The Mobile Security Timebomb Keeps Ticking


The happily overrated Conficker worm is the jumping off point for this piece in Ars Technica, which describes a study aimed at shedding light on another happy fact: Despite the growing sophistication of cell phones, which offer more nooks and crannies into which malware can permeate, there has been no overly successful attack against the mobile devices.


The explanation the piece offers is quite complex, but the conclusion is not. It also isn't something that people haven't known for quite some time: The best defense against attacks is the fact that there are many operating systems (OSes) in the smartphone and cell phone world. The absence of the dreaded "monoculture" raises significant hurdles to bad guys who want their code to execute on a plurality or majority of devices.


Smartphones are only one element of the broader world of mobile device security. A higher-level view is offered in this SC Magazine look at the state of "end point" security. The writer says that the fact that there have been no major smartphone problems until now doesn't mean that there won't be in the future -- or that criminals won't try. The response should be a concerted effort to get encryption and other security software on every device. The writer also takes a bit of steam out of the argument that the industry is inherently safer because of the wide variety of OSes. An IBM ISS executive says the firm has assessed a wide variety of handsets and found several serious vulnerabilities. Some of these problems, he said, are with the underlying radio standards -- meaning that they can be widespread and apply to more than one OS.

The world of security is very complex. There are good people, bad people -- and people who straddle the line between the two camps. This uncertain identity is very much in evidence in this Computerworld piece that discussed the PWN2OWN hacking contest held earlier this month at the CanSecWest security conference in Vancouver, British Columbia. The news that all five smartphones used in the competition withstood the onslaught seems to be treated with a touch of disappointment.


The invulnerability of the phones was said to be due to the limited memory and processing power and the complex mix of handsets, OSes and carriers. This, of course, is consistent with the view offered elsewhere that multiple OSes make the sector hacker-resistant. The story says that one contestant possibly could have broken an iPhone, but passed on the opportunity -- and the $10,000 prize. A possible reason for the decision to not attack the iPhone was that being able to break it as part of a demonstration to a potential penetration testing customer would be worth far more than 10 grand if it leads to a contract, the story says.

A vital issue is how long the old verity that mobile devices are inherently safe because there are so many operating systems will hold true. Alexander Wolfe sounds a couple of cautionary notes. The lack of a dominant platform may not save the industry for much longer, he writes. Indeed, there may not be a single dominant platform. But several, such as the iPhone and BlackBerry, are big enough to firmly put themselves in criminals' crosshairs. The other point is that in the final analysis mobile phishing is likely to be the greatest threat. Thus, while it is a great idea to bolt as much security as possible into, on top of, around, in front of and underneath a mobile platform, the real threat will be the gullibility of the person holding the handset.

Wolfe's warning about phishing being the most dangerous security issue for mobile devices is validated in this TechNewsWorld piece. Though the term itself is not used, the piece definitely deals with phishing. The writer provides vignettes on choices that smartphone owners made on the access permissions requests from applications. The decisions were all negative in the piece. In cases, the thinking was that the applications were asking for too much and the owner was uncomfortable. There is no proof that the application providers profiled here weren't on the up-and-up. Clearly, however, there are times that permission requests will be phishing initiatives.

There are four ways to protect mobile devices: with security on the device, at the network perimeter and directly in front of the databases containing the valuable information. The fourth -- antiphishing techniques and technology -- may prove to be the most valuable of all.