Mobile platforms must not repeat the security failings of PCs


I can still remember my breathless excitement the first time I heard the executives of a major AV vendor tell me about the promise of smart phones. Imagine 100 million devices all needing software subscriptions for AV! I was dubious then (2003) and I am still dubious today. Indeed there are security issues with new mobile platforms. But before getting to those, let’s go over why mobiles are not the same as PCs.

Diversity

The number one difference between the mobile ecosystem and the Microsoft-Intel duopoly that defined the last generation of computing devices is diversity. Windows everywhere, a logical strategy for Microsoft, but a security nightmare for the world, was the primary driver of the security industry as we know it. Major AV vendors are the largest components of that industry.

Anti-malware is required on every Windows platform from workstation, to desktop, to laptop, to server. One of the tenets of the software business model is to re-use code. Thus there are elements of DOS extant today in every Windows installation. A new vulnerability discovered in code that is over ten years old can expose hundreds of millions of devices.

One of the travesties of Windows is that the market was convinced that having the same operating system everywhere offered some sort of cost savings. When it comes to security, there has definitely not been a savings. And while critical systems like medical equipment, manufacturing controls, even vehicles like trains, ships, and submarines were originally sufficiently separated from vectors of infection, over time they too became exposed and even targeted. This has led to today’s environment of data loss, cybercrime, and a constant battle to patch and protect Windows systems.

Thankfully, smart phones and new platforms such as iPads and book readers have not fallen for this idea of uniformity. Features, connectivity, content, and applications are the drivers, just like the pre-PC days when we had competing workstations from IBM, HP, Sun, Silicon Graphics, and Apollo all innovating and competing to offer the best solution.

We have Symbian on Nokia phones, MacOS (Open BSD) derivatives on iPhones and iPads, at least ten different ebook reader platforms, and Android being pushed on phones and netbooks. While any one platform is not inherently secure, the diversity of so many platforms means increased cost and reduced return on investment for those that would attack those devices. Three cheers for diversity.

Carriers

Mobile devices are bound to the carriers that support them. Carriers invest billions in deploying their wireless networks to support those devices and they have contractual relationships with the device makers. They will respond to attacks against those platforms. In Europe, most carriers have deployed head end gear to filter out viruses spread by smart phones. There are costs associated with every message sent, something that keeps spam down.

Carriers are not like fixed line ISPs that washed their hands of responsibility for the attacks and malware that were delivered to their customers. A virus on a cell phone that causes new charges for calls or messages will result in immediate customer reaction and consequently, lost revenue. And a major virus outbreak could disable the carrier network. Of course they will continue to invest to prevent that.

Security matters

Mobile devices carry a lot more personal information than PCs. The end user is very protective of contacts, texts, and location information. Any perceived weakness in the security of a mobile device will have a bigger impact than in the PC world. As platforms proliferate, you will see all sorts of interesting attacks against them, like the SMS-o-Death that researchers at the Berlin Institute of Technology recently demonstrated or Facebook-borne attacks against Android. But notice those attacks are platform dependent.

So here is our big chance. Mobile device platforms can come complete with security features, including a hardened OS and default settings that are secure. Remote location and device wipe are two other features that can be incorporated as additional security. Device manufacturers and carriers have an opportunity to forestall the security issues that have plagued the last generation of computing devices. Hardening, code review, and yes, whitelisting will be the avenue to safer computing platforms.

My predictions for the mobile device industry

Anti-malware will never be a big business (sorry Intel, why did you acquire McAfee again?). Application whitelisting will be required on mobile platforms. Trusted third parties that check code validity will emerge, and crowd-sourced, cloud-based services will arise that give you a sense of trust based on user ratings and number of installs.

Richard Stiennon is the author of Surviving Cyberwar (Government Institutes, 2010). He also researches the security industry with a focus on cyber defense at IT-Harvest, an independent IT security analyst firm. Richard has held executive positions at Fortinet, Webroot Software, and also served as Vice President of Research at Gartner. Richard was named “one of the 50 most powerful people in Networking” by Network World Magazine and he holds Gartner’s Thought Leadership award.