Insight Community

Mobile phone security will have to be very, very light... the phone itself will probably have a limited set of the critical rules and/or firewall-type security on it,and then require regular scans from a more serious device that can hold all the rules, i.e. a pc or server-initiated scan.  As these phones become more powerful, though, they will be more likely to run the scans themselves.  Providers must include security software and services with phones and plans that they sell, or else face liability charges since phones come pre-loaded with vulnerable programs.

Mainstream media will have you believe that your smartphone is horribly at risk from 'mobile malware' (i.e. applications that spread themselves to other devices and do horrid and unspeakable things to yours). The trouble is that almost every story, every press release originates from a security company with a large vested interest in people buying their software. Here's the truth about mobile malware.

The number one thing to emphasise here is that users shouldn't be worried at all. In fact, most of the time they shouldn't even be told about most so called hacks and malware, since most people will NEVER come into contact with anything suspect and the only result of careless reporting will be the spread of FUD (Fear, Uncertainty and Doubt), which will harm the whole smartphone scene.

Despite the scare stories, the world of malware on current handheld devices is miniscule compared to that on Windows. Mobile operating systems like Symbian OS and Windows Mobile are perfectly secure in terms of not letting 'nasties' in while online, so there's no need for a firewall, an otherwise essential utility on the desktop. OS X, as used on the iPhone, is a lot less secure at the moment because every process, however suspect, can run will full system privileges. But you can bet your last dollar that by the time Steve Jobs releases an iPhone firmware with proper, legal third party app support, there will be proper protections in place. Apple aren't stupid!

All known malware applications for mobile devices travel as applications in their own right, usually arriving as an unexpected Bluetooth beamed item or MMS, sent from an 'infected' device. On any smartphone or handheld the user can simply refuse the incoming transmission or not install whatever payload application is received.

Another way for a user to unwittingly receive malware is when installing a so-called 'trojan', usually an application that they've seen online on a 'warez' site (hacked copies of commercial applications) and one that also includes malicious content. Because they wanted the 'for free' application they're likely to install this and it's then that their troubles start. Conversely though, if a user stays away from illegal/warez software then they can avoid ever being tricked altogether.

Assuming that a user has been tricked into installing something malicious (and trust me, encountering mobile malware should be extremely rare) and has accepted the usual 'Are you sure you want to install' questions, what can such a program get up to?

In the case of a communicator or smartphone based on Symbian OS 9.x, e.g. the Nokia E61, N95, etc., not a lot. All operating system files are fully protected against tampering (Symbian call this 'Platform Security', part of Symbian OS 9) and even routine functions like an untrusted application sending items by Bluetooth or trying to go online are each prefaced by a warning message, so there's no possibility of a 'silent infection'. In theory at least, Symbian OS 9-based smartphones are invulnerable and there's no need for any concern or extra security software.

Older S60 smartphones are more vulnerable, allowing silent infections and malware access to Bluetooth and the Internet, but they also make just as much fuss when installing such a program. The reason so many S60 'viruses' have been reported is only because of the huge number of units sold, the proportion infected is still lower than 0.01%.

Windows Mobile devices have a limited amount of security built-in but aren't really secure. When a user tries to run a program it asks them for permission, but once this is given the program is pretty much given free reign to do whatsoever it likes, including changing the registry to allow future malware to install silently. Therefore users have to be even more careful than with old S60 devices about which software they install. In addition, two vulnerabilities have been discovered in Windows Mobile Internet Explorer and the Pictures and Video module: viewing a malicious web page or image file could cause the device to fail, causing potential denial-of-service attacks.

Users can rest easy if they own a Palm OS or Linux-based device, or an older UIQ smartphone, as these aren't attractive platforms for malware-writers and users are more likely to win the lottery than encounter anything malicious, especially if they stick to trusted programs. The iPhone's OS X will be an attractive target, of course, but only Apple know what they're planning in terms of security measures and it's too early to pronounce a verdict on this platform.

Luckily, because the operating system of every handheld or smartphone is in flash memory (as opposed to an easily-writeable hard disk), even if a user is careless enough to get infected then getting rid of the malware is as simple as doing a factory reset and restoring their last good backup or resyncing over their PIM data.

The bottom line? Users should be warned to only download and install third party programs from 100% trusted sources and to avoid warez like the plague.  Bluetooth should be left as 'Hidden' once pairings with accessories have been set up.
And users shouldn't accept new applications or even images by infrared, Bluetooth or MMS unless they are explicitly expecting them.

As mobile phones become more and more capable, security issues similar to what we see on desktop computers are a natural and expected consequence. The nature of the beast on mobile phones is very different from a typical personal computer, however. Part of this is due to the limited resources, part of this is because the operating system in use is very different from that of a desktop computer.

The single biggest threat on a mobile phone is also the single biggest threat on the desktop: the web browser. As the web browser gets more and more capable, simply visiting a page with carefully crafted Javascript could be enough to cause the phone to be subverted for other users. The device itself may not be compromised, but the phone could be used as an unwitting participant in hacking into a web site.

For third-party applications, both Windows Mobile and Symbian OSes make use of application signing. The app can be cryptographically signed so that the content can be verified, if they so desire. S60 3rd Edition, which is Nokia's Symbian implementation, actually requires that all applications be signed. Signatures don't necessarily make it easier to track down a nefarious software author, but they do provide a way to verify you're installing an application that might have trust issues.

The bottom line is that if you follow safe computing guidelines on your mobile phone, you are less likely to be subject to malware or malicious software. This means:

• Don't run applications from people you don't know!
• Browse only to trusted sites on the web. 

Currently, I'd suggest that users are at the greatest threat from stolen phones, overheard conversations, ringtone scams, and problematic "legitimate" software than from dangerous mobile applications but as the question notes this is bound to change as data, surfing, wifi, and bluetooth capabilities sweep over the mobile market and make it a more lucractive area for illegal activity.

In a recent interview Eric Everson of MyMobisafe software suggested that the four greatest threats to all wireless users are:  mobile keyloggers, snoopware, viruses, and hackers.    MyMobisafe offers protection for the mobile device by encrypting data at the handset level.  

Everson notes that  "Most cell phone threats will enter a phone by one of three points of vulnerability which are by inbox messaging, Bluetooth, or Wi-Fi. Most commonly hackers and mobile malware target the inbox as it is a common feature in all phones and has the least amount of security."

AVG anti virus is now beta testing a similar mobile security solution.  See this  SlashPhone article about AVG's approach and how to register with AVG for more information about how to get involved in that beta.

Symbian mobile software has a good track record countering malicious activity.   From Wikipedia:

Symbian OS has been subject to a variety of viruses, the best known of which is Cabir. Usually these send themselves from phone to phone by Bluetooth. So far, none have taken advantage of any flaws in Symbian OS – instead, they have all asked the user whether they would like to install the software, with somewhat prominent warnings that it can't be trusted.

However, of course, the average mobile phone user shouldn't have to worry about such things, so Symbian OS 9.x has adopted a capability model. Installed software will theoretically be unable to do damaging things (such as costing the user money by sending network data) without being digitally signed – thus making it traceable.

Summary:  Users can continue to relax and practice basic online common sense regarding applications and downloads.  Handset makers will continue to innovate in this area and an increasing number of third party handset security solutions will continue to enter the market. 

 

Other Sources:

Wireless and Cell Security 

MyMobiSafe Software

AVG Mobile Software beta 

Wikipedia on Symbian