1. MC_A_DOT's Avatar
    Just seen this.

    iPhone more vulnerable than Android, BB, and WP combined


    Pretty shocked to be honest lol. Thoughts?

    P.S ...please don't start bashing the company, let's be civil.
    03-27-13 04:36 AM
  2. MC_A_DOT's Avatar
    Just in case you don't wanna click the link.

    Security is always a hot topic with mobile platforms, but most of the time the focus is on Android and the malware issues that exist for the platform if you don't use the Google Play Store. But, a new study shows that maybe we should pay more attention to the iPhone's security issues, because the study claims that the iPhone has more security vulnerabilities than Android, BlackBerry, and Windows Phone combined.


    The study was conducted by SourceFire, which analyzed vulnerabilities from the Common Vulnerabilities and Exposures (CVE) data and National Vulnerability Database (NVD) over the past 25 years. Yves Younan, senior research engineer at SourceFire's Vulnerabilities Research Team and author of the report, said that the results were "surprising", especially since despite Apple constantly releasing security fixes with each update, CVE continue to grow year over year.


    According to the study, the iPhone has 210 vulnerabilities, which adds up to 81% of mobile phone platform vulnerabilities in the four platforms studied. Android has just 24 known vulnerabilities, Windows has 14, and BlackBerry has 11, which combined rounds out the remaining 19%. The study didn't extend to fringe systems like Symbian, bada, and the rest. To be fair, these numbers are a cumulative total since 2007, but even removing 2007 from the mix, iPhone still has 205 vulnerabilities to Android's 24.

    Younan's theory to explain the results is that cybercriminals can't get at users through the iTunes App Store, and have to work harder to find iPhone vulnerabilities, so more are found. Whereas, because Android is an open platform, that makes it easier for criminals to attack the platform.

    Of course, he doesn't mention that only 0.5% of malware comes through the Google Play Store, so criminals still have to find ways to get Android users to sideload infected apps. It is still very possible that Android simply has fewer vulnerabilities because it is open-source (which tends to be more secure), and the only real serious vulnerability with Android is that users are allowed to screw things up if they aren't careful.

    source: SourceFire via ZDNet and BGR
    Last edited by MC_A_DOT; 03-27-13 at 04:56 AM.
    03-27-13 04:38 AM
  3. howarmat's Avatar
    Not sure if I really put much faith into what they are saying. It looks like a funny way to spin numbers is all really
    03-27-13 04:41 AM
  4. MC_A_DOT's Avatar
    Not sure if I really put much faith into what they are saying. It looks like a funny way to spin numbers is all really
    True. It is all numbers really but, if this 'news' got out would companies have second thoughts about using iPhones in an enterprise environment?

    Obviously BB is number one choice for security, I just wonder how do they make their decisions on what devices they choose to hand out to their employees.
    03-27-13 04:51 AM
  5. qbnkelt's Avatar
    True. It is all numbers really but, if this 'news' got out would companies have second thoughts about using iPhones in an enterprise environment?

    Obviously BB is number one choice for security, I just wonder how do they make their decisions on what devices they choose to hand out to their employees.
    Actually, technically speaking, BB is number two for security, when you think of the Sectera Edge. But now I'm nitpicking to get a rise out of ya!!!!

    All kidding aside....agencies like at ICE and DoD would undoubtedly use these devices in sandboxed instances where they cannot access sensitive data or they would block their ability to change the phones' configurations, to include apps.

    There's an app for that....
    03-27-13 05:26 AM
  6. MC_A_DOT's Avatar
    Actually, technically speaking, BB is number two for security, when you think of the Sectera Edge. But now I'm nitpicking to get a rise out of ya!!!!

    All kidding aside....agencies like at ICE and DoD would undoubtedly use these devices in sandboxed instances where they cannot access sensitive data or they would block their ability to change the phones' configurations, to include apps.

    There's an app for that....
    LOL ok Q you win...obviously you know a bit more about this than I do. What's Sectera Edge?

    If this study is true...do you think people will continue to bash Android? I doubt the BlackBerry prophets' opinions will change though....




    oh...good morning too
    03-27-13 05:45 AM
  7. qbnkelt's Avatar
    LOL ok Q you win...obviously you know a bit more about this than I do. What's Sectera Edge?

