mk27,
You are in principle right, but the one thing you stressed is not so important I think.
First of all, Symbian was fully abandoned very long ago, meaning that no one really wants to develop any kind of malware on it (including popular nowadays trojans-bankers or ransomware). As a matter of fact, I would say Symbian is one of the most secure mobile OS today, simply because it is not actual
I have to disagree. Symbian being uncommon these days does not make it safe. This is equivalent to not locking your doors, but thinking nobody will walk in because you live in a middle of nowhere. The holes are still there.
I may have perhaps worded my post poorly. Let me correct it.
The world of security research is huge, and there is serious money to be made by security researchers who find these and either report them to the developers or sell them on a gray market. Humans are not perfect and there are always vulnerabilities in everything.
Normally they get patched if the software is supported, but Symbian is not anymore. Normally on a supported OS, someone purchases the vulnerability, uses it and it's burned. It's a one time use thing because using it gets the word out and it gets patched with an update. This does not happen on Symbian, which pretty much lowers the barrier to entry because the value of the vulnerabilities goes down, and one can even find vulnerabilities by googling for free.
Symbian being uncommon these days does not make it safe because if someone wants to exploit your phone, all they need is to know you use the phone and google it's vulnerabilities. All it takes is someone actually having the dedication to go after you.
Secondly, you needn't purchase anything from security researches, because Nokia developers were quite lazy. Symbian^3 PR1.0 and Belle FP2 do not differ a lot on binary level. I discovered that when I was transferring 'underground' patches from pre-Anna to Belle - truly saying, in 90% of cases there was even no need to use the disassembler, direct transfer in hex worked out. And as we know, PR1.0 PDK was officially available to the public. So, all you have to do is find some vulnerability in code, compile this part, effortlessly find it on Belle, and viola
Yeah, I worded my thing wrong by saying they are for sale.
I was not aware Nokia almost never patched vulnerabilities. This is even worse because one can easily find some old studies written as a PDF from 12 years ago by googling.
There is also something someone I know (who is very experienced in this topic) told me about Symbian, and that is they are just modems with screens, buttons and other smartphone features attached, as opposed to an SoC package that has a dedicated modem for dealing with the GSM/3G network. They also told me that carriers have full control over the modems that connect to their networks. In case of Symbian, this means full control over the phones.
I have not verified this "full control over all modems" due to my time constrains but if this is true, this would make Symbian inherently insecure by design as the microphone and camera are directly connected to the modem. (let's not forget in some countries, the government has 100% control over their carriers)