Feature Language Support
Operating System
iPhone OS iPhone Apps can only be
developed in Objective-C. The library in the libSystem dynamic
applications can invoke C
libraries and C code.
Blackberry The BlackBerry device
supports MIDlets (Java
applications that use
standard MIDP and CLDC APIs
only) and Java applications
that use the BlackBerry APIs.
Encryption APIs
iPhone provides a Common Crypto
library. CFNetwork is a high-level
API that can be used by
applications to create and maintain
secure data streams
and to add authentication
information to a message.
Block Encryption and decryption is
also supported by the Supported
by the Certificate, Key and Trust
Services API. Storage encryption
can be achieved using KeyChain
API.
The RIM crypto API supports a wide
range of asymmetric, symmetric
and hashing algorithms. It has a
Key Store API and a Messaging API
that is CMS compliant.
Android All apps are written in Java Does not have support for device-
and executed within a custom level encryption. However,
JVM called Dalvik Virtual supports the javax.crypto API for
Machine. Development in C is creating encryption capable
possible but apps have to be applications. Bouncycastle's J2ME
externally compiled and then provider comes bundled with
loaded. Android.

Symbian Platform Applications can be Supports the Security and Trust

developed for Symbian using
C++ or J2ME.
Using Symbian's Web
Runtime Tools that support
HTML/ JavaScript/ CSS, web
applications can be
developed, distributed and
installed on Symbian devices.
Services API (SATSA) for Java ME
that defines a set of APIs that
allows applications to
communicate with and access
functionality, secure storage and
cryptographic operations provided
by security elements. Supports the
SATSA-CRYPTO package to enable
symmentric and asymmetric
cryptography.

Also has C++ classes for OS based

encryption and decryption.
Another alternative is use of
Bouncycastle's Lightweight Crypto
API.
Windows Phone Third-paty applications can be Windows Mobile provides
developed for Windows Phone cryptography services that enable
by application developers to add
- writing native code with cryptographic security to their
Visual C++ applications. These are available in
- writing Managed code that the form of Cryptography APIs and
works with the .NET Compact Cryptographic Service Providers
Framework (CSP).
- Server-side code that can be
deployed using Internet Windows Phone also supports
Explorer Mobile or a mobile Device Encryption which allows
client on the user's device. encryption os internal as well as
There is no J2ME version for external memory cards using a
Windows Phone. password that is itself encrypted
and stored using the Device Lock
PIN.
Certificate Management SSL/ TLS support

iPhone provides the the Keychain Supports TLS/ SSL. Also has a
Services API and the Certificate, CFNetwork API, a high-level C API
Key, and Trust services API, whichthat makes it easy to create,
in turn communicate with the send, and receive serialized HTTP
internal Security Server. messages.
Because CFNetwork is built on
In iPhone OS, an application can top of Secure Transport, data
access only its own items in the stream can be encrypted using
keychain—the user is never asked any of a variety
for permission or for a password. of SSL or TLS protocol versions.

The RIM crypto API provides a Data can be encrypted over

Certificate Management API and a SSL/TLS for the entire connection
Key Store API. between BlackBerry
smartphones and the application
server. The RIM crypto API
provides a WTLS and a TLS API.
Supports java.security.cert
package that provides all the
classes and all the interfaces
needed to generate, administer
and verify X.509 certificates.
Certificate and Key Management
is supported through the SATSA
PKI UserCredentialManagement
class.
Another alternative is use of
Bouncycastle's Lightweight Crypto
API.
Supports javax.net.ssl package
that provides all the classes and
interfaces needed to implement
and program the Secure Socket
abstraction based on the SSL
protocol SSSLv3.0 or TLSv1.2.
OpenSSL is also available on
Android as a standard
component. The Android
javax.net.ssl package uses the
OpenSSL Library to implement
the low level SSL functionality.
Symbian Platform SSL/ TLS client
functionality through both native
C++ API provided by the OS and
through MIDP.
Windows mobile provides a
Credential Manager that consists
of a set of APIs that applications
can use to cache and obtain
cached credentials. The supported
Credential types include
Certificates.
Windows Mobile only supports
client certificates using its
wireless authentication
components. Machine certificates
are not supported.
Windows Mobile device shas
inbuilt SSL support for HTTP
protocol. Its NATIVE SSL support
is however lacking as one socket
can only receive and send at one
time. So for full duplex
connection two SSL sockets are
needed.
VPN Support Authentication Support