    If this study is true...do you think people will continue to bash Android? I doubt the BlackBerry prophets' opinions will change though....




    oh...good morning too
    Good morning love....

    BB people will always bash Android. iPhone people will always bash Android. Android people will always bash BlackBerry. iPhone people will always bash BlackBerry. Android will always bash iPhone. Android people will always bash BlackBerry. It's a thing.

    Android does have a lot of malware. I am familiar with that site (it's a National Institute of Science and Technology site, nist.gov) and visit it regularly, both for work and for personal reasons.

    The Sectera Edge is put out by General Dynamics and it's hideously ugly, but secure to Top Secret.

    http://www.gdc4s.com/sectera-edge-%2...roddetail.html


    Interestingly, General Dynamics has recently partnered with Samsung to work together on an Android variant to their OS, called Knox. Not sure if Knox is a full fledged OS or a version of Android on certain Samsung devices. Haven't kept up on it.

    http://defensesystems.com/articles/2...e-devices.aspx
    03-27-13 05:56 AM
  8. RECOOL's Avatar
    Is this even considered news?? We don't need to gloat or anything, it's up to people who rely on security and the rest of the world to see the truths. There's a whole bunch of hack vids on Apple and Samsung devices. This thread might mean something in Apple forums or Droid forums but this ain't surprising here, we'll just keep it moving. I just now got a red light unlocked and peeked **** is great.
    03-27-13 06:20 AM
  9. Sith_Apprentice's Avatar
    Good morning love....

    BB people will always bash Android. iPhone people will always bash Android. Android people will always bash BlackBerry. iPhone people will always bash BlackBerry. Android will always bash iPhone. Android people will always bash BlackBerry. It's a thing.

    Android does have a lot of malware. I am familiar with that site (it's a National Institute of Science and Technology site, nist.gov) and visit it regularly, both for work and for personal reasons.

    The Sectera Edge is put out by General Dynamics and it's hideously ugly, but secure to Top Secret.

    Sectéra® Edge™ (SME PED)


    Interestingly, General Dynamics has recently partnered with Samsung to work together on an Android variant to their OS, called Knox. Not sure if Knox is a full fledged OS or a version of Android on certain Samsung devices. Haven't kept up on it.

    General Dynamics develops security platform for Samsung mobile device -- Defense Systems


    Very nice Q, and good to see you in this topic. One thing to add about KNOX, is that it is a different version of Android from others (Security Enhanced - SE Android). They basically worked on securing the OS itself, and layering a secure container on top of it. While it has greatly enhanced the stock security, it is still trying to secure an inherently insecure OS. That being said, this is, as I have said, a huge step in the right direction for anyone wanting to run relatively secure Android devices in their environment, and BB MUST be worried about this.

    The secure container is an AES-256 bit encrypted application, that is separately encrypted from the rest of the device. This is very similar to how Balance works (separate work and personal encrypted space). This container uses a FIPS validated VPN client to connect back to the back end infrastructure. Here is where BB and BB10 sit above. BlackBerry devices, for all intents and purposes, sit WITHIN your enterprise. They are not outside devices connecting back in through a VPN (though they can VPN in). Each application within the KNOX container can use this VPN, if it is granted rights to do so.

    Samsung is a bit hazy on which MDM vendor they are working with, but my guess is they are using Fixmo Sentinel servers for the MDM piece. Fixmo put together a pretty good MDM package. More information can be found here: Fixmo Sentinel MDM | Fixmo Inc.
    While the entire end to end MDM is much better than GOOD Mobile, it still is behind the BES environment (though UDS does falter in some areas).

    KNOX is a threat to BB, and specifically BB10. While the extent of that threat remains to be seen, BB MUST counter this. Balance is a far superior user experience, but it only works on BlackBerry devices. The Secure Work Space on Android and iOS devices will be virtually identical to KNOX in how it works right now. It is an encrypted container, attempting to secure an inherently insecure OS. BB has plans to change how this works on those devices, but time will tell if they can pull it off. For now, it appears, ALL iOS and Android devices that want some sort of secure back end (more than ActiveSync), use the encrypted container method, and this gives an inferior user experience. BB needs to tout Balance and show how much MORE effective it can be than going in and out of an 'app'.


