In our world of corporate security where the threats are constant, most IT pros and administrators would not consider giving a computer to an employee without locking it down. Login systems, antivirus, network protection, and more provide a security-in-depth approach that is the norm for corporate life. Antivirus companies provide extensive suites to secure computers, networks, servers and more, with a central point of control. But what about smartphones? As iPhone and Android devices have become more and more popular, employees no longer consider their company-issued or BYOD phones to be just communication devices. Now, they use those phones to read email attachments, download documents, and even VPN inside the corporate firewall. So it’s no wonder that we often hear of the potential for security problems. Is it time to install antivirus software on smartphones?
Before answering this question, it’s important to understand how modern smartphones work, and how their model differs from that of a typical computer. On a normal system, a program has the ability to access all system resources. All the unprotected RAM, hard drive content, and more can be read, unless it’s specifically locked down. So if an employee downloads malicious software, either because they were tricked, or because they went to a web page using a browser that wasn’t fully patched yet, then that software can read keystrokes, scan the hard drive for useful file types, and then send that data back through the network. Recent versions of Windows, such as Vista and 7, have UAC, which helps mitigate this, but we all know it doesn’t stop everything.
Modern smartphone platforms like iOS and Android don’t work like that. Instead, each app is given its own work environment, and is unable to access other apps’ data. Think of it as running every single application in its own VM. This, by itself, is a huge security improvement, and means that no malicious software can do much harm by simply being installed. Then, at least in the case of iOS, there’s the additional benefit that any app must be downloaded from the App Store, and is vetted against potential problems. In the case of Android, Google introduced “Bouncer” to help scan for problem apps, but it’s not foolproof.
So right away, the potential for trouble from a single app is fairly limited. But it also means that there’s not much an antivirus could do either. Any antivirus software you install on a phone would not be able to scan any other app, or any data used by those apps. There is antivirus software out there for iOS and Android, but unless you jailbreak or root your device, its abilities are limited. For example, VirusBarrier is a $2.99 iOS antivirus available in the App Store. But it doesn’t actively scan anything, because it can’t. Instead, if you want to scan an email attachment, you have to send it off to the app from within Mail. This makes the process fairly annoying, and is of minimal use. On Android there are more active scanners such as Avast! Mobile Security, where you can set up daily or weekly scans, but again, some of its functions only work on rooted phones.
Besides, right now there hasn’t been any real virus on modern smartphones. Instead, the threat is usually different. What we’ve seen are apps that can read and transmit information from the phone. There have been cases where rogue Android apps managed to get into the Market and would read all your contacts, sending them off to a third party. Other apps would start sending SMS messages to a foreign address in the hope of running up your bill. So far, we haven’t seen much malware that would somehow manage to read confidential data from other apps; however, the threats are always evolving, as in this report, “Remote-controlled Android malware stealing banking credentials” by ZDNet’s Ryan Naraine.
So what exactly should you do when it comes to phone security? There are many functions you can turn on, such as having a lock screen, making sure the device is erased after a certain number of attempts to guess the passcode, and having the ability to track and remotely erase devices. All of these features are now available on any modern platform, and are the kind of things any IT administrator can implement.
Now, we’re starting to see corporate security suites implement various smartphone-related features as well. For example, if someone VPNs into the network using a smartphone, the model can be checked to see that it supports security features, and blocked if it doesn’t. So right now my recommendation is to not worry about trying to get antivirus software to run on the phones themselves. Not only is it barely effective, but like any background process, it takes up valuable battery life and resources. Instead, if you have very sensitive documents, don’t allow them to be used on a smartphone. Implement the already-existing security features that come with any good smartphone, and you’ll be in good shape.