Mobile Security’s Future: 4 Expert Predictions
Despite gloomy predictions, the amount of malicious software affecting mobile devices today is minuscule, primarily because mobile app stores act as a first line of defense against such programs. Also, criminals have not seen massive potential for profit on the devices–yet.
“The bad guys care about money, like credit-card information,” says Charlie Miller, principal consultant with security compliance firm Accuvant. “Phones are full of personal contacts and embarrassing stuff, but not things that are easily monetized.”
The lack of obvious ways to profit from hacking phones has left them fairly free of attack. Yet that is likely to change, which means that users will not be able to rely solely on app stores to protect them. Here are four predictions for the future of mobile security.
1. More Alluring Means More Threats
Miller says certain characteristics of smartphones have dissuaded criminals from focusing on attacking the devices: smartphones have not historically accounted for a large share of the mobile market, that market is split among a handful of platforms, and the data on the phones has never been that valuable.
Each of those points is now changing, and that means that workers and consumers can expect their phones to be targeted, he says.
“As more people put sensitive data on their phones or use their phones to do sensitive things, like banking or shopping online, then slowly the malware authors and cybercriminal-type guys are going to go after the devices,” says Miller, who successfully compromised an iPhone 4 at this year’s Pwn2Own competition at CanSecWest. “Smartphones are a little more locked down than PCs, but the bad guys will be able to exploit them.”
The introduction of a number of digital wallet programs that allow users to pay for goods using their phones is likely to attract more attention from criminals, he says.
The code review carried out by Apple before an app is published eliminates many threats to that company’s iPhones and iPads. Even without pre-publication review, Google’s Android Market, the store for Google’s open-source Android platform, can quickly pull malicious apps and remotely remove them from users’ devices. Yet mobile-device users should not merely rely on the software ecosystem to keep malware off their phones, Miller adds. Even though Google has the ability to remove malware from a phone, the program could still do irreversible damage in the short time before it is removed.
“While you don’t have to worry about the [malicious] app being there forever, the bad thing is that someone might have all your data, at that point,” he says.
2. Work Separates From Play
William Enck, an assistant professor at North Carolina State University, says another major change in the way people interact with their phones will be the introduction of ways to separate work applications and data from a person’s personal data and programs. Enck co-authored a paper presented at the USENIX Security Conference on Android security.
“You are running business software on this phone on which you are doing personal stuff as well–that’s a concern for companies,” Enck says. “There is a need for providing systems to create some separation between the apps you are running personally, and the apps you are running for business.”
While some consumers will only want one instance of some programs, such as the address book, other programs have specific business functions. Virtual private networking software, data viewers and visualizers that handle corporate data, and collaboration software could all be run in a separate virtual instance on the device to protect the applications and data from unauthorized use, he says.
“Phones may, in the future, have the ability to give certain guarantees of confidentiality for certain data, while allowing other applications to interact as necessary,” Enck says.
RIM’s BlackBerry Balance separates the personal and work aspects of a phone. VMware has teamed up with LG to sell a smartphone with two virtual instances on it–one for business use and another for personal use. VMware has broader plans for mobile, as well.
3. Patching Becomes Quicker
Tim Vidas, an Android researcher at Carnegie Mellon University, notes that the chain of software suppliers for most smartphones is a long one. Once a vulnerability is spotted, the fix has to be written by the developer, added to the latest Android operating system by Google, recompiled into the manufacturer’s version of the firmware, and checked by the carrier. In all, it can take months, if not years, for a security patch to reach the user’s phone.
Patches have to come faster, so as not to leave phones vulnerable to attack via known flaws, says Vidas, a PhD student in the department of electrical and computer engineering at the university.
“You could differentiate the patch cycles for security versus features,” Vidas says. “Then, when Google makes a security patch available, that could go directly to the phone.”
Google has not commented on its plans to speed patching, except that it is working with handset makers and carriers on the issues. Apple is moving to over-the-air updates in iOS 5, which will increase the likelihood that a patch will actually be installed on a user’s phone.
Until then, mobile device management companies will have to find ways to protect the phone even if a patch is not available.
4. Location Tracking Does More
While location-based services have become common for mapping applications and some advertising services, they also may start becoming a way to automate security.
Wiping a phone that is lost or missing is only the most basic version of this capability. Some mobile-device management and wireless-security applications can change which applications can use the Internet based on whether an employee is in the office or at home. Stock brokers on the trading floor, for example, would not be able to use social-networking applications.
“We want them to have full functionality when they are in their home or in the parking lot, but when they are in the company, we don’t want any third party that has a footprint on the device to listen in,” says Tom Kellermann, chief technology officer of wireless security firm AirPatrol. “We can triangulate the specific location of a device and push that information to be acted on by various other services and software.”
Paired with the increasing ability of mobile devices to segment work and personal data, these applications could prove even more helpful to enterprises.
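The location-based application policy described in this section, as an added illustration that is not AirPatrol’s or any vendor’s code. It assumes a hypothetical MDM agent that receives a device position as latitude, longitude and an accuracy radius in meters, plus a policy made up of circular geofences that each name the apps denied network access inside them. The office coordinates, fence radii and app names are constructed sample data. The one design choice worth noting is that the check fails closed: if the device’s uncertainty circle overlaps a fence at all, the restrictive policy applies. This only helps when the position comes from infrastructure-side triangulation, as in the quote above; a fix reported by the device itself can be spoofed to “leave” the fence, so a self-reported location should never be the sole input to a blocking decision.

```python
"""Geofence-driven per-app network policy (added example, not vendor code).

Assumed (hypothetical) inputs: a device Fix from a positioning system and a
list of Geofence policy entries. Distances use the haversine formula on a
spherical earth, which is accurate to well under 1% at these scales.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    """A device position as reported by the positioning system (assumed API)."""
    lat: float
    lon: float
    accuracy_m: float  # radius of the reported uncertainty circle


@dataclass(frozen=True)
class Geofence:
    """A circular zone and the apps denied network access inside it."""
    name: str
    lat: float
    lon: float
    radius_m: float
    blocked_apps: frozenset


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in meters between two WGS84-style coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside(fix: Fix, fence: Geofence) -> bool:
    """Fail closed: the device counts as inside the fence when any part of
    its uncertainty circle overlaps the fence, not only its center point."""
    d = haversine_m(fix.lat, fix.lon, fence.lat, fence.lon)
    return d - fix.accuracy_m <= fence.radius_m


def allowed_apps(fix: Fix, fences: list, installed: list) -> list:
    """Return the installed apps still permitted network access at this fix.
    Restrictions from every overlapping fence are unioned together."""
    blocked = set()
    for fence in fences:
        if inside(fix, fence):
            blocked |= fence.blocked_apps
    return sorted(app for app in installed if app not in blocked)


# Constructed sample policy: a 150 m fence around an office in Manhattan
# where social-networking apps must not reach the Internet.
OFFICE = Geofence(
    name="trading-floor",
    lat=40.7580, lon=-73.9855, radius_m=150.0,
    blocked_apps=frozenset({"twitter", "facebook"}),
)
POLICY = [OFFICE]
INSTALLED = ["mail", "twitter", "facebook", "vpn"]

# Constructed fixes: at the office; ~200 m north with a tight fix; ~200 m
# north with a loose (100 m) fix whose uncertainty overlaps the fence.
AT_DESK = Fix(40.7580, -73.9855, accuracy_m=10.0)
DOWN_THE_STREET = Fix(40.7598, -73.9855, accuracy_m=10.0)
DOWN_THE_STREET_FUZZY = Fix(40.7598, -73.9855, accuracy_m=100.0)


def demo() -> dict:
    """Evaluate the sample policy against each constructed fix."""
    return {
        "at_desk": allowed_apps(AT_DESK, POLICY, INSTALLED),
        "down_the_street": allowed_apps(DOWN_THE_STREET, POLICY, INSTALLED),
        "down_the_street_fuzzy": allowed_apps(DOWN_THE_STREET_FUZZY, POLICY, INSTALLED),
    }


if __name__ == "__main__":
    for label, apps in demo().items():
        print(f"{label:>22}: {apps}")
```

With the sample data, the tight fix 200 m away unblocks the social apps, while the loose fix at the same point keeps them blocked because its 100 m uncertainty circle still reaches into the fence. Pairing this with a separate work persona, as in the previous prediction, lets the policy apply only to the managed side of the device.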
Security pros weigh in on major trends that will change the way enterprises handle mobile threats, such as separate personal and work spaces on devices and faster patching.
By Rob Lemos, InformationWeek
September 28, 2011