In iPhone OS, there is no API for The iPhone OS security services

Secure Transport. CFNetwork API do not provide an authentication
is used for secure connections. interface. It relies on the device's
PIN for Authentication.

Supports VPN functionality only By default, Blackberry supports

through a Blackberry Enterprise
Server. Does not have a bundled
VPN client that can connect to
third-party VPN servers.
simple password device
authentication. Server-side strong
authentication can be built into
applications using J2ME and the
RIM crypto API.
The supported types of VPN are
- L2TP/IPSEC pre-shared key
based VPN
- L2TP/IPsec certificate based
VPN
- L2TP only VPN
- PPTP only VPN
Also, a VPN client for openvpn is
available but it requires root
access to the phone to be
started.
Vpnclient software is used to
establish secure connections
from a mobile device to
protected networks (e.g. a
company intranet) over insecure
networks such as the Internet.
Vpnclient is based on open
standards and it can be used
with various security gateways
produced by different vendors.
Symbian also supports IPSec.
Supports
javax.security.auth.plugin
package that provides a
pluggable and stackable
authentication system based on
ideas and concepts from the Unix-
PAM module.
Authentication is supported
through the SATSA PKI
CMSMessageSignatureService
class. This class provides an
authenticate method that can be
used to invoke DSC based
authentication capability on the
underlying device.
Password-based authentication
can be supported using the
standard J2ME Authenticator
class.
By default, Windows Mobile
supports virtual private
networking (VPN),
using either Layer Two Tunneling
Protocol with Internet Protocol
Security encryption (LT2P/IPSec)
or Point-to-Point Tunneling
Protocol (PPTP).
To achieve network
authentication the Windows
Mobile Security Support Provider
Interface (SSPI) allows
applications to access DLLs —
called Security Support Providers
(SSPs) — that provide common
authentication protocols like
Kerberos, NTLM and SSL.
Additionally, Windows Mobile-
based devices can dial into
Remote Access Servers by using
one of the following
authentication protocols:
- Password Authentication
Protocol (PAP)
- Challenge Handshake
Authentication Protocol (CHAP)
- Microsoft CHAP v1 & 2
Digital Signatures
Supported by the Certificate, Key
and Trust Services API. iPhone
has Apple's Fast Elliptic
Encryption (FEE) implementation
that has a small memory
footprint.
Digital Signatures are supported
through Core Crypto API or
through the CMS API which is
PKCS #7 compliant. Supports EC
based cryptosystems.
Authorization
The iPhone OS security services
do not provide an authorization
interface. It relies on the
sandboxing to achieve this. Each
application is put in a sandbox
that restricts the application to
using only its own files
and preferences, and limits the
system resources to which the
application has access.
BlackBerry applications can write
only to the BlackBerry
devicecmemory that the
BlackBerry® Java® Virtual
Machine uses; they cannot
access the virtual memory or the
persistent storage of
other applications unless they
are specifically granted access to
do so through the use of special
Blackberry APIs. Research In
Motion must digitally
sign a BlackBerry Java
Application that uses these
BlackBerry APIs, to provide an
audit trail of applications that
use sensitive
APIs.
BouncyCastle has a J2ME provider
that can be used on Android. This
provider comes bundled with
Android however certain
algorithms like EC do not seem to
be working. This will have to be
investigated further.
Digital Signatures are supported
through the SATSA PKI
CMSMessageSignatureService
class. This class provides a sign
method that can be used to
invoke signature capability on the
underlying device. The signatures
are generated in accordance with
CMS - PKCS #7.
Currently, Symbian Platform does
not support ECC.
The Android manifest file allows
developers to define an access
control policy for access to
components
- Each component can be
assigned an access permission
label
- Each application requests a list
of permission labels which are
fixed at install
When an application requests
permissions to access other
applications or OS features, the
OS either automatically allows or
disallows based on certificates or
prompts the user.
Symbian platform has a UNIX-
style capability model
(permissions per process, not
per object).
Symbian supports Data caging
which means that the
applications and the users have
access only to certain areas of
the file system. In practice the
applications can access their
own private directories and
directories that are marked as
open.
Privileges can be granted by
user at installation time, through
being Symbian signed or by
device manufacturer.
Digital Signatures based upon Windows Phone has the concept
RSA are supported. of Normal and Privileged
applications.

