With the growing popularity of smartphones, people are beginning to speculate about whether there will be an explosion of security issues in the near future. When will the storm of viruses appear? When will smartphones — relatively low-power by the standards of personal computers, but online pretty much all the time — become a platform of choice for botnet nodes?
Some security experts are skeptical of the idea that smartphones will ever be much of a target for malicious security crackers looking to build botnets or otherwise hijack resources. Maybe the botnet threat will never materialize for the smartphone platform, because it is so limited compared to the general-purpose desktop and laptop computer. On the other hand, even if malicious security crackers are not directly targeting our smartphones yet, the ability to transfer files between a smartphone and a more general-purpose computer means that a smartphone can become an important vector for spreading viruses and other mobile malicious code.
For years, users have become more and more complacent about the obsolescence of physical media as a way to transfer mobile malicious code from one system to another, because mobile malicious code writers have specifically chosen the Internet as the attack path of choice. The growing ubiquity of always-on broadband Internet connections, combined with the increased necessity of user interaction to get mobile malicious code moved from computer to computer through physical storage media, has resulted in an explosion of mobile malicious code infections acquired over network connections, while physical media transfer of that malicious code has almost completely fallen off our radar.
The convenience of smartphones as portable data stores, perhaps ironically because that is not all that smartphones do for us, might see a return to the days when people were afraid to use a floppy to transfer files from one computer to another, with the smartphone as the “floppy” in this case.
Smartphones themselves are less tempting targets for direct attack for a number of reasons, and the lack of sufficient system resources to make it worthwhile to divert attention from developing attacks on desktop, laptop, and server systems is only one. There is also the simple fact that no smartphone has an interface that is sufficient to make it a reasonable replacement for a desktop or laptop system, for all but the very simplest of tasks. Since I acquired my first smartphone, I have used it for text-based communication quite a bit, but only in cases where it is not practical to use a laptop instead; even though I specifically chose a device with a great QWERTY keyboard (great for a smartphone, anyway), it still does not provide nearly the same ease and efficiency of use as I get from a full-size keyboard on a ThinkPad.
Email increases the effect of the limitations of the tiny keyboards on smartphones. Web browsing feels even more cramped and restrictive, thanks not only to the tiny keyboards but also the tiny screens of our smartphones. Considering the strong role played by Web browsing in giving people a reason for instant messaging — as we use IMs to share links with each other — this contributes at least as much to the tendency some of us have to prefer a laptop or desktop system for IMing over a smartphone as the problem of small keyboards. That may especially be the case for people who do not know how to touch type, since slower hunt-and-peck typing speeds are probably not missed as much on a smartphone.
Until smartphone resources increase significantly in both power and availability, or until their user interface capabilities improve significantly, it seems likely that the major security threat related to smartphones may be the smartphones themselves. They may increasingly become layover points for infections that target other computers, without anything much changing in how smartphones are used, but some things definitely have to change before they become a more tempting target for mobile malicious code infections and resource hijacking.
There are two other concerns where smartphone security is involved, however, that deserve special mention. The first is the danger of physical theft of a smartphone. In the late 90s, cellphone theft became something of an epidemic. With the growth of the smartphone market, devices are not only valuable in and of themselves (and subject to the market value inflation of fads, as in the case of the iPhone, the Motorola Droid, and anything bearing the name BlackBerry), but also stores of private information for their owners. I have yet to see any smartphone from any vendor whose screen-locking mechanism is worth more than a few moments’ delay for a determined and technically proficient thief. The blame, of course, lies in part at the feet of the smartphone’s need for convenience — and the fact that, with the extremely limited user interfaces of these devices, convenience effectively means no security at all.
The second of these other concerns for smartphone security is something that is only gradually developing, but will become an increasingly big concern as time passes. People are starting to use smartphones more and more often for financial transactions, and software developers are coming up with more and more ways to specifically target smartphones as platforms for applications intended to facilitate financial transactions. Tools such as Square are starting to appear, available for both iPhone OS and Android devices, that increase the convenience of financial transactions for smartphone users to a frankly surprising degree. This new smartphone application niche may become a lucrative pseudo-cottage industry all its own, or even grow into a much bigger industry with major players on the order of eBay getting into the mix.
There is nothing wrong with the growing convenience of using a smartphone as a facilitator for financial transactions, in and of itself. The problems are with the lack of suitability these devices have, at present, for securely managing these transactions. While the applications themselves may be perfectly secure (in theory), smartphones are in effect part-owned by two entities other than the end user: the wireless service provider and the OS distributor. The latter effective part-owner can exercise varying levels of control, of course, from the truly draconian in the case of Apple’s iron grip on the iPhone OS to the way Google allows third-party applications to be installed from outside of the Android Market channel, but still does not provide any way (by default) for users to access more than the most superficial capabilities of the OS itself.
The other reason that the increasing convenience of financial transactions via smartphone is a growing concern is the fact that this means such transactions will become increasingly common — which makes the smartphone a much more tempting target for security crackers. That, alone, is a big problem, as long as more attention is not paid to effectively securing smartphones.
I will treat the security of my own smartphone with special care, and will be hesitant to place enough trust in the device to use it for high-risk activities like financial transactions. At least with a laptop, I can install the OS I want, configure it precisely the way I like (depending on the OS of course), and be reasonably sure that if there is any security issue in a financial transaction made with the laptop, it will be on the side of the other party to the transaction. I wish I could say the same about my smartphone.