    A good site for information on KNOX is Samsung KNOX-Solutions-Security | SAMSUNG
    03-27-13 06:36 AM
  10. MC_A_DOT's Avatar

    The Sectera Edge is put out by General Dynamics and it's hideously ugly, but secure to Top Secret.

    Sectéra® Edge™ (SME PED)
    [Image: brick.jpg]

    LOL WOW...that phone is beautiful.

    I wonder if the Samsung Knox thing will be up to standard....cheers for the read
    03-27-13 06:39 AM
  11. MC_A_DOT's Avatar
    Is this even considered news?? We don't need to gloat or anything, it's up to people who rely on security and the rest of the world to see the truths. There's a whole bunch of hack vids on Apple and Samsung devices. This thread might mean something in Apple forums or Droid forums but this ain't surprising here, we'll just keep it moving. I just now got a red light unlocked and peeked **** is great.
    Yes it is news..that's why I posted it...might not be news to you but it is general news.

    Not gloating at all, just wanted general thoughts.

    Who's we? If you have a problem with the thread then why don't you just ignore it and carry on.

    Jeez...
    03-27-13 06:50 AM
  12. Barracuda7772's Avatar
    Just because it's secure, does it have to look like a thick Motorola Q with a nasty antenna bump?
    03-27-13 06:53 AM
  13. qbnkelt's Avatar
    Just because it's secure, does it have to look like a thick Motorola Q with a nasty antenna bump?
    That's the nichest of the niche markets!!! Looks are not a consideration. LOL!!!!

    Where the farkyfark are the smilies when you need one.....

    Posted via CB10
    03-27-13 07:36 AM
  14. Barracuda7772's Avatar
    That's the nichest of the niche markets!!! Looks are not a consideration. LOL!!!!

    Where the farkyfark are the smilies when you need one.....

    Posted via CB10
    I know and this isn't the forum for only serious people lighten up a little it was a joke
    03-27-13 07:50 AM
  15. qbnkelt's Avatar
    I know and this isn't the forum for only serious people lighten up a little it was a joke
    Ummmmm....uhuh......

    <insert nonexistent confused and eye rolling smilies here>

    Posted via CB10
    03-27-13 08:02 AM
  16. MC_A_DOT's Avatar
    I know and this isn't the forum for only serious people lighten up a little it was a joke
    LOL woah where did that come from?
    03-27-13 08:16 AM
  17. Barracuda7772's Avatar
    LOL woah where did that come from?
    You know, I'm not exactly sure? Maybe a bit of an argument with my fiance. Sorry if I offended anyone
    03-27-13 08:20 AM
  18. qbnkelt's Avatar
    You know, I'm not exactly sure? Maybe a bit of an argument with my fiance. Sorry if I offended anyone

    Hey, no problem. I lash out every time I have to go to a release readiness review...
    03-27-13 09:45 AM
  19. AngryEdmontonian's Avatar
    Very nice Q, and good to see you in this topic. One thing to add about KNOX, is that it is a different version of Android from others (Security Enhanced - SE Android). They basically worked on securing the OS itself, and layering a secure container on top of it. While it has greatly enhanced the stock security, it is still trying to secure an inherently insecure OS. That being said, this is, as I have said, a huge step in the right direction for anyone wanting to run relatively secure Android devices in their environment, and BB MUST be worried about this.

    The secure container is an AES-256 bit encrypted application, that is separately encrypted from the rest of the device. This is very similar to how Balance works (separate work and personal encrypted space). This container uses a FIPS validated VPN client to connect back to the back end infrastructure. Here is where BB and BB10 sit above. BlackBerry devices, for all intents and purposes, sit WITHIN your enterprise. They are not outside devices connecting back in through a VPN (though they can VPN in). Each application within the KNOX container can use this VPN, if it is granted rights to do so.

    Samsung is a bit hazy on which MDM vendor they are working with, but my guess is they are using Fixmo Sentinel servers for the MDM piece. Fixmo put together a pretty good MDM package. More information can be found here: Fixmo Sentinel MDM | Fixmo Inc.
    While the entire end to end MDM is much better than GOOD Mobile, it still is behind the BES environment (though UDS does falter in some areas).

