Windows Phone safer by virtue of smaller installed base?


With the current rather serious rash of vulnerabilities discovered in Android (oh, and another one here), potentially affecting a couple of billion handsets and undermining everyone's confidence in this mobile platform, there's a definite case for suggesting that any smartphone platform that's not Android is going to be safer. Not least because Android's sheer popularity causes it to be a much larger target for hackers and mischief makers. Windows Phone, plus iOS at the top end, may well benefit from this mess, I'd like to suggest.

The current rash of Android vulnerabilities has got manufacturers and Google itself scrambling, putting in place update/patching mechanisms which should have been in place long ago. And, with several billion handsets in the wild, and with only a fraction of these kept updated to the necessary standards, the world is fast heading for something of a mobile meltdown.

Well, that's the danger anyway, I'm sure reality won't be quite that dramatic. But it does dent confidence in Android for any professional seeking to use a smartphone in day to day life. If you can't rely on your smartphone and its information being safe, then you're pretty much screwed.

One significant vector for Android's issues, aside from the vulnerabilities themselves, is that it's trivially easy to socially engineer any Android user to allow the installing of applications from 'Unknown sources'. Heck, that's what the likes of Amazon do, with official blessing, with many of its own applications for the platform. And how many people will remember to disable that after installation, or will be bothered to keep enabling and disabling it every time there's an Amazon app update? The net result is that a lot of the aforementioned billions are either running with no protection/checking, or are at risk of being left in this state.

[Image: Lumia 640, Vodafone Smart Ultra 6, Lumia 640 XL]

In contrast, you have to jump through hoops and sign on the proverbial dotted line to unlock a Windows Phone for sideloading 'unknown' applications, so we can eliminate that vector on our platform.

What about trojans, applications or games that get passed by Microsoft Store QA but which do contain dodgy functions that come to light later? This is potentially more likely, since Microsoft's Store QA department is quite clearly slacking - there are some horrendous examples of 'fake' apps currently in the Windows Phone Store - how on earth did ANY of these slip through? And who knows what horrors might be lurking in their code?

Then there are platform vulnerabilities to probing - things that open up the OS under certain circumstances, via SMS, email, Bluetooth and so on. So far we've heard almost nothing about threats of this kind. Is it that Windows Phone (or Windows 10 Mobile) is less vulnerable than Android? Probably not - but, at least on the phone side, it's a much smaller target for malevolent hackers, so not that much attention has been paid by them so far. Helped, no doubt, by the virtual impossibility of subsequently foisting some form of malware on the phone because of the aforementioned lockdown in terms of application installations, i.e. you can't 'install' something you come across on the wider Web.

All of which should be reassuring, hopefully, though the imminent merging of the Windows Phone line with Windows 10 (Mobile) does mean that there's an outside chance that some deep vulnerability in an OS routine might be common across phone and desktop. Windows 10 (on PCs) is effectively built on a decade of learning about vulnerabilities and most horrors are now a thing of the past, with Microsoft patching things almost in real time through Windows Update under the new 'Windows as a service' ethos. In short, Windows on a PC is now pretty safe as long as you let it keep itself up to date.

On the smartphone, things aren't so clear cut. In principle, small updates to Windows 10 Mobile can be pushed out via Settings/'Phone update', but it's early days and we just don't know how committed Microsoft will be to getting this working and how frequently updates will be built and pushed. All we've seen so far is the Insiders Programme, where new builds get offered immediately, whatever your phone, but this is after you accept at least one disclaimer. What will happen for normal users once Windows 10 Mobile is installed over the air onto real world handsets? The jury's out...

[Image: 1020 being updated]

I'd hope for an Insiders/iOS-like model, where critical OS updates can be made available regardless of network, device or region, but who knows which networks (in particular) will stick their oar in here and make this a problem. We're used to firmware updates on Windows Phone being quite a big deal, involving half an hour of 'downloading/installing/migrating' (and spinning gears), but much smaller updates are also possible, which won't need wholesale 'migration' and other messing with the file system.

In the meantime though, I'm still happy to pronounce that one of the biggest advantages of choosing the underdog, Windows Phone, is security. For all the reasons given above. And the next time an Android owner queries your choice of Windows Phone (or Windows 10 Mobile), point out that you don't have to worry about trojans or probing or tapping on links in emails and web pages.

PS. There's no significance to the rather tasty Vodafone Smart Ultra 6 being used in the main graphic above - it's no more vulnerable than any other Android and in fact probably a lot safer, since Vodafone is making a lot of effort to keep it patched up to date. The handsets you have to worry about are the older, cheaper ones that exist by the hundreds of millions.