IT and security managers who hope to keep consumer devices and applications out of the enterprise should wake up to the fact that resistance is futile. They are coming.
With that as an unstated theme, eSecurityPlanet looks at two of the major cellular innovations -- Apple's iPhone and the Android platform promised by Google -- and passes judgment on the security of each. The author makes it clear that the comparison is between a device that already is in the field (the iPhone, of course) and a platform that is still on the drawing board. The author concludes that Android will be more secure than the iPhone.
The analysis is technical. Luckily, the writer offers a summation at the end of each category. On application security architecture, Android gets an "A-minus," while the iPhone gets an "F." (Indeed, the writer says that it would get an "F-minus" if such a grade were possible. We know from personal experience that it is not.) The next category is "openness," which refers to the ability of outsiders to see into and contribute to the security of the device. In this category, open source Android (graded "B") tops the proprietary iPhone ("D"). In configuration management, Android gets an "incomplete," while the iPhone scores a "B-plus."
The Register also looks at the security status of Android. It seems that the crux of the matter will be how Google and its partners employ the concept of openness. In a completely open environment, the writer says, a "malign" application could be dispatched to the device.
One expert says that it remains to be seen whether Android will demand that users approve applications to be added. Another adds that asking users whether a particular action should be taken -- for instance, sending an SMS reporting a score on a game to a central server -- is less than ideal because hackers will undoubtedly devise myriad social-engineering tricks.
When the iPhone was released at the beginning of the year, there was some debate over whether it should be classified as a feature phone or a smartphone. The deciding issue was its openness to third-party applications. Whether a device accepts such applications certainly affects its security. There is no doubt, however, that both types of phones are more powerful, carry more vital data and are used for more sensitive applications than legacy phones. Thus, regardless of the food group into which they fit, future phones must be better protected.
Vendors are taking note of the increased risks associated with the proliferation of smartphone devices. For example, GuardianEdge late last month released Smartphone Protection, aimed at enterprises and governmental agencies. The product, this release says, offers "always-on" protection to Palm, Pocket PC, Windows Mobile and Symbian platforms. Manufacturers whose devices are covered by the new product include Motorola, Palm, Samsung, Audiovox/Siemens, Dell and HP. The product provides data-loss protection, data-leakage prevention and enterprise-class management.
Symantec has gotten into the act as well. Also last month, the company unveiled Norton Smartphone Security, which it says is the first consumer offering that serves both Windows Mobile and Symbian operating systems. The release says the product offers Norton antivirus technology, a firewall and short-message service (SMS) anti-spam. The release quotes Applied Research numbers that underlie the need for smartphone security. Applied says 34 percent of respondents access bank accounts through mobile devices and 54 percent visit Web sites that require passwords. Though the assessments are aimed at consumers, there is no reason to think there are any fewer security concerns about smartphones used for business. Indeed, the same device is no doubt used for both business and consumer purposes.
This is not all theoretical: Hackers are targeting the iPhone today. This note at GameSHOUT in mid-November says that in its 1.1.2 iPhone firmware update, Apple patched a vulnerability that enables phones to be opened to third-party applications (a process known as "jailbreaking"). The bug, the story says, made the devices susceptible to other exploits. Apple promises a software developers kit -- an approved way for third parties to write applications for the device -- in February.
The details and opinions vary to some extent, but there is no disagreement on this basic reality for IT departments and security forces: The next generation of mobile handsets represents a greatly increased risk that must be addressed.