    KNOX is a threat to BB, and specifically BB10. While the extent of that threat remains to be seen, BB MUST counter this. Balance is a far superior user experience, but it only works on BlackBerry devices. The Secure Work Space on Android and iOS devices will be virtually identical to KNOX in how it works right now. It is an encrypted container, attempting to secure an inherently insecure OS. BB has plans to change how this works on those devices, but time will tell if they can pull it off. For now, it appears, ALL iOS and Android devices that want some sort of secure back end (more than ActiveSync), use the encrypted container method, and this gives an inferior user experience. BB needs to tout Balance and show how much MORE effective it can be than going in and out of an 'app'.


    A good site for information on KNOX is Samsung KNOX-Solutions-Security | SAMSUNG
    This is great information!

    A few things I'd like to know is the cost of the KNOX infrastructure in comparison to BlackBerry BES10 (server costs, licensing etc.) as this is not compared directly anywhere I can find.
    As stated in the SG4 unboxing, all SG4's will come preloaded with KNOX, and everyone went oooh, aahhhh, with no mention of the backend. BlackBerry Balance comes preloaded on BB10 devices, but as we all know there are costs and infrastructure associated with it, that is always seen as a downside to the naysayers.

    Also another advantage of Secure Elements is that it is available for iOS and Android. Am I correct in assuming that KNOX is specific to Samsung? Would KNOX be able to run on an HTC or Sony etc?

    If anyone has any of the answers it would be great to know.
    03-27-13 09:55 AM
  20. Sith_Apprentice's Avatar
    This is great information!

    A few things I'd like to know is the cost of the KNOX infrastructure in comparison to BlackBerry BES10 (server costs, licensing etc.) as this is not compared directly anywhere I can find.
    As stated in the SG4 unboxing, all SG4's will come preloaded with KNOX, and everyone went oooh, aahhhh, with no mention of the backend. BlackBerry Balance comes preloaded on BB10 devices, but as we all know there are costs and infrastructure associated with it, that is always seen as a downside to the naysayers.

    Also another advantage of Secure Elements is that it is available for iOS and Android. Am I correct in assuming that KNOX is specific to Samsung? Would KNOX be able to run on an HTC or Sony etc?

    If anyone has any of the answers it would be great to know.
    Couple of things, first related to the BES architecture.

    For companies running BES 5 now, there is ZERO backend cost to moving to BES 10. Server software is free, licenses are upgraded from BES 5 CAL to BES 10 CAL for free. So they would ONLY have a hardware cost moving from BBOS to BB10 OS devices. Everything else is taken care of. Moving to a new vendor for MDM would require, at the very minimum, license (CAL) cost. Both CAL and Server software cost varies wildly per corporation/government/business, it is hard to say on that, but there would almost certainly be a cost.

    Now, to be fair, UDS has a cost for CALs when adding iOS and Android devices. So the zero cost solution is really only BBOS to BB10.

    The KNOX architecture is a completely different OS than your stock, run of the mill Android. It has been hardened from the kernel up. While this could be done on any manufacturer's device, KNOX is something specific (the name at least) to Samsung. SE Android is out there, but likely isn't free since a TON of money and research went into doing this.
    03-27-13 10:07 AM
  21. DStLouis's Avatar
    See related charts from SourceFire.

    [Image: sourcefire-mobile-phone-security-chart.jpg]
    [Image: sourcefire-mobile-phone-security-trend.jpg]

    Obviously surprising at first look.
    With regard to smartphones, keep in mind that hackers prefer the following situations:
    - Drilling through a deemed-secure environment
    - Impacting as many devices as possible
    ...where iPhone got 2 points here, so it definitely became very attractive for hackers
    ...we all know that Android is deemed to be an inherently insecure OS, so not much challenge for hackers.

    Now imagine a situation where BlackBerry drastically takes a big chunk of that market (which will definitely not happen soon...); for hackers, this should then become the most challenging OS to drill through.

    What this says is: IT staff must be aware of the level of risk and take action accordingly. Obviously some OS will soon be at risk with growing popularity, and maybe not the one we originally thought; IT policies may need to be readdressed.
    03-27-13 10:34 AM
  22. greggebhardt's Avatar
    As I sit in Panera today, I counted no less than 15 iPhones. Most people are oblivious to any security problems.
    03-27-13 12:34 PM
