Blog post

Which smartphone is the most secure?

Created:  10 Feb 2017
Updated:  10 Feb 2017
Author:  Andy P

When talking about end-user device security, one of the questions I hear most often is 'Which smartphone is the most secure?'.

Now, since Jon’s told us we’re not allowed to say 'It Depends', we’d better have a good answer. So here’s what I think.

'The most secure platform' isn’t really a useful metric. It’s an old adage that the most secure computer is the one turned off, disconnected, and locked in a safe. Pretty secure, and not very usable. But it illustrates the point that there’s plenty more to think about than just security when deciding which device you’re going to use to get your job done (or play Minecraft on).

Instead, I believe the question we should be asking is 'Is it secure enough?'. Once you’ve established which of your potential options are in that category, you can then pick the one that best meets your other requirements, such as cost, features, battery life, availability of your favourite apps and so on.

Threat modelling for the win

One of the reasons we do threat modelling is to understand what we mean by 'Is it secure enough?'. By understanding the capabilities and motivation of our attackers, we implicitly set some requirements on our devices and the procedures we use to mitigate those threats.

What we’ve found is pretty interesting; from a security perspective there's not much to choose between any of the most common smartphone platforms, as long as they're kept up-to-date and well managed (when considering the typical sort of attackers we care about in government). 

To put it another way, you’re unlikely to find a bad guy that can successfully attack one up-to-date and well-managed smartphone platform, but not the others. This is true whether you’re talking about threat actors at OFFICIAL level, right the way up to SECRET.

That doesn’t mean we’ve solved device security – far from it. What we're saying is that for a typical set of security requirements, you can worry less about which type of device you need and think more about which one(s) meet your business requirements. Once you’ve decided which one(s) you’re going with, you can use our End User Devices Security Guidance to configure and manage it/them properly. And for our non-enterprise readers, there's also the Mobile Device Security Buyers Guide.

As I said above, keeping your devices well-managed and up-to-date is crucial for maintaining the security of your networks, and this in itself can be a bit of a challenge sometimes (which is why we spend so much of our time talking about it).

I get that. But which one is the most secure?

OK, you’ve twisted my arm. Unfortunately, the answer is 'it depends' (sorry Jon). It really does depend on your requirements.

Yes, it’s true that iOS has some clever exploit mitigation technologies. But it’s also true that Samsung has developed some rather neat integrity and separation technologies to keep work data separate from personal malware.

Android has Android for Work, which is a great feature for managing mixed-use devices in an enterprise. But if you want high-granularity enterprise controls you'll probably want to use Windows.

The key point is, these platforms service different user needs. You can’t measure their security on a one-dimensional scale. The device that you perceive as being the most secure is likely going to be different for someone else. We give some guidance on the risks of each device in our EUD Guidance, but which risks matter most to you will vary considerably.

So next time you see an article that says 'X is more secure than Y', think 'So what?'. As long as the device is secure enough for you, that’s what matters.

Andy P

EUD Security Research Lead

11 comments

Graham - 10 Feb 2017
Very nice post, thank you. "This is true whether you’re talking about threat actors at OFFICIAL level, right the way up to SECRET." Does this mean you will start looking at commercial smartphones for use at SECRET?
Andy P - 14 Feb 2017
Our research is about pushing the boundaries of what’s achievable with commodity technology, and a really key part of that is understanding what the risks look like if you use commodity devices in higher threat situations. It’s a tricky one!
Russell Page MInstRE - 24 Feb 2017
As you state it is dependent on your requirement you have as to ultimately what device you choose. However, taking into account, the device's base electronics, components and if it has a TPM chip, what is the level of protection offered when the device is at rest, turned off or the battery is removed. What level of protection is offered to the internal data i.e. Data at Rest? Can Data be extracted later from the RAM chip if it is immersed in liquid nitrogen, or is there a way of detecting the addition of components? Like a new battery, that has a chip added with 'KeyLogger' SW embedded into it or the battery has a Wi-Fi component added that connects to a local receiver.
Russell Page MInstRE - 24 Feb 2017
We all have different requirements of our devices, but the human will always be the weakest link, maybe not intentionally but accidentally. Forgetting to lock the device or leaving it unattended so it can be tampered with. A simple test/scan of its internal structure to verify the Data, so nothing has been added or taken away and its internal components are all still trusted with no additional FW updates. Like 'Which' magazine I would like to see a points scale that will give me a basic level of security of the device (based on no additional SW being added) IL1 to 5 AES 512 or 1024 encryption or the survivability from a brute force attack Mins Hrs, Days, weeks. Information always has a lifespan, at some point it becomes useless because it has been superseded or the device's estimated survivability time has allowed the old data to become useless and been replaced with new.
Russell Page MInstRE - 24 Feb 2017
i.e. Device "A" - AES-1024, Supports up to IL3, not protected from device intrusion, BF attack 4 days. Device "B" - AES 2048, Supports up to IL4, protected from device intrusion, BF attack 14 days.
Andy P - 28 Feb 2017
Thanks for your comments. I completely agree with you that hardware security is really important to think about when considering a variety of technical threats – especially physical attacks. However, we know some of our EUDs are used in physically secure environments, so in those scenarios the ability to withstand an offline brute force attack is less important than other capabilities of the device. The key message of this blog is that it’s important to understand what your devices need to do to mitigate the threats you’re specifically worried about. To do more than that often impacts usability with no real additional risk mitigated.
Rob Knight - 06 Mar 2017
Hi, Great post and very informative. Interesting comments too. In isolation, a device will only provide some security functionality - mobile devices such as Apple, Samsung and BlackBerry typically have more out of the box. It's only when you start to apply security policies (through MDM or GPO, for example), enforce encryption (standard on iOS and Samsung these days), add an always-on VPN (not always available on the platform) etc. that these devices become suited for commercial and official use.
Kenny P - 06 Mar 2017
#Blackberry #Keyone is staking its claim stating it is the most secure Android device. What's your take on this Andy P? What I'd like to know is it legal for manufacturers to make those claims or is it misleading and if it's misleading why aren't manufacturers prosecuted for making these claims?
Stuart Smiles - 27 Mar 2017
What are your thoughts on WhatsApp and other secure messaging for all the public? What about VOIP calls and encryption used by the public? - Skype and Skype for Business?
Andy P - 05 Apr 2017
There’s a whole load of apps that we know users rely on to keep their data and communications secure, but they don’t work unless the underlying platform can be trusted. That’s why we put so much effort into ensuring we have a solid foundation to build on. We then have guidance that app developers can use to secure their apps for iOS (https://www.ncsc.gov.uk/guidance/apple-ios-application-development-guidance) and Android (https://www.ncsc.gov.uk/guidance/android-application-development-guidance), and you can use those guides to help in your own assessments of app security. We’ll be doing updates to those guides later in the year. We also have a CPA Security Characteristic for secure voice clients (https://www.ncsc.gov.uk/documents/cpa-security-characteristic-secure-real-time-communications-client) which apps can be assessed against. There’s a handful of clients that have gone through this assessment (https://www.ncsc.gov.uk/index/certified-product?f%5b0%5d=field_assurance_scheme%3A226&f%5b1%5d=field_assurance_status%3AAssured&f%5b2%5d=field_product_type%3A210). Other than this, we don’t currently publish any assessments of app security.
Deepak - 11 Apr 2017
Thanks for such a nice write-up. This is very useful information.
