Tuesday, 11 January 2011

Smartphone security - reflection on InfoSecurity Press conference

I participated in a panel on the topic "Mobile and Smartphone security" at the InfoSecurity press conference in London today. My colleagues on the panel were Nigel Stanley and John Coley.

The topic of mobile and smartphone security is very interesting and has many viewpoints. I will look at some of them, though the list is not exhaustive.

Usage patterns
One could say that mobile phones, and especially smartphones, are just smaller computers. That is indeed true, with a twist. We tend to use smartphones almost like an accessory, a personal item. Many take phones to places where they would not take a PC (even a laptop) with them. That makes phones a target for criminals who want to monitor people's behaviour or even steal information that is nearby. There have been cases where the microphone was enabled remotely and real-time audio streamed to an attacker.

There is relatively little malware that targets mobile phones and smartphones, especially compared to their PC cousins. However, this is likely to change, and we can expect a big increase in malware that specifically targets smartphones. The HW and SW concept is very similar to the PC (x86 architecture), as are some of the techniques used to secure mobile phone HW and SW.
In some aspects, smartphone security can be seen as more proactive: look at mandatory digital signatures, sandboxing and limiting of accessible APIs, to name a few.

Training and awareness
In security, most problems are caused by ill-defined policies and inconsistent or non-existent awareness and training. Take, for example, data classification policies. These documents are sometimes very dry, written in high-level language and hard to apply in practical solutions.

Data security
I believe that data security is where most of the focus should be, followed by sound application and host security practices. If there is good security awareness, supported by technology that allows classification and then enforces the policy, mobile phones can be used in corporate environments. An example is MS DRM technology, which is now arriving at a network near you. Soon, it should be available on your mobile phone.

Mobile operators responsibility
Most mobile operators class themselves as a "big pipe" from smartphones to the Internet. Yet they are uniquely positioned to analyse traffic from smartphones for malware. If malware is found, quarantine the phone (limit the speed or disable the APN completely) and inform the owner of the phone. If this is happening on any network, please let me know.
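To make the operator-side idea concrete, here is an added example (not code from the original post or from any operator) that triages constructed per-subscriber flow records: it checks destinations against a constructed indicator list, looks for regular beaconing to those hosts, and maps the result to the two quarantine levels mentioned above plus an owner notification. The host names, subscriber ids, thresholds and flow records are all assumptions made for illustration.

```python
"""Operator-side malware triage over constructed smartphone flow records.

Added example, not from the original post. Assumed input: tuples of
(subscriber_id, destination_host, bytes, minute_offset). The indicator
list and thresholds are constructed placeholders, not real IoCs.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed indicator list (placeholder names, not real indicators).
KNOWN_BAD_HOSTS = {"c2.example-bad.invalid", "update.example-bad.invalid"}

# Constructed flow records: (subscriber, dest_host, bytes, minute).
SAMPLE_FLOWS = [
    ("sub-001", "mail.example.org", 12000, 0),
    ("sub-001", "c2.example-bad.invalid", 300, 5),
    ("sub-001", "c2.example-bad.invalid", 310, 10),
    ("sub-001", "c2.example-bad.invalid", 290, 15),
    ("sub-002", "news.example.org", 50000, 2),
    ("sub-002", "cdn.example.org", 800000, 3),
    ("sub-003", "mail.example.org", 9000, 0),
    ("sub-003", "cdn.example.org", 40000, 1),
    ("sub-003", "c2.example-bad.invalid", 200, 30),
]


@dataclass
class Verdict:
    subscriber: str
    reasons: list = field(default_factory=list)
    action: str = "none"  # none | throttle | disable_apn


def beaconing_hosts(flows, min_hits=3, max_jitter=2):
    """Hosts contacted at least min_hits times at near-regular intervals.

    flows: iterable of (host, minute). Regularity is judged by the spread
    between the largest and smallest gap between successive contacts.
    """
    by_host = defaultdict(list)
    for host, minute in flows:
        by_host[host].append(minute)
    regular = set()
    for host, minutes in by_host.items():
        if len(minutes) < min_hits:
            continue
        minutes.sort()
        gaps = [b - a for a, b in zip(minutes, minutes[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            regular.add(host)
    return regular


def triage(flow_records, bad_hosts=KNOWN_BAD_HOSTS):
    """Return {subscriber: Verdict} for every subscriber seen in the records."""
    per_sub = defaultdict(list)
    for sub, host, _nbytes, minute in flow_records:
        per_sub[sub].append((host, minute))

    verdicts = {}
    for sub, flows in per_sub.items():
        verdict = Verdict(sub)
        hits = {host for host, _ in flows if host in bad_hosts}
        beacons = beaconing_hosts(flows)
        if hits:
            verdict.reasons.append(f"contacted blocklisted host(s): {sorted(hits)}")
        if beacons:
            verdict.reasons.append(f"regular beaconing to: {sorted(beacons)}")
        # Strongest quarantine only when a known-bad host is also being
        # beaconed to; a single contact gets the lighter throttle response.
        if hits & beacons:
            verdict.action = "disable_apn"
        elif hits:
            verdict.action = "throttle"
        verdicts[sub] = verdict
    return verdicts


def quarantine_plan(verdicts):
    """Actionable list: quarantine level per flagged subscriber, owner always notified."""
    return [
        {"subscriber": sub, "action": v.action, "notify_owner": True, "reasons": v.reasons}
        for sub, v in sorted(verdicts.items())
        if v.action != "none"
    ]


if __name__ == "__main__":
    for entry in quarantine_plan(triage(SAMPLE_FLOWS)):
        print(entry)
```

Beaconing to a host that is not on the indicator list is recorded as a reason but does not by itself trigger quarantine, since many legitimate apps poll on a fixed schedule; in practice the throttle-versus-disable decision would also weigh how confident the threat feed is in the indicator.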

Finally, mobile phone vendors and app store operators should take more responsibility for making sure that the platform and the applications in the app stores are programmed without vulnerabilities and do not act as malware. For example, if I program a game and plant malware in it to extract details from the phone's address book, that is a very unusual operation for a game to perform.
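The address-book example suggests one cheap vetting check an app store could run before publishing: compare what an app asks for against what its declared category normally needs. Below is an added example (not code from the original post or from any app store) of that check; the category baselines, capability names and sample manifests are constructed assumptions.

```python
"""Category-versus-capability mismatch check for app-store vetting.

Added example, not from the original post. The baselines, capability
names and manifests below are constructed for illustration only.
"""

# Constructed baseline: capabilities one would expect for each category.
EXPECTED_CAPABILITIES = {
    "game": {"network", "vibrate", "storage"},
    "messaging": {"network", "contacts", "sms", "storage"},
    "navigation": {"network", "location"},
}

# Capabilities that touch personal data; unexpected use warrants a human look.
SENSITIVE = {"contacts", "sms", "location", "microphone", "call_log"}

# Constructed manifests in a simplified, assumed format.
SAMPLE_MANIFESTS = [
    {"name": "puzzle-game", "category": "game",
     "capabilities": ["network", "vibrate", "contacts"]},
    {"name": "chat-app", "category": "messaging",
     "capabilities": ["network", "contacts", "sms"]},
    {"name": "maps-lite", "category": "navigation",
     "capabilities": ["network", "location", "storage"]},
]


def review_manifest(manifest):
    """Return (verdict, unexpected capabilities) for one manifest.

    verdict is "manual_review" when a sensitive capability falls outside
    the category baseline (a game reading contacts), "note" when only
    non-sensitive extras are requested, and "pass" otherwise.
    """
    baseline = EXPECTED_CAPABILITIES.get(manifest["category"], set())
    unexpected = set(manifest["capabilities"]) - baseline
    sensitive_unexpected = unexpected & SENSITIVE
    if sensitive_unexpected:
        return "manual_review", sorted(sensitive_unexpected)
    if unexpected:
        return "note", sorted(unexpected)
    return "pass", []


def review_all(manifests):
    """Map app name to its review result."""
    return {m["name"]: review_manifest(m) for m in manifests}


if __name__ == "__main__":
    for name, (verdict, extras) in review_all(SAMPLE_MANIFESTS).items():
        print(f"{name}: {verdict} {extras}")
```

A declared-capability check only catches what the manifest admits to; it complements, rather than replaces, behavioural testing of the submitted binary, which is where a game that reads the address book through an undeclared path would have to be caught.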