With enterprises becoming increasingly mobile, administrators have to balance their users’ desire to stay connected with maintaining mobile device security and safeguarding corporate data. In years past, ensuring security for enterprise mobility was simple: Deploy enterprise-grade mobile devices and management platforms to the specific users who require them. However, Bring Your Own Device (BYOD) policies have opened a floodgate of consumer devices into the enterprise. Before allowing these new devices to access enterprise systems, mobility managers need to understand both the capabilities and risks associated with each of the popular operating systems and devices on the market today. Here, we review how the leading smartphone platforms rank in terms of mobile device security.
Holy trinity of mobile device security
There are three core components to mobile device security, or the “holy trinity of mobile device management,” according to Clint Adams, director of technology and product engineering for mobile device management vendor Fiberlink. These three components are hardware encryption, remote wiping and the ability to set a passcode policy. Mobility managers should demand that all three of these requirements are met before allowing a particular mobile device to access corporate data and applications. Mobile device manufacturers and operating system developers vary in their support for these three tenets of mobile device security. Mobile device management (MDM) platforms, available from third-party developers and some device manufacturers, can fill the gaps of individual device platforms to ensure these minimum security requirements are met and also help enterprises set and enforce policy centrally.
Top mobile operating systems ranked by mobile device security
BlackBerry manufacturer Research in Motion (RIM) takes the top spot in terms of mobile device security. RIM combines strong Advanced Encryption Standard (AES) and Triple Data Encryption Standard (Triple DES) encryption with a capable mobile device management platform to give enterprise BlackBerrys a solid security stance. The BlackBerry Enterprise Server (BES) and BlackBerry devices comprise the only single-vendor solution that can deliver encryption, remote wipe and passcode policy enforcement. This combination presents a significant challenge for hackers and keeps the BlackBerry's threat profile very low among mobile devices. Always a staple within enterprises, the venerable BlackBerry is seeing its popularity wane in the era of BYOD policies, losing market share to more consumer-friendly devices.
Nokia’s Symbian operating system comes in second in terms of security, according to Fiberlink's Adams. The beleaguered operating system, which lacks a strong market presence in the U.S., still has a commanding enterprise market share abroad. As a platform purpose-built for the enterprise, Nokia designed Symbian with security in mind and has developed an ecosystem of management tools around it. Although researchers discovered a couple of vulnerabilities in the operating system, overall security concerns are low with Symbian. In fact, Nokia’s partnership with Microsoft and its imminent transition to Windows Phone 7 as the primary OS for its mobile devices has led to lower interest among hackers in exploiting Symbian vulnerabilities.
Apple's iPhone—with its iOS 4 operating system—earns good reviews for mobile device security despite its heritage as primarily a consumer device. After several iterations of both the iPhone and iOS, Apple now includes full-block, file-level hardware encryption and a set of mobile device management APIs. With these management hooks now available, third-party mobile device management tools can make the iPhone and iPad much more enterprise friendly. Upcoming FIPS 140-2 certification will also help Apple’s devices gain acceptance into government and other security-conscious enterprises. Apple’s App Store draws criticism from advocates of open platforms for being a closed system. But the closed nature of the App Store actually minimizes the security threat landscape because Apple screens applications before making them available to the public. If a malicious application does slip through the cracks, Apple can quickly remove it from the App Store. In a worst-case scenario, enterprises can use a "kill switch" to remove such malware from end-user devices. However, the popularity of the iPhone does make it a juicy target for hackers and raises its threat profile. Hackers are frequently successful at “jailbreaking” or unlocking iOS devices to third-party applications, which is a mobile device security threat vector that mobility managers must plan against.
Microsoft’s Windows Phone 7 is a nearly complete rewrite of its enterprise-focused predecessor, Windows Mobile 6, with a decidedly consumer focus. Unfortunately, the MDM features available in previous versions of Microsoft’s platform have not yet appeared on Windows Phone 7. The operating system only features limited device management capabilities built into Microsoft Exchange. Still, Windows Phone 7's threat landscape is low, given its limited market share and relatively recent entry into the mobile device space. “Not much is known yet about the platform, affording it some security through obscurity,” said Adams.
HP’s WebOS, which HP acquired with Palm in August 2010, replaced the venerable PalmOS with a fresh user interface and native synchronization capabilities. Like Windows Phone 7, WebOS lacks both management tools and market share, which has kept many enterprise mobility managers from supporting it. However, the low market share keeps the hackers away, too, Adams said.
Google’s Android platform earns low grades for mobile device security. Like iOS, Android's heritage is in consumer devices, yet it is creeping its way onto the enterprise network. Unfortunately, enterprise-grade security features are slow in coming, Adams said. For example, device encryption, now a standard feature for both BlackBerry and Apple, was not available until version 3.1 of Android. This latest version of the operating system is available for Motorola’s Xoom tablet, with an unclear timeline of when other Android devices might see this upgrade. The openness of Android gives users a choice of not only multiple application store options, including from Google and Amazon, but also the option to sideload third-party applications directly to their devices via a USB connection. This openness gives consumers lots of options, but it also increases the risk of malware infection and significantly raises the threat landscape for Android devices. In fact, Google has had to remove multiple suspicious applications from its Android Market app store.
Finally, each mobile device manufacturer has control over when it updates or upgrades the version of Android used by its devices. Combined with the certification testing that the wireless carriers demand before a manufacturer can push an update out, a significant amount of fragmentation can occur in the market. Enterprise mobility managers could find themselves managing a half dozen different versions of Android, each with its own set of enterprise management capabilities and functionality.
This was first published in June 2011