There has been much security talk around the three main mobile players lately. iPhone, Blackberry and Android have all had their turn in the media limelight and have equally been scrutinized by security critics. The iPhone iOS 4 Jailbreakme
website that popped up last week offered users an easy way to jailbreak their phone by exploiting a vulnerability in Safari and the way it handles PDF files. Oddly enough, once the Cydia store was installed after jailbreaking, users could download the patch to fix the vulnerability.
RIM’s Blackberry has been under the microscope in the way that it encrypts and transmits BBMs (blackberry messages). All BBMs are routed through off shore servers using private key / public key encryption. Each device has its own unique key that is authenticated by RIMs servers. The UAE and Saudi Arabia came forward threatening to ban blackberry messages from their carrier networks unless RIM provided a way for them to monitor the transmitted text. The security threat here was the allegation that a terrorist bombing had been planned and executed over blackberry’s privately encrypted network and governments were not able to monitor the chatter for keywords. RIM has since agreed to installing a blackberry server in the UAE.
Android has had it’s fair share of scrutiny as well. Research Firm LookOut first mentioned findings at the blackhat security conference that a wallpaper app from Jackeey collected personal information and transmitted the data back to a website. The allegations have since been debunked and no such activity was in fact happening. The issue begged the question, how easy could this have been true?
If we compare the way Google and Apple approve or allow apps to their respective App Stores, we see two very different approaches. Apple boasts that their methodology of inspecting each and every app that developers submit is the most secure way to prevent malicious content. But really, unless they go through the source code one line at a time, there is no way that they can guarantee zero vulnerabilities. Android takes a more open approach by making it a requirement for the developer to list all of the service that the app will interact with to the user before he or she installs. The approval process then falls on the shoulders of the user. Rather, a worldwide community of users. It wouldn’t take long for Google to be notified of a malicious app and Google doesn’t fool around with this stuff, they are very quick to remove any questionable apps from the Market Place. An Android user must use some common sense as well. If they’re installing a Wallpaper app that requests access to your contact list or any other personal information, this should set off a red flag.
Regardless of how many people you have at Apple checking each app, there is no way that they can reach the same level of scrutiny as the worldwide user base Android has. And given that the responsibility of text message transparency falls in the hands of local carriers and not on the manufacturer, as in blackberry’s case, both Google and Android are safe from government intervention in that respect. When competing smartphones all offer similar features and functionality, users will inevitably gravitate toward a very important differentiating factor, security.