2011: The Year of Mobile Security

N/A • 03 Jan 2011 • EDITORIAL

 I didn’t sleep well last night.  And it’s all because I watched a series of video presentations from a bunch of pale faced kids demonstrating how easy it is to exploit your mobile phone. Here’s the low down:

The past year saw unparalleled growth in mobile apps. The average smart phone user has twenty apps installed on their device and they’re not just fart apps anymore. While, this is generally great news for the mobile industry, it’s also good news for hackers. As the major mobile platforms mature, standardize and grow in ubiquity, they become more alluring to the so called “black hat” hackers who salivate at the idea of finding new ways to get at your credit card, social security number and Facebook login.

Don’t throw your phone away just yet though. The good news is that smart phones tend to have more security at their core than most of our laptops did just a few years ago. Signed and encrypted applications, banned proprietary APIs, and process level security all contribute to the security of mobile applications. App stores also act as gatekeepers to prevent malicious binaries from stealing our savings account.

But like most things, even the best security has limitations and -- as we’re starting to see now -- your mobile has many. The app stores are inundated with crappy submissions as dull as the day is long. This means the scrutiny applied to each submission is limited. There are already several applications in the app stores that collect and share way too much information with third parties (WSJ: Your Apps Are Watching You).  And it’s only a matter of time before the gatekeepers accidentally let a dangerous insurgent enter the green zone. Maybe they already have!

What’s At Risk?
The most common misuse thus far is collecting information that isn’t needed or relevant to the application. For example, a number of wallpaper applications will copy your phone number and mobile phone ID to a central server without asking most likely to be sold for marketing purposes. While it is an invasion of your privacy, if that’s all you experience this year then consider yourself lucky. There are far worse possibilities.

A cleverly crafted app could purposefully hide functionality in otherwise legitimate applications allowing virulent payloads to silently transform your phone into a zombie (Wired: Apple Approves, Pulls Flashlight App with Hidden Tethering Mode).  The most dangerous aspect of this type of invasion is you wouldn’t know anything about it until it was much too late. If ever. After all, the best crime is the one that no one knows about until much much later (think Bernie Madoff). These more sophisticated and malicious exploits would harvest your contact list and use it to expand their list of targets. They will scour the data in your device for passwords, credit card numbers and other information. They will eavesdrop on your email, text messages, phone calls, and reveal your GPS location.

What can you do to stop it?
It’s mostly up to Apple, Google, RIM and Microsoft to keep us secure but you need to keep up your end by being aware and being smart. And by smart, I mean being selective about the applications you install on your phone especially if you jail break or root your device to install unverified applications. If you’ve already whored your phone out to just about every app that you can install, well the good news is you most likely only need to reset or re-install it to get back to a clean bill of health. Lucky you! You dirty bird!

Meanwhile, the big four mobile OS suppliers should be working on improving their app store vetting process, setting stronger or more consistent standards for privacy, providing users with the ability to programmatically choose what is and isn’t shared, and giving users tools to detect and remove rogue applications.

 

http://www.ianwood.com/news/story.asp?sid=62         Share on Facebook

...