Blinded by the smartphone glitz: Is security on your must-have features list?

When my cell phone started acting strange last week, I decided it was a good time to get a new one. I had several features in mind that I felt were essential, and the only phone I could find that had all of them was a Droid. Against my better judgment, I said I would take it.

As a security professional, it took a lot to ignore the voice in my head that was yelling, "No, don't do it!" Phones with the Android operating system don't thrill me. Besides the growing proliferation of malware for the operating system, Android phones are required to back up to a cloud-based service that we hear is regularly compromised. It's no stretch to say that Android is the most insecure operating system for phones right now.

When it comes to operating systems, I normally reject labels like "most secure" and "least secure." My view is that the most secure operating system is the one you know how to maintain best. But things are different in the mobile world. There is generally little you can do on your own to make a smartphone operating system more secure. So many apps -- and so poorly vetted. It is becoming very easy, and much more common, for malware to creep onto a smartphone. Meanwhile, anti-malware software for mobile platforms barely exists and is woefully inadequate. Just about the only thing that the average user can do to avoid the bad stuff is to swear off downloading apps entirely. But in the real world, who wants a smartphone with no apps on it?

So, what can you do? With any operating system, security is a continuing process. The problem with Android is that security is more continual than for most. You need to constantly stay aware of the latest attacks and vulnerabilities and implement the patches as quickly as possible. That of course assumes that there are patches available. I don't know about you, but I don't have time to constantly stay on top of these issues -- nor the patience to worry about zero-day vulnerabilities.

These are issues with every mobile platform out there. But, having attended several presentations at Black Hat, and after talking to security colleagues who track this issue, I have concluded that Apple's iOS and the BlackBerry are better choices from a security perspective. That hasn't stopped the Android from becoming the most popular mobile operating system in the world, with projections for continued dominance. And guess what -- with popularity comes more attacks tailored specifically for No. 1.

Of course, the mobile world is very dynamic, and therefore in a constant state of change. Not long ago, the iPhone was thought to be laughably insecure. Now, as I noted above, the best minds in security are hailing it as having one of the most secure mobile operating systems. A lot of the credit for this has to go to Window Snyder, the former head of security at Mozilla who has been overseeing the security of all Apple products for over a year now. Apple's security posture is not perfect, but it's moving up. Google could easily make changes that help Android security as well.

But right now, could I really let myself be blinded to Android's very real security issues by my desire to have certain features? I'm a security professional. I live and breathe risk management.

Well, we all make bad decisions from time to time. In casual conversations with security colleagues, I have asked them why they chose their phones. In their answers, they mentioned various features and apps, but rarely a word about security. No one who used a BlackBerry said it was because they were impressed by the fact that RIM had to strike deals with different countries because the BlackBerry infrastructure does not allow for monitoring. And in doing security assessments, I have seen what I would consider highly secure enterprises that require data encryption, anti-malware software, patch management, etc. on all corporate computers, then throw all of that out the window by handing out iPads and smartphones to staff members that provide none of the required protections. (And make no mistake: While iOS might be one of the most secure mobile operating systems, "secure" is a relative term. All of the previously mentioned countermeasures are not even available for the platform.) Now, if otherwise secure organizations and security professionals don't consider security when they purchase a device that will potentially have access to some of their most sensitive data, how can we expect the average home user to do so?

In the end, I couldn't ignore that voice in my head. I stopped my purchase of the Droid. For now, I have bought a new battery, which seems to have extended the life of my current smartphone. This gives me more time to study my options. Maybe the iPhone 5, which is supposed to be coming out next month, will give me all the features I'm looking for as well as better security. Not perfect, but much better.

The question that bothers me, though, is whether the makers of smartphones are going to give security the attention it deserves. I suspect that as long as so many people, including security practitioners, don't consider security when choosing a smartphone, it isn't going to happen anytime soon.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, .

Read more about security in Computerworld's Security Topic Center.