Normal applications cannot

access protected registry keys
and system APIs.

Privileged Applications can

access all registry keys and all
system APIs and can install
certificates on the device.
Privileged applications can
switch to run kernel mode.
Privilege is assigned to
processes rather than to
modules.
Application Deployment

Digital signatures are required on

all applications for iPhone OS. The
developer first signs an application.
It is then signed by Apple.

An application that
hasn’t been signed by Apple will not
execute.

(The BlackBerry device allows the

downloading of all third-party Java
applications by default.
BlackBerry smartphone applications
using the RIM crypto API require
developers to sign and register
their applications with Research In
Motion (RIM).
All Android applications (.apk files)
must be signed with a certificate
whose private key is held by their
developer. This certificate identifies
the author of the application and
may even be self-signed.

Digital signatures by Symbian are

required on all trusted applications
for Symbian OS. These are applied
through the Symbian Signed
program.

An application that
hasn’t been signed by Symbian will
be an untrusted application.
Windows Mobile devices are
available in several security
configurations. The typical
configurations are locked, third-
party signed, prompt, and security-
off.

Windows Phone has the concept of

Normal, Privileged and Blocked
applications. Privileged
applications are those that are
signed using a Certificate available
in the Privileged Execution Trust
Authorities Store. Privileged
applications can be created by
getting them signed by Verisign -
a Microsoft Partner.
S.No Category
Software Modification Threats
1

2 Data Threats

Threats due to Malware

4 DoS Attacks
5 Messaging based Attacks

6 Threats due to OS Vulnerabilities

7
Threat Description
Attack via faulty or illegal privileged Moderate
code extensions

Data extraction from Lost/ stolen

devices

Viruses, Worms, Trojans

Spyware
Rootkits
Jailbreaking
social engineering attacks

Data Theft Taking someone’s pictures, messages,

phonebook or file data without the
permission of the owner

Copyright Abuse Violating paid for content – e.g. by

recording and distributing pay-per-
view films
Device Theft phones are a highly lucrative item and
phone theft is a massive problem. Re-
enabling stolen phones is a key driver
for hacking phones

Theft of Service stealing someone else’s minutes or

data or getting free service from the
network
Denial of Service
Disruptive / Anarchistic Attacks
preventing normal operating of a
phone or preventing the access to or
operation of a network
attacks in which the intention is to
cause upset, distress and disturbance
to the user, network or corporation
such as a virus (could include Denial of
Service).

Interception listening into someone’s calls or

getting access to messages / data
during transit
Facilitators some attacks are deliberately
designed to create a staging post for
other forms of attack.
Fraud Getting financial gain by deceptive
means
Method of Propagation Resolution
WWW

MMS, SMS, Email, Bluetooth, WiFi,

User Installation, Self Installation,
Memory Card, USB
A distrusting partner or spouse can
secretly download the free application,
called PhoneSnoop, onto your
BlackBerry, remotely turn on the
microphone, and listen to
conversations held in proximity to the
device.
Major Players