Mobile Devices Security and Red Teaming
Many readers have asked recently about mobile device security, and more specifically about iOS and Android devices.
First of all, let me say something: I DO NOT think that jailbreaking an iPhone is a good thing. In fact, I think it's quite the opposite: you are making it less secure and inviting malware and other nasties into it.
Second, ALL cellphones can be used to track you, regardless of the make and OS. Unless you can remove the battery, they can be used to track you.
Now for the questions.
Question: What security application do you guys use on your iPhones?
If by security application you mean an antivirus or something similar, then the answer is nothing. Antivirus software on iOS devices (and Android devices for that matter) does NOT work. Good, secure habits in the everyday usage of your devices are better.
The so-called mobile security apps clog your phone, they crash, and they don't really protect you against security problems from a malicious website you are browsing to. In my opinion, Apple does a fairly good job of monitoring the apps that go into the App Store. Having said this, there are some out there (mostly the free, ad-based apps) that still manage to get some malicious code through. You have to read and research a little bit before downloading an app or allowing a website to access data and resources on your phone.
Now, if the question was: what tools do we use for our security scans and research, then the answer is: many. I've written before about this. We use a combination of tools to recon networks (port mappers, SSH clients, mini vuln. scanners) and to map physical locations.
We do have an app that we wrote, the Red Teams App, but it's not ready. It's buggy and I would not let anyone use it until it's fixed. Unfortunately, the time to work on this app is limited.
Question: You seem to hate Android and prefer iOS over Android, why?
Well, Android per se has the potential of being very secure. Unfortunately, both the mobile device manufacturers and the cell carriers cripple the security of the OS by removing security features and adding crapware to it. On top of that, the OS performance is horrendous. I love Linux, or rather I used to love Linux. I've been a user since the early years (think 1993); however, Linux is currently so fractured, so broken, that it has become a pain. The same can be said of Android. We tried to write a version of the Red Teams App for the Android platform, but it was impossible to come up with a good solution that covers all the different flavors.
It's like Windows. Windows tries to be one OS for many manufacturers, and it doesn't work. I believe in the model that Apple has with building the hardware and the software to go with it.
Then you have Google and the Google Play (or whatever crappy name they are using now). They really do a poor job of filtering malware. They do a poor job of verifying the certificates of developers. So, no, it doesn't give me a good feeling.
Then there is the hardware. Android devices are cheap. I'm talking quality, not price. We've tried many over the past 3 years. They are all cheap. Like PCs. Yes, some of them are really expensive (price) but the hardware is crap.
I prefer iOS devices.
BTW, here you have some good information about iOS security testing: