The emerging threats, and who's susceptible
But despite their more secure designs, a few threats have begun to emerge for mobile OSes, so security experts and vendors figure it's just a matter of time before the increased usage of such devices and their use of more valuable information than just emails will attract hackers. For example:
- The Android Market contains lots of apps that are spyware, Trojan horses, or other malware. One recent malware app secretly sends SMS messages to a Russian service, which charges the user very high fees for the messages. Google doesn't evaluate the apps posted there for security or other concerns, pulling malware from the Android Market only after enough users complain, and the company requires minimal information for developers to be code-signed, notes EMA's Crawford.
- Apps don't have to be malware to be trouble, says Symantec's Nguyen. He cites an Android app whose poor coding saps lots of network access, overwhelming nearby cell towers and making it unavailable to other users. Hackers who want to do denial-of-service attacks can use such techniques intentionally.
- A flaw in the PDF reader plug-in for mobile Safari let hackers load a jailbreaking app onto iOS devices -- raising the specter of desktoplike malware on the iPhone and iPad.
- One Apple developer's code-signing identity was stolen, letting the thieves submit apps to Apple under his name. Crawford says that shows the Achilles' heel of the cryptography-based code-signing approach: There's a single "root of trust" that, once breached, makes everything vulnerable, and the breach often can be done through nontechnological means (phishing is the prime example).
- Nokia has seen several episodes of Symbian vulnerabilities relating to flaws in its code-signing technology -- a year ago, one hacker even found a way to disable the code-signing requirement, Nguyen recalls -- and in 2005 a major malware attack caused Nokia to rework the OS's security approach.
It's situations like these -- especially for the unvetted Android Market -- that has Kaspersky Lab working on an Android antimalware app. But Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab Americas, isn't so sure there'll be equivalent products for iOS, BlackBerry, or the forthcoming Windows Phone 7 because all do more serious vetting of the apps sold through their stores -- at least not in the near future. He notes that sandboxes aren't hacker-proof and may get easier to hack as more connections are made between sandboxes to allow applications to work together or share data, as users expect from their desktop experience.
There likely won't be an antimalware app for iOS devices -- because Apple won't allow them, note both Schouwenberg and Crawford. (Apple declined to comment.)
As mobile devices get more popular and users access and store more valuable information than email on them, they'll begin to attract the attention of hackers now happily making lots of money by breaking into Windows PCs. "It will happen," says Ted Julian, a mobile security analyst at Yankee Group.