#1
13th April, 2012, 09:30 PM
danrok
AOA Staff
 
Join Date: March 2003
Location: Great Britain
Posts: 18,917

Blackberry 7 is the most secure Mobile OS

Trend Micro claims Blackberry 7 is the most secure mobile operating system. See front page:
http://www.aoaforums.com/frontpage/s...mobile-os.html

Comments?
__________________
Desktop PC: AMD FX-8370E / Asus M5A99X Evo R2.0 Motherboard / 16GB DDR3 RAM / GeForce GTX 970
AOA Team fah
#2
16th April, 2012, 11:04 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

It's a bit more than just BlackBerry 7 is the most secure mobile operating system for Enterprise use. It's more like BlackBerry 7 trounces the competition for Enterprise use! The review covered a wide range of factors including built-in security, application security, authentication, device wipe, device firewall, and virtualization. The final scores (out of 5) were:
  • 2.89 - BlackBerry 7
  • 1.70 - Apple iOS 5
  • 1.61 - Windows Phone 7.5
  • 1.37 - Android 2.3

The report can be found here, and was written by authors from Trend Micro, Altimeter Group and Bloor Research.

Last edited by Aedan; 16th April, 2012 at 11:07 AM.

#3
8th May, 2012, 06:45 PM
Kaitain
Member
Mars Rover Champion, Joust Champion
Join Date: September 2001
Location: MK10, UK.
Posts: 4,372

Just barely on-topic, but...

One inaccuracy: Android 2.2+ does support wiping the device after so many incorrect logins - not in the user settings, but if Exchange asks nicely it does so... as a colleague found to his embarrassment after a liquid lunch.

Also worth noting that third party email apps (K9 mail) happily ignore the ActiveSync security settings on Android.

I don't think it would be that hard to improve Android's security greatly. At the moment when creating an Android app, the developer adds permissions requirements to the manifest as required. When you get an app with a whole laundry list of requirements it's hard to tell whether it's because they're useful, abusive or just because the developer doesn't really understand the permissions idea (there are a few like that).

Given the will, it wouldn't be too hard to extend the permissions system to allow users to select which permissions they accept and which they don't, a la blackberry - the onus is on the developer to handle missing permissions gracefully. Ditto Google could include a basic firewall similar to that provided by Avast. In both cases, though, users could use that to turn off "features" like airpush adverts. Not really what an ad-supported app market wants...
__________________
It is by coffee alone I set my mind in motion...

Last edited by Kaitain; 8th May, 2012 at 06:46 PM.

#4
9th May, 2012, 12:29 AM
booman
AOA Staff
 
Join Date: December 2005
Location: Mesa AZ
Posts: 4,030

I hope it's a lot more secure than its previous releases. At my last job, we were running Blackberry Enterprise on one of the servers and Symantec Endpoint Protection found many infected files where the enterprise directories were. So employees were getting spam with infected attachments and those would be routed through the server to the Exchange. The server never got infected to my knowledge, but at least Symantec found them in the daily scans.
__________________
Booman
Mint 17.3 64-bit
Wine 2.0
PlayOnLinux 4.2.10
Linux Guides: PC Games Linux Beginners Tips Linux Games List
Mack Truck Dungeon Of Fire Spray Booth Tutorial
#5
9th May, 2012, 10:17 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

In a properly set up BES (BlackBerry Enterprise Server), that should never happen. If BlackBerry users were getting spam with infected attachments, how did they get through the email gateway to make it onto BES in the first place? BES is designed to integrate with existing Exchange or Notes servers, so they receive a feed of what's already on the server!
#6
9th May, 2012, 12:28 PM
Kaitain
Member
Mars Rover Champion, Joust Champion
Join Date: September 2001
Location: MK10, UK.
Posts: 4,372

BlackBerry OS != BlackBerry Enterprise Server

Just for amusement:

Quote:
Originally Posted by Aedan
  • 2.89 - BlackBerry 7
  • 1.70 - Apple iOS 5
  • 1.61 - Windows Phone 7.5
  • 1.37 - Android 2.3
Assuming that time in development before release to market is similar across devices and that changes made to each phone OS since then have been evolutionary rather than revolutionary (and ignoring WinPho for this reason), then:

Blackberry (phone, not PDA) first appeared in 2003, the iPhone in 2007, Android in 2008, so we get the following scores in Trend Micro points per year:
  • 0.321 - BlackBerryOS
  • 0.34 - iOS
  • 0.343 - Android

... so it could be argued that feature completeness for business (which is what this was really testing) is a simple function of time and that you'll get the best enterprise smartphone OS by going for the oldest one.
#7
9th May, 2012, 04:47 PM
booman
AOA Staff
 
Join Date: December 2005
Location: Mesa AZ
Posts: 4,030

Quote:
Originally Posted by Aedan
In a properly set up BES (BlackBerry Enterprise Server), that should never happen. If BlackBerry users were getting spam with infected attachments, how did they get through the email gateway to make it onto BES in the first place? BES is designed to integrate with existing Exchange or Notes servers, so they receive a feed of what's already on the server!
That is a great question because we had Symantec Endpoint Protection which also had a lot of Exchange functionality. So I bet something wasn't set up properly...
For some reason I assumed the emails would go through Blackberry Enterprise first, then routed to the Exchange.
#8
10th May, 2012, 11:59 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Quote:
Originally Posted by Kaitain
Blackberry (phone, not PDA) first appeared in 2003, the iPhone in 2007
That rather depends if you count development time or just release time, and how much has to change before it's a new OS! If you're looking at dev time, Android started in 2003. BlackBerry OS was prior to 1999. No idea for iOS. Mind you, by that basis, Windows 8 would be the best platform for business.
#9
10th May, 2012, 12:04 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Quote:
Originally Posted by booman
For some reason I assumed the emails would go through Blackberry Enterprise first, then routed to the Exchange.
There's a whole bunch of stuff that BES does - it is designed to integrate with existing email servers (Exchange or Notes), as well as provide data connectivity to the handheld. The MDS data connection that BES provides allows the enterprise to pull things like web browsing in house, so that the normal AV/appropriateness checks can be performed, as well as providing a method for providing access to internal web sites. All encrypted of course!
#10
10th May, 2012, 01:23 PM
Kaitain
Member
Mars Rover Champion, Joust Champion
Join Date: September 2001
Location: MK10, UK.
Posts: 4,372

Quote:
Originally Posted by Aedan
That rather depends if you count development time or just release time, and how much has to change before it's a new OS! If you're looking at dev time, Android started in 2003. BlackBerry OS was prior to 1999. No idea for iOS. Mind you, by that basis, Windows 8 would be the best platform for business.
Plus how much of the security model has been taken from any parent OS (Darwin, Linux or whatever).

Trend Points/year is a useless metric: the coincidence of numbers was amusing, however:

Nowhere in the report are testing methodology and scoring criteria defined. On what basis is a score awarded? How can these results be verified? Without that definition, the Trend scores are no more meaningful than Trend point/year on market!

Android v2.3 was used based on number of handsets in circulation. By that logic, BBOSv6 and WinMob 6.1 should've been tested.

Equal weighting was given to all tests, which made remote administration disproportionately important and allowed double-counting of scores for application security.

The thread title states that BBOS is the most secure, but both iOS and WinPho did better in those parts of the test. Of course, the report was actually looking at enterprise-readiness and I don't disagree with the conclusion despite my criticisms of the method and statistics.
#11
10th May, 2012, 03:48 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Well, the title of the report was "Enterprise Readiness of Consumer Mobile Platforms". I note they don't cover two-factor authentication for devices - I know that BlackBerry devices handle smartcard authentication, for example. I'm also not sure why BlackBerry scored "1.5" on jailbreaking/rooting protection - as far as I'm aware, no-one's "rooted" BlackBerry OS 7 (or 6). In the same vein as your complaint, is it fair to score BlackBerry badly because it doesn't support ActiveSync policies, but provides something better?

Perhaps a better report to read would be Context Information Security's Smartphone White Paper, although it's a bit out of date now.
#12
11th May, 2012, 07:02 AM
chrisbard
Benchmarker
Join Date: March 2003
Location: Earth
Posts: 8,252

Since this thread has a bit of security in it I thought it would be fun to see a bit of AliG and have a good laugh...or not!

ALI G "security" - YouTube
__________________
I've heard that the Linux community came up with better implemented security in its latest Linux Mint Gold version: it's actually preventing the user from logging in, thus posing 0 risk of contaminating the computer with malware! Well done to the open source community!

#13
11th May, 2012, 07:57 AM
Kaitain
Member
Mars Rover Champion, Joust Champion
Join Date: September 2001
Location: MK10, UK.
Posts: 4,372

Quote:
Originally Posted by Aedan
Perhaps a better report to read would be Context Information Security's Smartphone White Paper, although it's a bit out of date now.
It is a better report, which isn't too surprising given its pedigree.

So overall Trend reached the same conclusion, that a designed-for-business device is going to work better for companies than consumer devices with added enterprise features, just that the method and scoring they use is full of holes.

I'd be interested to know how many of the weaknesses in Android 2.0 are still present in v4.0...
#14
11th May, 2012, 09:55 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Thanks for the compliment!

As far as Android goes, I have no idea. I'm not too likely to have any time to dig into Android 4.0. Although, as always, any kernel exploit will break the entire security model of the device.

Android also supports the concept that a developer can grant their applications the same user ID at the file system level, so that the apps can gain access to each other's data. However, as the user ID also identifies the permissions, it means the effective permissions of an application can be more than you expected.

The upshot of this is that one manufacturer runs all their apps with the same user ID. One of the apps (the web browser) requires privileges to access the network. Another app requires privileges to install software. Ultimately, this means the effective permission set for the web browser includes permissions to install other applications, opening it up to drive-by malware!

So, whilst at one level, you'd hope that Android is secure, manufacturers can also put a serious dent in the security of the device without much effort.

Features like ASLR make breaking things more difficult, but return-orientated programming (ROP) makes it possible to effectively bypass ASLR by building a set of stack frames that knit together existing parts of code to do your bidding, rather than directly writing the code yourself. ASLR on Android 4 looks like it does randomise libc and other shared libraries, but not linker mappings, heap or executable code - making ROP style attacks much much easier. 4.0.3 is supposed to randomise the heap too, but the rest has to wait for a future release of Android. (See "A look at ASLR in Android Ice Cream Sandwich 4.0" on the Duo Security blog.)

Full device encryption is always an interesting one. If you fully encrypt a device, you can't start to boot it without entering the password/PIN. If the device can get itself up and running without the password/PIN, then either the password/PIN isn't required to decrypt (and hence an attacker can decrypt) or it's not fully encrypted. iOS did do full device encryption, but didn't require the password/PIN to decrypt, and hence was open to the uploading of a new kernel via DFU that would permit the device to be fully decrypted without needing any password. I hope that Apple have fixed this, but I haven't verified it.

Android 3 encrypted the /data filesystem (see here for details). However the filesystem is decrypted on the fly after the first entry of the password, so root access to the device equals game over for encryption.

Last edited by Aedan; 11th May, 2012 at 10:14 AM. Reason: crypto stuff & ASLR
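The point Aedan makes about full device encryption, that a device which can boot without the PIN either does not need the PIN to decrypt or is not fully encrypted, can be shown in code. The class below is an added example written for this thread, not code from iOS, Android or the Trend report: the data-encryption key (DEK) is persisted only wrapped under a key derived from the PIN, so the blob on flash yields nothing on its own. Class, method and parameter names, the iteration count and the demo PIN are this example's own.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not code from the thread or from any mobile platform):
 * a data-encryption key that is only ever stored wrapped under a key
 * derived from the user's PIN. Names and parameters are this example's own.
 */
public class PinBoundDeviceKey {
    private static final int PBKDF2_ITERATIONS = 200_000; // constructed value; tune to the device
    private static final int AES_KEY_BITS = 256;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** What lands on flash: salt, nonce and the wrapped DEK. None of it yields the DEK without the PIN. */
    public static final class StoredKeyBlob {
        public final byte[] salt;
        public final byte[] nonce;
        public final byte[] wrappedDek;

        StoredKeyBlob(byte[] salt, byte[] nonce, byte[] wrappedDek) {
            this.salt = salt;
            this.nonce = nonce;
            this.wrappedDek = wrappedDek;
        }
    }

    /** Derives the key-encryption key (KEK) from the PIN with PBKDF2-HMAC-SHA256. */
    static SecretKey kekFromPin(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, PBKDF2_ITERATIONS, AES_KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /** Runs once at provisioning: seal a freshly generated DEK under the PIN-derived KEK. */
    public static StoredKeyBlob wrapDek(byte[] dek, char[] pin) throws Exception {
        byte[] salt = new byte[16];
        byte[] nonce = new byte[12];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);
        Cipher aead = Cipher.getInstance("AES/GCM/NoPadding");
        aead.init(Cipher.ENCRYPT_MODE, kekFromPin(pin, salt),
                new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return new StoredKeyBlob(salt, nonce, aead.doFinal(dek));
    }

    /**
     * Runs at boot: the DEK is recoverable only with the right PIN. With a wrong
     * PIN the GCM tag check fails and nothing is returned, so /data cannot be
     * mounted until the user has authenticated.
     */
    public static byte[] unwrapDek(StoredKeyBlob blob, char[] pin) throws Exception {
        Cipher aead = Cipher.getInstance("AES/GCM/NoPadding");
        aead.init(Cipher.DECRYPT_MODE, kekFromPin(pin, blob.salt),
                new GCMParameterSpec(GCM_TAG_BITS, blob.nonce));
        return aead.doFinal(blob.wrappedDek);
    }

    public static void main(String[] args) throws Exception {
        byte[] dek = new byte[AES_KEY_BITS / 8];
        RNG.nextBytes(dek);
        StoredKeyBlob onFlash = wrapDek(dek, "2580".toCharArray()); // constructed demo PIN

        byte[] recovered = unwrapDek(onFlash, "2580".toCharArray());
        System.out.println("correct PIN recovers DEK: " + Arrays.equals(dek, recovered));

        try {
            unwrapDek(onFlash, "0000".toCharArray());
            System.out.println("unexpected: wrong PIN unsealed the DEK");
        } catch (AEADBadTagException e) {
            System.out.println("wrong PIN: DEK stays sealed");
        }
    }
}
```

Two caveats follow directly from the thread. Once unwrapDek has run, the DEK sits in memory for the rest of the session, which is the Android 3 situation Aedan describes: root after the first unlock equals game over for the encryption. And a short numeric PIN gives an attacker who has copied the blob off the flash only a few thousand candidates to try, which is why shipping designs additionally bind the derivation to a key that never leaves the device rather than relying on the PIN alone.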
#15
11th May, 2012, 12:26 PM
Kaitain
Member
Mars Rover Champion, Joust Champion
Join Date: September 2001
Location: MK10, UK.
Posts: 4,372

I'm still reading through the references and a few bits and pieces I don't fully understand, however:

Quote:
Originally Posted by Aedan
However, as the user ID also identifies the permissions, it means the effective permissions of an application can be more than you expected.

The upshot of this is that one manufacturer runs all their apps with the same user ID. One of the apps (the web browser) requires privileges to access the network. Another app requires privileges to install software. Ultimately, this means the effective permission set for the web browser includes permissions to install other applications, opening it up to drive-by malware!
Do you even need to have applications run with the same user ID? [edit: Never mind: yes to directly accessing app data, classes etc, no to exploiting apps with insecure intent filters]

An app I knocked together with no special permissions can nonetheless access the device name and state, take a picture and access the internet by simply starting the intents of applications that have those permissions and haven't imposed any per-activity restrictions.

Last edited by Kaitain; 11th May, 2012 at 04:07 PM. Reason: As marked

#16
11th May, 2012, 03:45 PM
robbie
AOA Staff
Join Date: November 2001
Location: Out in the desert of Ca.
Posts: 12,548

Quote:
Originally Posted by Aedan
Perhaps a better report to read would be Context Information Security's Smartphone White Paper, although it's a bit out of date now.
Nice bit of work there bud.
__________________
Taking each day as it comes
Grow, learn and OVERCLOCK. Need help?? Ask me.
Your Mommy!! (Aug/02) Welcome to the fold.
Buy it, Sell it, or Trade it in the AoA classifieds!!
AOA Team fah
#17
11th May, 2012, 04:23 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Quote:
Originally Posted by Kaitain
Do you even need to have applications run with the same user ID?

An app I knocked together with no special permissions can nonetheless access the device name and state, take a picture and access the internet by simply starting the intents of applications that have those permissions and haven't imposed any per-activity restrictions.
Indeed - that is an issue and will probably continue to be an issue for some time given that many developers fail to check who's invoked the activity.

However, one manufacturer (HTC) has already set up their devices with a number of the manufacturer's apps running as the same user ID, which of course means they inherit the superset of permissions. HTC had also set up the web browser so that it could install FlashLitePlayer. To do this required the browser to have the INSTALL_PACKAGES permission, which means it can install apps silently. This was Android 2.1, but I've no idea where they are now. The choices a manufacturer makes can significantly impact the security of the device far beyond what you might have expected.

Last edited by Aedan; 11th May, 2012 at 04:24 PM.
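Kaitain's permission-less app reaching the camera through another app's activity, and Aedan's remark that developers fail to check who invoked the activity, come down to the same missing check. The Activity below is an added example written for this thread, not code from Android, HTC or any app mentioned above: it performs its privileged action only when the system-reported calling package itself holds the permission in question. The package, class and method names are hypothetical; `getCallingPackage()`, `PackageManager.checkPermission()` and the manifest attributes named in the comment are real Android APIs.

```java
// Manifest side (hypothetical app): keep the activity non-exported unless other
// apps genuinely need it, and if it must be exported let the system gate it with
// android:permission, which is enforced before onCreate() ever runs:
//
//   <activity android:name=".CapturePhotoActivity"
//             android:exported="true"
//             android:permission="android.permission.CAMERA" />
//
// Sharing a UID between apps (android:sharedUserId) merges their granted
// permissions into one set, which is the HTC situation described above.
package example.hardened; // hypothetical package name

import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;

public class CapturePhotoActivity extends Activity {
    private static final String TAG = "CapturePhoto";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!callerMayUseCamera()) {
            Log.w(TAG, "refusing camera use: caller unknown or lacks CAMERA");
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        // Caller is identified and privileged: the normal capture flow follows
        // here and hands the image back with setResult(RESULT_OK, data).
    }

    /**
     * Defence in depth behind the manifest: true only when the launching app is
     * identified by the system and itself holds CAMERA. Without this check our
     * own CAMERA grant is usable by any app that can send us an Intent.
     */
    boolean callerMayUseCamera() {
        // The system fills in getCallingPackage() only for startActivityForResult();
        // a plain startActivity() leaves it null, and an anonymous caller is refused.
        String caller = getCallingPackage();
        if (caller == null) {
            return false;
        }
        return getPackageManager().checkPermission(Manifest.permission.CAMERA, caller)
                == PackageManager.PERMISSION_GRANTED;
    }
}
```

The manifest attribute is the primary control, since the system applies it before any of the activity's code runs; the in-code check covers the case where the activity has to stay exported without a permission (for instance when it serves callers that cannot hold one) and logs the refusal so that unexpected callers show up in the device log.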
#18
11th May, 2012, 07:02 PM
chrisbard
Benchmarker
Join Date: March 2003
Location: Earth
Posts: 8,252

I like my HTC
#19
11th May, 2012, 07:46 PM
Kaitain
Member
Mars Rover Champion, Joust Champion
Join Date: September 2001
Location: MK10, UK.
Posts: 4,372

Quote:
Originally Posted by chrisbard
I like my HTC
For that to be true, it'd have to be one of the WinMob handsets
#20
12th May, 2012, 07:11 AM
chrisbard
Benchmarker
Join Date: March 2003
Location: Earth
Posts: 8,252

Hehe you prolly mean the HTC HD2 but I only have the modest Desire. Me like the android devil.

Tags: blackberry, phone security, rim, trend micro