Windows Phone the securest smartphone platform of all?


Security is very much in the news recently, whether physical, in terms of terrorism, or personal, in terms of hacked servers, potential ID fraud, and so on. Then there's the raft of security holes found in various versions of Android, arguably the dominant OS on the planet at the moment. Regardless of other factors, including the 'app gap', you have to wonder whether security should be a factor when choosing which smartphone platform and ecosystem to invest your time and money in? I contend that it absolutely should be.

With that in mind, I was interested to read an article from a few weeks ago, in which What Mobile interviewed Steve Lord, a 'white hat' hacker, asking about his experiences trying to break into various platforms and systems in order to help shore up security.

A few quotes from the Q&A caught my eye:

• Which OS is most at risk? Windows, Android or iOS?

All have benefits and drawbacks. Currently Windows Phone seems to be the hardest nut to crack. BlackBerry has a long history of being very security-focused. If I have physical access to the device, I find Android’s usually the easiest target. Then comes iPhone, then older versions of BlackBerry. If it’s over a network or I have to attack via email or message, Android’s usually the softest target.

• What can people do to keep personal data more secure?

Make sure your phone has the latest updates. Don’t put anything on it you wouldn’t want to see all over the Internet. Don’t jailbreak or root your phone. Never install apps from outside of your phone’s app store.

• Are there older smartphones that consumers can use to be more secure?

Older smartphones tend to be considered less secure as they’re usually affected by known weaknesses. If you’re using an older phone you’re better off with a classic dumb phone. If you have to have an older smartphone, use an older BB10-based BlackBerry, or a Windows Phone running Windows Phone 8 or newer.

• Are there any apps that are guilty of making your phone insecure?

Lots of apps that do bad things with permissions. The worst offenders are things like Facebook and Facebook Messenger. Most apps need to access certain things like your photos to allow you to share pictures. But some apps just seem to want to hoover up data and send it back to the mothership.

There's quite a bit there to unpack. It's somewhat ironic that Windows, the butt of most of the security jokes in the 2000s (don't worry, the mantle is now firmly on Adobe, maker of Reader and Flash), is now getting much more battle-hardened and tougher to crack, though we're talking mobile here and Steve Lord singles out 'Windows Phone' for praise, not once but twice in the questions above.

There are two aspects to security here:

  1. Vulnerabilities and the effort being put into finding them
  2. Store lockdown

While Steve states that Windows (Phone) is the least vulnerable to attack by a hacker (phew!), there's a question of whether Windows 10 Mobile is more vulnerable than the more locked down Windows Phone 8 - I'd bet that it is, if only because it's so new and rough edges are still being knocked off. On the plus side, almost no one in the real world is actually using it yet, so there's zero point in anyone malicious targeting the platform. Then, with Windows Phone as its heritage and with Windows 10 becoming very mature now (it launched in the summer) and with Microsoft's newfound zeal for security (I spotted this the other day, talking about hardening of the Edge browser), I'd still bet that Windows 10 Mobile was more secure than your average Android handset - a lot more secure.

The second aspect is just as important though. The number one problem on Android is the ease with which malicious communications can trick users into installing trojans on their smartphones (including guiding them through ticking the appropriate 'unknown sources' box in Settings) - this just doesn't happen on iOS and Windows Phone/Windows 10 Mobile, since the Stores are the only way for regular users to install anything onto their phones. (OK, so if you're a developer then you can push stuff across a cable, but then if you're a developer you know what you're doing.)

This Store security is not absolute, of course, since you're relying on the people and algorithms behind (in this case) the Windows Store thoroughly checking each new application for malicious behaviour. And, as regular readers will know, I have my doubts as to how well this is done - I've seen FAR too many 'fake' applications in the Store on my Windows phones recently (see here for my response!) Perhaps all they want to do is trick me into spending an extra pound or two, perhaps they 'just' want to serve me lots of ads, but either way I'm not taking the chance - and neither should you.

  • Always check that the developer of a Store title looks legitimate and check the star ratings and any reviews. If there's no rating and no reviews, and the title is well known, then the chances are that this entry is a fake, etc. Plus, as quoted by Steve Lord above, look carefully at the 'permissions' part of the Store listing for anything you're thinking about downloading. A game which needs access to your 'pictures library', 'contacts', 'location', and so on is either very ambitious (which is fine if it's something you're expecting) or possibly malicious. I repeat - read the permissions pane for anything new to you in the Store. Just in case.


So, in terms of fundamentals, Windows Phone and Windows 10 Mobile are pretty secure then, at least compared to Android. And there's an extra factor to consider - the size of the target, i.e. how large the user base of a platform is. We can see that this makes a difference since iOS (iPhone) is pretty locked down, yet Steve quotes this as second easiest to break into, thanks to the size of the iOS user base and the much greater amount of work that has gone into hammering away at it in order to find vulnerabilities and develop hacking tools. In contrast, the relatively small market share of the Windows Phone platform hasn't made it much of an attraction to the bad guys.

This is likely to remain the case for a while, despite the commonality with Windows 10 on the desktop. Having been primarily a Mac user on the desktop for the last seven years, it's been liberating seeing stories of PC and Windows attacks, knowing that I'm relatively safe, as the minority platform. A similar sense of safety probably applies to Windows Phone and Windows 10 Mobile.

Now, while none of this is absolute, while no platform can ever be 100% bug and vulnerability free, while no Store can ever be 100% free of fake apps, while no OS can ever be immune from hacking attempts, put everything above together and Windows Phone (and, by extension, Windows 10 Mobile) does indeed come out as the 'safe' choice of smartphone for anyone worried about mobile security.

Have I missed anything? Anyone care to disagree or agree? Comments welcome!


PS. As a bonus to this chat(!), note that security guru Graham Cluley is joining me on Phones Show Chat this weekend, let's see if he agrees!