What are the prospects for smartphone security threats?

Smartphones are becoming ubiquitous, but they are still limited in their usefulness. This is actually a boon for their security because they have not been effectively secured to replace a desktop or laptop computer for a lot of high-risk activities.

With the growing popularity of smartphones, people are beginning to speculate about whether there will be an explosion of security issues in the near future. When will the storm of viruses appear? When will smartphones -- relatively low-power by the standards of personal computers, but online pretty much all the time -- become a platform of choice for botnet nodes?

Some security experts are skeptical of the idea that smartphones will ever be much of a target for malicious security crackers to build botnets or otherwise hijack resources. Maybe the botnet threat will never materialize for the smartphone platform, because it is so limited compared to the general-purpose desktop and laptop computer. On the other hand, even if malicious security crackers are not directly targeting our smartphones yet, the ability to transfer files between a smartphone and a more general-purpose computer means that a smartphone can become an important vector for spreading viruses and other mobile malicious code.

For years, users have become more and more complacent about the obsolescence of physical media as a way to transfer mobile malicious code from one system to another, because mobile malicious code writers have specifically chosen the Internet as the attack path of choice. The growing ubiquity of always-on broadband Internet connections, combined with the increased necessity of user interaction to get mobile malicious code moved from computer to computer through physical storage media, has resulted in an explosion of mobile malicious code infections acquired over network connections, while physical media transfer of that malicious code has almost completely fallen off our radar.

The convenience of smartphones as portable data stores, perhaps ironically because that is not all that smartphones do for us, might see a return to the days when people were afraid to use a floppy to transfer files from one computer to another, with the smartphone as the "floppy" in this case.

Smartphones themselves are less tempting targets for direct attack for a number of reasons, and the lack of sufficient system resources to make it worthwhile to divert attention from developing attacks on desktop, laptop, and server systems is only one. There is also the simple fact that no smartphone has an interface that is sufficient to make it a reasonable replacement for a desktop or laptop system, for all but the very simplest of tasks. Since I acquired my first smartphone, I have used it for text-based communication quite a bit, but only in cases where it is not practical to use a laptop instead; even though I specifically chose a device with a great QWERTY keyboard (great for a smartphone, anyway), it still does not provide nearly the same ease and efficiency of use as I get from a full-size keyboard on a ThinkPad.

Email increases the effect of the limitations of the tiny keyboards on smartphones. Web browsing feels even more cramped and restrictive, thanks not only to the tiny keyboards but also the tiny screens of our smartphones. Considering the strong role played by Web browsing in giving people a reason for instant messaging -- as we use IMs to share links with each other -- this contributes at least as much to the tendency some of us have to prefer a laptop or desktop system for IMing over a smartphone as the problem of small keyboards. That may especially be the case for people who do not know how to touch type, since slower hunt-and-peck typing speeds are probably not missed as much on a smartphone.

Until smartphone resources increase significantly in both power and availability, or until their user interface capabilities improve significantly, it seems likely that the major security threat related to smartphones may be the smartphones themselves. They may increasingly become layover points for infections that target other computers, without anything much changing in how smartphones are used, but some things definitely have to change before they become a more tempting target for mobile malicious code infections and resource hijacking.

There are two other concerns where smartphone security is involved, however, that deserve special mention. The first is the danger of physical theft of a smartphone. In the late 90s, cellphone theft became something of an epidemic. With the growth of the smartphone market, devices are not only valuable in and of themselves (and subject to the market value inflation of fads, as in the case of the iPhone, the Motorola Droid, and anything bearing the name BlackBerry), but also stores of private information for their owners. I have yet to see any smartphone from any vendor whose screen-locking mechanism is worth more than a few moments' delay for a determined and technically proficient thief. The blame, of course, lies in part at the feet of the smartphone's need for convenience -- and the fact that, with the extremely limited user interfaces of these devices, convenience effectively means no security at all.

