When talking about end-user device security, one of the questions I hear most often is 'Which smartphone is the most secure?' .
'The most secure platform' isn’t really a useful metric. It’s an old adage that the most secure computer is the one turned off, disconnected, and locked in a safe. Pretty secure, and not very usable. But it illustrates the point that there’s plenty more to think about than just security when deciding which device you’re going to use to get your job done (or play Minecraft on).
Instead, I believe the question we should be asking is 'Is it secure enough?'. Once you’ve established which of your potential options are in that category, you can then pick the one that best meets your other requirements, such as cost, features, battery life, availability of your favourite apps and so on.
Threat modelling for the win
One of the reasons we do threat modelling is to understand what we mean by 'Is it secure enough?'. By understanding the capabilities and motivation of our attackers, we implicitly set some requirements on our devices and the procedures we use to mitigate those threats.
What we’ve found is pretty interesting; from a security perspective there's not much to choose between any of the most common smartphone platforms, as long as they're kept up-to-date and well managed (when considering the typical sort of attackers we care about in government).
To put it another way, you’re unlikely to find a bad guy that can successfully attack one up-to-date and well-managed smartphone platform, but not the others. This is true whether you’re talking about threat actors at OFFICIAL level, right the way up to SECRET.
That doesn’t mean we’ve solved device security – far from it. What we're saying is that for a typical set of security requirements, you can worry less about which type of device you need and think more about which one(s) meet your business requirements. Once you’ve decided which one(s) you’re going with, you can use our End User Devices Security Guidance to configure and manage it/them properly. And for our non-enterprise readers, there's also the Mobile Device Security Buyers Guide.
As I said above, keeping your devices well-managed and up-to-date is crucial for maintaining the security of your networks, and this in itself can be a bit of a challenge sometimes (which is why we spend so much of our time talking about it).
I get that. But which one is the most secure?
OK, you’ve twisted my arm. Unfortunately, the answer is 'it depends' (sorry Jon). It really does depend on your requirements.
Yes, it’s true that iOS has some clever exploit mitigation technologies. But it’s also true that Samsung has developed some rather neat integrity and separation technologies to keep work data separate from personal malware.
Android has Android for Work, which is a great feature for managing mixed-use devices in an enterprise. But if you want high-granularity enterprise controls you'll probably want to use Windows.
The key point is, these platforms service different user needs. You can’t measure their security on a one-dimensional scale. The device that you perceive as being the most secure is likely going to be different for someone else. We give some guidance on the risks of each device in our EUD Guidance, but which risks matter most to you will vary considerably.
So next time you see an article that says 'X is more secure than Y', think 'So what?'. As long as the device is secure enough for you, that’s what matters.
EUD Security Research Lead