Should You Worry About Smartphone Security?
Every industry involves four main parties. There are, most obviously consumers and manufacturers. There are also those who provide services or supplies to the manufactures, or produce peripheral products that work in tandem with the original product. Finally, there are the watchdogs, keeping tabs. Watchdogs are usually either government regulators or third party nonprofits.
IBM predicts rising mobile threats, critical infrastructure attacks in 2011.
As reported by BoingBoing, former Google Android security framework engineer Chris Palmer, who is now technology director of the nonprofit Electronic Frontier Foundation, addresses the risks posed by mobile operating system manufacturers’ lax approach to security:
“Mobile systems lag far behind the established industry standard for open disclosure about problems and regular patch distribution. For example, Google has never made an announcement to its android-security-announce mailing list, although of course they have released many patches to resolve many security problems, just like any OS vendor. But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements…
Android is hardly the only mobile security offender. Apple tends to ship patches for terrible bugs very late. For example, iOS 4.2 (shipped in early December 2010) contains fixes for remotely exploitable flaws such as this FreeType bug that were several months old at the time of patch release. To ship important patches so late is below the standard set by Microsoft and Ubuntu, who are usually (though not always) much more timely. (For example, Ubuntu shipped a patch for CVE-2010-2805 in mid-August, more than three months before Apple.)”
Other industry leaders disagree. CIO.com’s Bill Snyder has stated:
“I was sitting in the middle of one of the most security conscious crowds you’d ever come across—about 200 computer security professionals listening to a high-powered panel on mobile security threats at the RSA Conference in San Francisco last week. And you’d think that after nearly 90 minutes of discussion, I’d leave the room all a twitter (pardon the pun) and scared that my iPhone was about to go rogue. Not at all. In fact, I left feeling a lot more relaxed about the security of my smartphone, and a little more skeptical about the barrage of hacker warnings to which we’ve all been subjected.”
Ed Amoroso, chief security officer of AT&T, said:
“Day-to-day mobile threats haven’t (yet) caused much harm.”
Ian Robertson, security research manager for BlackBerry developers Research in Motion, said:
“I can count on one hand the pieces of (mobile) malware I’ve seen installed.”
And quoted in NPRs All Things Considered is Paul Smocer, who is in charge of technology at the banking trade group The Financial Services Roundtable:
“I have begun to use mobile banking myself, yes. We haven’t seen a whole lot of malicious software yet. Part of that relates to the fact that there are so many different manufacturers and operating systems in the mobile world. But part of it, I think, is also to do with the fact that this is a relatively new environment, and unfortunately, crime follows growth.”
The truth, of course, lies in the middle. While the mobile security industry isn’t exactly under siege, there is clearly more work to be done. It’s smart to invest in antivirus protection for your mobile phone, keep its operating system updated, and be cognizant of how you use you phone, so that you can avoid putting your data at risk.
Robert Siciliano is a personal security expert contributor to Just Ask Gemalto. (Disclosures)