can be more than you expected.

The upshot of this is that one manufacturer runs all their apps with the same user ID. One of the apps (the web browser) requires privileges to access the network. Another app requires privileges to install software. Ultimately, this means the effective permission set for the web browser includes permissions to install other applications, opening it up to drive-by malware!

So, whilst at one level, you'd hope that Android is secure, manufacturers can also put a serious dent in the security of the device without much effort.

Features like ALSR make breaking things more difficult, but return-orientated programming (ROP) make it possible to effectively bypass ALSR by building a set of stack frames that knit together existing parts of code to do your bidding, rather than directly writing the code yourself. ALSR on Android 4 looks like it does randomise libc and other shared libraries, but not linker mappings, heap or executable code - making ROP style attacks much much easier. 4.0.3 is supposed to randomise the heap too, but the rest has to wait for a future release of Android. (See A look at ASLR in Android Ice Cream Sandwich 4.0 - Blog Duo Security - Two-Factor Authentication Done Right )

Full device encryption is always an interesting one. If you fully encrypt a device, you can't start to boot it without entering the password/PIN. If the device can get itself up and running without the password/PIN, then either the password/PIN isn't required to decrypt (and hence an attacker can decrypt) or it's not fully encrypted. iOS did do full device encryption, but didn't require the password/PIN to decrypt, and hence was open to the uploading of a new kernel via DFU that would permit the device to be fully decrypted without needing any password. I hope that Apple have fixed this, but I haven't verified it.

Android 3 encrypted the /data filesystem (see here for details). However the filesystem is decrypted on the fly after the first entry of the password, so root access to the device equals game over for encryption.

[Kaitain]

I'm still reading through the references and a few bits and pieces I don't fully understand, however:

Quote:

Originally Posted by Aedan

However, as the user ID also identifies the permissions, it means the effective permissions of an application can be more than you expected.

The upshot of this is that one manufacturer runs all their apps with the same user ID. One of the apps (the web browser) requires privileges to access the network. Another app requires privileges to install software. Ultimately, this means the effective permission set for the web browser includes permissions to install other applications, opening it up to drive-by malware!

Do you even need to have applications run with the same user ID? [edit]Never mind: yes to directly accessing app data, classes etc, no to exploiting apps with insecure intent filters[/edit]

An app I knocked together with no special permissions can nonetheless access the device name and state, take a picture and access the internet by simply starting the intents of applications that have those permissions and haven't imposed any per-activity restrictions.

[robbie]

Quote:

Originally Posted by Aedan

Perhaps a better report to read would be
Context Information Security's Smartphone White Paper, although it's a bit out of date now.

Nice bit of work there bud.

[Aedan]

Quote:

Originally Posted by Kaitain

Do you even need to have applications run with the same user ID?

An app I knocked together with no special permissions can nonetheless access the device name and state, take a picture and access the internet by simply starting the intents of applications that have those permissions and haven't imposed any per-activity restrictions.

Indeed - that is an issue and will probably continue to be an issue for some time given that many developers fail to check who's invoked the activity.

However, one manufacturer (HTC) has already set up their devices with a number of the manufacturer's apps running as the same user ID, which of course, mean they inherit the superset of permissions. HTC had also set up the web browser so that it could install FlashLitePlayer. To do this required the browser to have the INSTALL_PACKAGES permission, which means it can install apps silently. This was Android 2.1, but I've no idea where they are now. The choices a manufacturer makes can significantly impact the security of the device far beyond what you might have expected.

[chrisbard]

I like my HTC

[Kaitain]

Quote:

Originally Posted by chrisbard

I like my HTC

For that to be true, it'd have to be one of the WinMob handsets

[chrisbard]

Hehe you prolly mean the HTC HD2 but I only have the modest Desire. Me like the android devil.