I recently completed an MSc at Royal Holloway, University of London. My dissertation undertook a comparative analysis of Google Android and Windows Phone 7.0 security using a range of practical tests and experiments.
Why Study Smartphone Security?
Smartphones are one of the most exciting computing developments in recent years. They capture people's desire to remain connected and at the same time offer far more functionality than ever believed possible on a humble mobile phone. Couple this with an upsurge of interest in social networking, new device releases weekly and executives demanding access to corporate data from their smartphones we have a perfect storm of activity that will challenge security professionals for a long time to come.
This inspired the study of this subject in more depth.
There are a number of smartphone operating systems that can be studied; Apple iPhone, Google Android, Symbian, Blackberry and Windows Phone. Although it would have been interesting to study each one in detail time and resource limitations prevented this and so it was decided to focus on Google Android and Windows Phone 7.0. These were chosen as they both offer different security challenges and the contrast between them can be quite stark.
Google Android is an open source platform, meaning that the operating system software is available for review and redevelopment by anyone with the time and inclination. This appeals to hobbyist and professional developers alike as they are easily able to get to the heart of the device. Google Android has also been available for a reasonable length of time and has a significant and growing market share, supported by many applications from third parties that can be downloaded to a user's device. Google Android has also attracted the attention of malware authors and hackers due to the relatively open nature of the Android application market place.
In contrast Microsoft Windows Phone 7.0 is a relatively new operating system released in the autumn of 2010. The operating system is proprietary, meaning that it is owned and managed by Microsoft and developers do not have direct access to the operating system programming code, rather they are restricted to using the application programming interfaces alone. The application market is less vibrant for Windows Phone 7.0, as developers will choose to write for a platform that provides best return for their time and effort, and that will inevitably be the market leader first and foremost. The upside of this lack of interest is that malware targeting Windows Phone 7.0 is currently minimal, as like application developers hackers want to get the best return on their 'hacking investment'.
Smartphone Security Threats
As well as operating system and device based vulnerabilities there are a set of security threats that can present a problem for any smartphone. These include the use of rogue network connections as well as phishing based emails designed to lure a user into responding to an offer they can't refuse. The small form factor of the smartphone, coupled with the 'always on' nature of many users prompts them to respond quickly to incoming messages, and therefore miss the visual clues that normally indicate a phishing email.
Not only are users worried about their data being compromised, both personal and commercial, network operators are concerned about reputational risk if one of their customers has a 'bad experience'. Often the network provider will be the first port of call, for want of anyone else to address the issue to, which of course has a cost impact on the network provider. This may also lead to 'churn', the process of customers moving to another network operator, with a damaging impact on operator revenues. Operating system development companies are also concerned about reputational risk and the impact of being associated with an insecure platform, leading to reduced platform adoption impacting market share objectives.
This acadmic study provides a security comparison of the chosen platforms in the context of generic threats that face any smartphone device. Some of these threats are then evaluated in a set of practical experiments followed with some specific advice and recommendations for users and network operators to secure their devices and networks.
It is hoped that any reader of this dissertation will leave better informed and better equipped to secure their own and their user's smartphone devices.
The full project dissertation is available here