Smartphones Are Safer than PCs — for Now
In security circles, the talk on mobile centers around mobile management, protecting access to and use of corporate information by smartphone users. This summer's iOS 4 has been a game-changer for most IT organizations, giving the Apple iPhone, iPad, and iPod Touch security capabilities equivalent to those of Windows Mobile and meeting the needs of most BlackBerry users, ending the main objection at many companies for allowing iOS devices in. (When used with BlackBerry Enterprise Server, the RIM device does remain more secure for high-requirements organizations.)
What they're not talking about are threats that reach the smartphone itself, the equivalent of the malware that ravages Windows PCs every day. There are no equivalents of Symantec's Norton Antivirus or Kaspersky Lab AntiVrus for the popular smartphones: iPhones, Android devices, and BlackBerrys. (A small company oddly spelled SmrtGuard does offer antivirus apps for Android and BlackBerry devices, as does Lookout for the BlackBerry.) Does that put your devices at risk, or are they somehow inherently secure?
[ Learn how to say yes to (almost) any smartphone in your business in InfoWorld's guide. | Keep up on key mobile developments and insights with the Mobile Edge blog and Mobilize newsletter. ]
A key reason that so-called endpoint mobile security is not seen as a big deal is that mobile OSes such as iOS, Android, BlackBerry, and the forthcoming Chrome OS use a couple techniques not common on desktop OSes to make infection more difficult. One is sandboxing, which confines apps and their data and requires explicit permission to exchange data among them. The other is code-signing, which makes software developers register and be vetted before their apps can be installed.
"A lot of mobile devices have a very different security model," says Scott Crawford, a security analyst at the consultancy Enterprise Management Associates (EMA), and the OS makers have built in security from the get-go. "By contrast, the original Windows had very little security," creating a tempting target early on and an architecture whose vulnerabilities became widely known.
There've long been antivirus products for Windows Mobile and Nokia Symbian devices, but they're not that necessary. All smartphone platforms combined have seen fewer than 1,000 malware threats, versus hundreds of thousands for Windows PCs, notes Khoi Nguyen, group product manager for mobile security at Symantec. In fact, the need for antimalware apps on smartphones is so low that Symantec is focusing on delivering mobile management tools instead.
The emerging threats, and who's susceptible
But despite their more secure designs, a few threats have begun to emerge for mobile OSes, so security experts and vendors figure it's just a matter of time before the increased usage of such devices and their use of more valuable information than just emails will attract hackers. For example:
- The Android Market contains lots of apps that are spyware, Trojan horses, or other malware. One recent malware app secretly sends SMS messages to a Russian service, which charges the user very high fees for the messages. Google doesn't evaluate the apps posted there for security or other concerns, pulling malware from the Android Market only after enough users complain, and the company requires minimal information for developers to be code-signed, notes EMA's Crawford.
- Apps don't have to be malware to be trouble, says Symantec's Nguyen. He cites an Android app whose poor coding saps lots of network access, overwhelming nearby cell towers and making it unavailable to other users. Hackers who want to do denial-of-service attacks can use such techniques intentionally.
- A flaw in the PDF reader plug-in for mobile Safari let hackers load a jailbreaking app onto iOS devices -- raising the specter of desktoplike malware on the iPhone and iPad.
- One Apple developer's code-signing identity was stolen, letting the thieves submit apps to Apple under his name. Crawford says that shows the Achilles' heel of the cryptography-based code-signing approach: There's a single "root of trust" that, once breached, makes everything vulnerable, and the breach often can be done through nontechnological means (phishing is the prime example).
- Nokia has seen several episodes of Symbian vulnerabilities relating to flaws in its code-signing technology -- a year ago, one hacker even found a way to disable the code-signing requirement, Nguyen recalls -- and in 2005 a major malware attack caused Nokia to rework the OS's security approach.
It's situations like these -- especially for the unvetted Android Market -- that has Kaspersky Lab working on an Android antimalware app. But Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab Americas, isn't so sure there'll be equivalent products for iOS, BlackBerry, or the forthcoming Windows Phone 7 because all do more serious vetting of the apps sold through their stores -- at least not in the near future. He notes that sandboxes aren't hacker-proof and may get easier to hack as more connections are made between sandboxes to allow applications to work together or share data, as users expect from their desktop experience.
There likely won't be an antimalware app for iOS devices -- because Apple won't allow them, note both Schouwenberg and Crawford. (Apple declined to comment.)
As mobile devices get more popular and users access and store more valuable information than email on them, they'll begin to attract the attention of hackers now happily making lots of money by breaking into Windows PCs. "It will happen," says Ted Julian, a mobile security analyst at Yankee Group.
It's clear that if any mobile OS is likely to be the easy target for hackers, it's Android, whose architecture is most like that of the desktop PC due to its openness, says Schouwenberg. "Android is forcing other OSes to be more open, which increases risk," adds Symantec's Nguyen.
It's also harder to protect Android devices than other devices, notes Julian. The reason: There are so many Android variants in use -- four versions of the OS itself, just as many UI overlays from device makers, and a variety of other customizations from both carriers and device makers -- that Google or the carriers couldn't quickly patch all the devices as, say, Apple can with its iOS devices.
The False Security of App Stores
Apple pioneered the concept of a vetted app store, and every other mobile platform maker has followed suit. It's well known that Apple reviews apps to ensure they conform to Apple's programming and even "decency" standards, and such review gives users the sense that Apple has filtered out malicious apps, says Julian.
That's a risky assumption for any app store, not just Apple's, Julian says. Reviewing all the apps line by line by security experts simply isn't possible given the thousands of apps that are submitted each month, and automated code analysis tools aren't yet up to snuff, he notes. Julian says that Apple, Google, Microsoft, RIM, and the rest will eventually be able to find the "obvious stuff," reducing the risk to everyone's benefit. But some malware will still get through.
Android users can make any vetting meaningless by disabling the OS's block on unsigned apps, a setting easily changed in the OS's Settings app. Some users disable the block so that they can install apps not available in the Android Market, such as apps not authorized for their specific device/carrier combination. Likewise, iOS devices jailbroken to allow unapproved apps undercut any security vetting by Apple in the App Store.
Theoretically, sandboxing would limit the damage of mobile malware. And it will, everyone interviewed for this article agreed. "It's good that people are building in isolation" via sandboxes, Juliuan says. But it's not a perfect defense. "You can Swiss-cheese a sandbox," notes EMA's Crawford, as you add mechanisms to allow apps to communicate with each other or share data.
The app most likely to have such holes punched in it is the browser, for which plug-ins add both capabilities and entry points for hackers, as Apple discovered in the PDF-jailbreak vulnerability, says Kaspersky's Schouwenberg. "That showed the limits of sandboxes."
Crawford notes the issue "wasn't the design of the browser itself, but how it's stretched -- through the extensions, helper objects, and plug-ins that open the doors where control is slight." He notes that users want such extensions, which are often developed by smaller companies and individual developers not necessarily well versed in application security, so mobile OS makers who wall off the browser are likely to get strong user pushback.
And the push to using HTML5 as a pan-mobile application development platform could increase the risk of the browser as a malware vector, he says, if the HTML5 apps were to rely on local helper apps. Web apps concern Crawford the most of all the potential mobile threats because "Web security is getting too little action today," despite the constant stream of reported exploits on the desktop.
This article, "Mobile security: Your smartphone is safer than your PC, for now," was originally published at InfoWorld.com. Read more of Gruman et al.'s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.