In March 2014, DIVSI (German Institute for Trust and Security on the Internet) presented a study titled "Find out more about the use of smartphones". It compares four operating systems: BlackBerry OS10, Android, iOS and WindowsPhone. The study report explains the complex processes that run in the background.
The aim of the study is to create awareness of how much influence the average smartphone user has on the transfer and processing of data. This was done using test devices, manufacturer documentation and minimum configurations.
bb10qnx.de conclusion first:
In the private user market, the 4 operating systems tested compare as follows:
"bad vs terrible", but BlackBerry stands out positively.
BlackBerry OS10, however, was developed with security as the priority, as the white paper points out. Private customers want to take advantage of every opportunity to communicate with their environment, such as Facebook and Twitter. The security of the data depends on the behavior of the users themselves. Anyone who logs on to Facebook cannot complain to the smartphone manufacturer afterwards that their data was passed on. Here, however, BlackBerry stands out: BlackBerry writes the apps for Facebook and some cloud providers itself. Consequently, it is not necessary to install an additional Facebook Messenger that requires permission to make calls or send text messages, as on Android. Furthermore, you can edit the permissions of BlackBerry apps without compromising the basic functionality of the apps.
BlackBerry focuses on enterprise customers. In this market BlackBerry can score with its BES12: one single admin console for BlackBerry, Android, iOS and Windows Phone.
Plus the eBBM™ Suite. It offers BBM Protected, a messenger with FIPS 140-2 validated encryption technology, BBM Meetings, a way to hold secure VoIP conferences, and other functions.
Due to the BES connection, a customer has BlackBerry Balance on his BlackBerry: two accounts, a private and a professional one, strictly separated from each other. With the acquisitions of Secusmart (encrypted communication via hardware encryption in the form of an SD card) and Movirtu (2 contracts with separate bills and numbers on a single SIM card), users have full control of data integrity without sacrificing the private user experience. And with BlackBerry OS10.3.1, which will be coming in January 2015: improved internal and external "out" messages, S/MIME and PGP encryption, and camera for the workspace.
We now present some chapters of the study (chapter numbers in the headlines), shortened or summarized. The focus is on BlackBerry and its differences from the other operating systems.
We have attached the original graphics, so they are in German.
2. Key Findings
Users should be aware: each manufacturer establishes connections to its own infrastructure, and the manufacturers use the usage data to improve their services.
- The collection of usage and diagnostic data is carried out by the manufacturer in anonymous form.
Except for Android, all operating systems provide an option to disable the collection.
- Private data on smartphones can be synchronized with cloud services of the manufacturer.
Synchronisation on WindowsPhone can't be disabled.
- It can be problematic if app permissions are organized in groups and the user gives consent to a whole group. On Android, the permissions within an already confirmed group can change after an update without user consent. For example: an app is allowed to access the call statistics; after an update it is allowed to make calls without user interaction, because the permissions are organized in one group.
- On BlackBerry OS and iOS, users can withdraw (or grant) permissions for apps. Users of an unmodified Android or WindowsPhone don't have this option.
3. Tested mobile operating systems
Android, BlackBerry OS10, iOS and Windows Phone
5.1 Smartphone setup
Smartphones, OS version:
- Android: LG E960 Nexus 4, Android 4.4.3
- BlackBerry OS: BlackBerry Q5, BlackBerry OS10.2.1.2977
- iOS: Apple iPhone 5s, iOS 7.1.1
- WindowsPhone: Nokia Lumia 920, Windows Phone 8.0
Note: the versions available in November 2014 are Android 4.4.4, BlackBerry OS10.3, iOS 8.1 and WindowsPhone 8.1.
5.1.2 Minimum settings in practice
Legend for the graphic: Endpunkte = endpoints, Verbindungen = connections, Datenvolumen = data volume
All 4 manufacturers establish connections to their own infrastructure. All use TLS encryption for part of their communication (Android 13.4%, BlackBerry 3.4%, iOS 52%, WindowsPhone 44.9%).
Continuous connections: iOS (for push messages), Android (video and chat functions) and BlackBerry (according to the study: unknown. But we know: connection to the BlackBerry server for PIM services and BlackBerry services).
Android established just one connection to an advertising service: DoubleClick, an advertising company of Google.
Android and BlackBerry OS establish a connection to gpsonextra to receive updates for the basic positioning service.
All 4 operating systems establish a connection to Content Delivery Networks (CDN) to deliver the data quickly and without distortion.
WindowsPhone establishes a connection to a location service. This happens even if the user declined that connection during setup.
5.6 Survey of usage and diagnostic data
The study mentions that all mobile operating systems except Android offer the option to disable diagnostic data.
Android can record the complete usage of Google services; this affects, for example, lists of telephone numbers. The data is processed on several servers in several countries. Furthermore, users can obtain access to their data, but only if this can be implemented with reasonable effort. Backups on non-active servers are probably never deleted.
BlackBerry users in the European Economic Area agree that their data is processed outside the European Economic Area. BlackBerry commits to the complete deletion, destruction or anonymisation of data when it is no longer needed. BlackBerry can use private information of the user to respond to court orders, warrants, or other legal requirements or legal process, or to give emergency assistance in life-threatening situations. In these cases, BlackBerry does not require the consent of the user.
Apple passes the data on to third parties that provide services for Apple. Data from users in the European Economic Area is stored and processed in Ireland. However, Apple discloses data to government authorities, even outside the country of residence, explicitly for national security.
According to the study, WindowsPhone has the highest number of affected data items. Microsoft notes that its users' data may be stored and processed in the US and other countries by Microsoft, its partners, affiliates and service providers. Government agencies also receive help from the manufacturer.
6. Basic functions and Cloud
- Android: When creating a Google Account, the user is immediately prompted to synchronize the contacts via Google cloud services. The data is only transmitted after the user consents.
- BlackBerry: DIVSI writes that BlackBerry OS does not allow cloud synchronization. This is not entirely correct. BlackBerry has no private cloud service for home users. But it is possible to synchronise the contacts over several protocols, for example Microsoft Exchange or CardDAV.
- iOS: Sync with iCloud is enabled by default and can be disabled.
- WindowsPhone: No deactivation of synchronization possible.
The situation is similar for calendar and scheduling information as well as photos and music. BlackBerry can synchronize photos with Dropbox or Box, for example, and music and video via 7digital with a standalone app.
The study's data here were not entirely correct; these points were not taken from the DIVSI study.
6.2 E-Mails and text messages
While BlackBerry brings all accounts together in the BlackBerry Hub, it also presents every type of text communication in its own app. All other manufacturers combine some of their short message services with IP messengers.
6.3 Browsing the Web
- Android: No private mode, no do-not-track option, only coarse-grained cookie settings, no cloud synchronization
- BlackBerry: Private mode, no do-not-track option, only coarse-grained cookie settings, no cloud synchronization
- iOS: Private mode, do-not-track option, fine-grained cookie settings, cloud sync
- WindowsPhone: do-not-track option, coarse-grained cookie settings
6.7 Further cloud services
All providers have a cloud in their portfolio, except BlackBerry for private users. For private users there is BlackBerry Protect, which helps to locate a stolen device. When connected to a BES, the server storage can be integrated as a cloud.
All manufacturers review apps before placing them in their markets.
BlackBerry OS tests native and Android apps before installation. The statement in the study, "a general statement about security test automation of these third markets, can not be made", applies only to third-party markets.
Comparison of Security Models
Timing and selective granting
Android and Windows Phone only offer to grant or deny all permissions.
Android: Since May 2014, permissions have been organized in groups. Once an application is allowed to access a group, further permissions may be added later by an update without user interaction.
Only on BlackBerry and iOS can you change the permissions individually afterwards. On Android and WindowsPhone there is no way to do so.
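The group behaviour described in the Key Findings and in this section can be checked by comparing the manifests of two app versions. The following is an added example, not code from the study or from this site; the permission-to-group mapping is a simplified assumption and the two manifests are constructed for a hypothetical app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Simplified permission-to-group mapping: an assumption for this example,
# not the exact grouping of any Android or store version.
GROUPS = {
    "android.permission.READ_CALL_LOG": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.INTERNET": "NETWORK",
}

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def review_update(old_manifest, new_manifest):
    """Split permissions added by an update into those inside a group the user
    already accepted (no new prompt) and those that need new consent."""
    old = requested_permissions(old_manifest)
    new = requested_permissions(new_manifest)
    accepted = {GROUPS.get(p, p) for p in old}  # unknown permission = own group
    report = {"silent": [], "prompted": []}
    for perm in sorted(new - old):
        key = "silent" if GROUPS.get(perm, perm) in accepted else "prompted"
        report[key].append(perm)
    return report

def make_manifest(perms):
    """Build a constructed sample manifest for a hypothetical app."""
    items = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.demo">{items}</manifest>')

V1 = make_manifest(["android.permission.INTERNET",
                    "android.permission.READ_CALL_LOG"])
V2 = make_manifest(["android.permission.INTERNET",
                    "android.permission.READ_CALL_LOG",
                    "android.permission.CALL_PHONE",
                    "android.permission.ACCESS_FINE_LOCATION"])

if __name__ == "__main__":
    for kind, perms in review_update(V1, V2).items():
        for perm in perms:
            print(f"{kind}: {perm}")
```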
Regulated and recognizable access to user data
Other safety precautions of the operating systems
All operating systems provide different types of screen lock.
Android and iOS offer fingerprint sensors. This is questionable, since these systems have been bypassed, and by using this option the fingerprint is "burned" as a security token.
BlackBerry offers picture password. It displays numbers in a grid across the whole display. A predetermined number must be moved to a certain predetermined pixel. Hard to trace and unique.
All manufacturers offer encryption. Only WindowsPhone requires an Exchange server for it, which is unusual for private users.
Android and WindowsPhone encrypt only when the power is off (most smartphones are online all day).
BlackBerry encrypts immediately, even incoming data on a locked device.
iOS works with non-transparent protection classes.
7.4 Data usage: Angry Birds
Advertising (banners and videos) is displayed.
164 connections, 52 of them encrypted with TLS, 38 endpoints, 6.05 megabytes exchanged.
The following is transmitted unencrypted via HTTP:
Selected language, device ID and MAC (but not in plain text), IP, carrier, device type, operating system and version, screen resolution.
Several connections to third-party advertising.
No communication beyond that described in section 5.1.2 was detected!
43 connections, 38 are encrypted with TLS, 13 endpoints, 1.11 megabytes were exchanged.
Because of the encryption, it is not clear what data has been transferred.
52 connections, 39 are encrypted with TLS, 26 endpoints, 1.44 megabytes were exchanged.
The usage of the app is transmitted to multiple services.
The four smartphones were connected to a WPA2-secured (encrypted) wireless network set up specifically for the study. The access point is implemented by a Linux server that is connected to the Internet and routes the traffic of the individual smartphones to the Internet. At this point it is possible to record the network traffic and subsequently examine the data transfers that took place.
For the tests in Section 5.1.2, the phones were reset to factory settings and were then ready for the first setup by the user. From this point the network traffic was recorded, so that all network connections made during setup were captured. After setup, the network traffic of the phones was monitored for several more hours without further user interaction.
For the tests in Section 7.4, a customer was set up on the phone after the initial setup, and the game Angry Birds was bought in the respective app market. The network traffic was recorded from the app start and for the duration of an average user interaction.
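The per-phone figures quoted above (connections, TLS share, endpoints, data volume) can be derived from flow records captured at such an access point. The following is an added example, not the study's tooling; the flow tuples are constructed sample data, and treating each distinct remote IP as one endpoint is an assumption.

```python
from collections import defaultdict

def is_tls_client_hello(payload):
    """True if the first client bytes look like a TLS handshake record
    carrying a ClientHello (content type 0x16, version 3.x, msg type 0x01)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)

def summarize(flows):
    """Per device: connections, TLS connections and share, endpoints, bytes."""
    stats = defaultdict(lambda: {"connections": 0, "tls": 0, "bytes": 0,
                                 "endpoints": set(), "non_tls": set()})
    for device, remote_ip, remote_port, first_bytes, nbytes in flows:
        s = stats[device]
        s["connections"] += 1
        s["bytes"] += nbytes
        s["endpoints"].add(remote_ip)  # assumption: endpoint = remote IP
        if is_tls_client_hello(first_bytes):
            s["tls"] += 1
        else:
            s["non_tls"].add((remote_ip, remote_port))
    return {d: {"connections": s["connections"], "tls": s["tls"],
                "tls_share": round(100 * s["tls"] / s["connections"], 1),
                "endpoints": len(s["endpoints"]), "bytes": s["bytes"],
                "non_tls_endpoints": sorted(s["non_tls"])}
            for d, s in stats.items()}

# Constructed sample data: start of a TLS ClientHello and of an HTTP request.
TLS_HELLO = bytes.fromhex("1603010200010001fc0303")
HTTP_GET = b"GET /ad?lang=de HTTP/1.1\r\n"

# (device, remote IP, remote port, first client payload bytes, total bytes)
FLOWS = [
    ("phone-a", "203.0.113.10", 443, TLS_HELLO, 120_000),
    ("phone-a", "203.0.113.10", 443, TLS_HELLO, 30_000),
    ("phone-a", "198.51.100.7", 80, HTTP_GET, 50_000),
    ("phone-a", "198.51.100.8", 443, HTTP_GET, 10_000),  # port 443, no TLS
    ("phone-b", "192.0.2.5", 8883, TLS_HELLO, 5_000),    # TLS on another port
]

if __name__ == "__main__":
    for device, row in summarize(FLOWS).items():
        print(device, row)
```

Classifying by the first payload bytes instead of the port number keeps unencrypted traffic on port 443 and TLS on unusual ports from being miscounted.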