The second of these other concerns for smartphone security is something that is only gradually developing, but will become an increasingly bigger concern as time passes. People are starting to use smartphones more and more often for financial transactions, and software developers are coming up with more and more ways to specifically target smartphones as platforms for applications intended to facilitate financial transactions. Tools such as Square are starting to appear, available for both iPhone OS and Android devices, that increase the convenience of financial transactions for smartphone users to a frankly surprising degree. This new smartphone application niche may become a lucrative pseudo-cottage industry all its own, or even grow into a much bigger industry with major players on the order of eBay getting into the mix.

There is nothing wrong with the growing convenience of using a smartphone as a facilitator for financial transactions, in and of itself. The problems are with the lack of suitability these devices have, at present, for securely managing these transactions. While the applications themselves may be perfectly secure (in theory), smartphones are in effect part-owned by two entities other than the end user: the wireless service provider and the OS distributor. The latter effective part-owner can exercise varying levels of control, of course, from the truly draconian in the case of Apple's iron grip on the iPhone OS to the way Google allows third-party applications to be installed from outside of the Android Market channel, but still does not provide any way (by default) for users to access more than the most superficial capabilities of the OS itself.

The other reason that the increasing convenience of financial transactions via smartphone is a growing concern is the fact that this means such transactions will become increasingly common -- which makes the smartphone a much more tempting target for security crackers. That, alone, is a big problem, as long as more attention is not paid to effectively securing smartphones.

I will treat the security of my own smartphone with special care, and will be hesitant to place enough trust in the device to use it for high-risk activities like financial transactions. At least with a laptop, I can install the OS I want, configure it precisely the way I like (depending on the OS of course), and be reasonably sure that if there is any security issue in a financial transaction made with the laptop, it will be on the side of the other party to the transaction. I wish I could say the same about my smartphone.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

6 comments
Jaqui

Well now, with the excessively bloated Java being the most common language for apps, and Windows being the second most common platform, the security holes in smartphones are abundant, and there is little to stop them becoming the botnet drones most people let their desktop / laptop become. The scary part is that if Jobs was right in the desktop and laptop market dying off, these limited resource devices will be the ONLY area for malware to infect. So the "hardware is cheap" development model that creates the gaping holes in security will guarantee that the smartphone is even more infested than any PC.

MISDude-E

Good read from you, as always, though long with rambles. Yes, this is about the "prospects" of what could happen, but I'd like to add that upon cell phone activation all cell service providers should help the situation by doing the following: 1) Inform users on what evil doers can do and how to secure your phone. 2) Provide a means and explain how to back up data of phone to a computer or Internet web site (buzzword "the cloud"). 3) Provide a means to wipe the phone.

emekusman

I don't think smartphones are that attractive for hackers yet. I really have not been bothered about viruses on phones considering I can easily wipe and restore. About the security on smartphones, I believe the screen lock on BlackBerrys is good enough since it wipes the device after 10 wrong password entries.

santeewelding

Rambling is okay. Here, it contrasts nicely with the diminutive size of the subject.

apotheon

I do get rambly sometimes. I try to remember to be concise, but so far it's a losing battle at least some of the time. It would be nice if service providers would help ensure that users get a little security education. I'm not holding my breath waiting for that to happen, though.

apotheon

A bigger problem than being able to try over and over again is being able to bypass screen locks entirely, or being able to figure out the way to unlock the screen so it only takes one or two tries, and so on. I've seen buggy behavior where shutting down a smartphone and restarting it might cause the screen lock to reset, so one doesn't need to unlock it at all. I've also noticed that with many smartphones' unlocking pattern implementation, people leave streaks on the screen where their fingers have traveled the same path over and over again in a given day to unlock the smartphone -- thus allowing someone with half a brain to figure out the pattern in two or three tries (easily within the realm of failed attempts for a normal user who is actually supposed to know the unlocking pattern). Wiping the device after 10 failed attempts to enter the unlock pattern isn't good enough, and if you're using an actual password for which you need to use the keyboard, you're probably going to get very sick of entering that password after a few weeks of use. The sad fact is that with these tiny interfaces and no better input options than we currently have, we're unlikely to have any kind of authentication mechanism for the things that will be both effective and usable with any convenience at all. The interface has to improve before security can really improve in this case.