I’m not entirely dead yet, just very busy 🙂
Anyway, I came across this blog posting (Mobile Virus FUD) which in turns references this article about Kaspersky Labs (not the one at heise security as I stated – erroneously – before). Before we continue, a disclaimer: the views and opinions expressed here are my own and are not representative for any current or past employer. I have no relations with Kaspersky Labs. Also, I’m not an expert in mobile devices per-se and never did development for them, but I have some background in low-level logic circuits (like FPGAs).
Back to the topic: the article referenced ask the question how much of the danger presented in the media is true and how much is hype? I have to say that I despise hype and half-truths meant to scare the public into acting a certain way very much (just look at the title of my blog) and in the short term I have to agree with the posting: it is mostly hype and currently it has a very low possibility of affecting people. However, this being said, this issue has a very great potential to become a big problem in the future. The reasons being:
- As far as I know many mobile OSs sacrifice a well defined security model for simplicity and performance. You don’t have
limited user accounts, you are always running as administrator.
- Further more, many of the processors used in such devices lack the proper hardware basis – again, for cost and performance reasons probably – to implement such a security system (this is not to say that you can’t implement a very secure system in software alone – just look at Singularity, a research OS written in C# which relies entirely on software to enforce the security – but it is a lot harder)
- Finally, the security industry hasn’t managed to convince all the people that they need security products or to inform them on how to use them properly (like updating regularly). It will be even harder with smart-phones since many people will say
it’s just a phone, why do I need to have to buy X for it?
- This same lagging can be observed in the patching area: no framework for patching existing phones is currently available.
In conclusion, the situation is somewhere at the Win9x level: every program runs with system wide privileges, no automatic method for patching system flaws and very low user awareness. It isn’t a problem currently, but if the right financial motivation appears (like these phones getting widespread and containing many sensitive information), it has a git potential to become one.