Your Smartphone Is Safer Than Your PC — For Now 125
snydeq writes "InfoWorld's Galen Gruman reports on the future of mobile security — one that will see a significant rise in exploits as valuable information increasingly migrates to mobile devices. To date, sandboxing and code-signing have helped make mobile OSes relatively secure, when compared with their desktop brethren. But as devices store more valuable information than email, they will become more enticing to hackers currently breaking into Windows PCs. And the biggest bulls-eye appears to be on Android, in large part because its architecture is most like that of the desktop PC but also because there are so many variants in use — too many for Google or the carriers to patch securely. And as the PDF-jailbreak vulnerability showed, sandboxing has its limits when it comes to securing the browser — the most likely point of entry for exploits not due to the rise of extensions, helper objects, and plug-ins on the mobile Web."
Are variants a bad thing? (Score:5, Insightful)
So if an exploit occurs it will likely only affect some handsets as opposed to every handset.
Example: iPhone (Score:0, Insightful)
And the first ones out of the gate will be easy (Score:4, Insightful)
Android less secure? (Score:5, Insightful)
Windows is an easy target because it's a huge badly-secured monoculture. How does having several different versions of Android to attack make it similarly insecure?
Re:Android less secure? (Score:5, Insightful)
The mistake of letting users interact with them. Users are the number one security flaw in any system.
Re:Irrelevant to me (Score:2, Insightful)
Agreed. I'd love to see someone hack into my $10 Alcatel.
Re:Are variants a bad thing? (Score:5, Insightful)
But the scary news stories will omit that little detail.
Re:Are variants a bad thing? (Score:4, Insightful)
So we'll all be depending on multiple carriers' good patching practices, to make sure the patch for foolib-1.2.3-r4 gets pushed to all their Frobnitz Model 200 phones that they released two years ago and have since deprecated and replaced with Model 201, 220, 240, and 250, now with more shiny (but everyone still gets them because they're free with a new contract.) And by the way, it's going to be on your data bill. Call me pessimistic, but I don't think it'll happen in a timely fashion when someone discovers a vulnerability.
Crackers compete over who can own the most boxes just so they can have bragging rights. Oh look, such-and-such group disabled e911 for 20,000 people, why hasn't OUR group done that yet? We'd better do something even bigger so we can be elite again. Someone will find the loose rivet in the armor, and it'll be like a colonial land grab for a few months until the patch gets distributed.
Re:And the first ones out of the gate will be easy (Score:5, Insightful)
People have been saying this about the Mac for a decade now, too. I'm glad I didn't hold my breath waiting for this supposed apocalyptic day of comeuppance...
Re:This is why I prefer my BB (Score:3, Insightful)
Windows is the single worst thing out there.
Or more likely, your simply inept [charlespetzold.com].
Ah ... the irony!
Re:Are variants a bad thing? (Score:4, Insightful)
It's already happened on Android. Manufacturers are out making their latest rev and they ignore the bugfiles to their current line of phones. Or they do and pass it onto the carriers who may or may not force an update. Of course, if said update will remove things like root and custom ROMs, they'll probably push it.
But phones getting abandoned at whatever Android version they shipped with are already happening - I think the early Samsung phones were promised 2.0, but ended up with 1.6 only with an official letter. And others are stuck with 2.1 with no upgrade to 2.2. The only good part is these phones often are early models and easy to root and recover, so unofficial ROMs exist. But later ones may not be so lucky.
Really, the only Android phone that's not under carrier control is the Nexus One, which gets updates straight from Google. The wierd thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone.
Google's big enough, let's see it happen and end all this Android loaded with crapware stuff.
Re:Android less secure? (Score:2, Insightful)
The mistake of letting users interact with them. Users are the number one security flaw in any system.
No, this is a myth perpetuated by second-rate programmers and system administrators to cover up their own incompetence.
The number one security flaw is incompetent programmers and administrators not designing their systems for their target audience.
e.g. Putting executable content into documents by default when it is almost always not needed or wanted. It's not rocket science.
---
Anonymous commercial speech = fraud
Re:Are variants a bad thing? (Score:4, Insightful)
Re:And the first ones out of the gate will be easy (Score:2, Insightful)
And it hasn't been because of some great security model either - there has been now for weeks an iOS exploit that if you open a correctly formed (or rather malformed) PDF it silently roots your phone and installs any software it wants on your phone. It has access to *everything*. You can not tell me that is "good security". The Mac isn't any better either.
It hasn't been an issue for one of several reasons.
One is that no one had taken advantage of it beyond jail breaking phones. One needs to think through the implications of *that level* of an exploit out in the wild for this long and it not being taken advantage of. There is no *technical* reason why it couldn't this day be used to send your e-mail, browser history, all forms your fill out, pretty much everything you do to someone and unless you monitored your traffic and only used your own wifi would you know for certain. For the most part I think the macs have been in this category - if you are going to spend that effort it is better spent elsewhere.
Next is that exploits do not make news unless they are large enough. Windows exploits are often scripts that almost anyone can run and almost anyone does. iOS ones are more likely going to be one off custom scripts that may gather 10000 credit card numbers - unless someone has an anti-apple leaning (or anti-android if it happens on that platform - nothing remotely Apple centric here) it just isn't news. If I were to guess - and I think I'm more correct than not - there are a number of malformed PDF's out there that do just that. There just aren't any that propagate themselves through e-mail to everyone in your users list and thus make the news.
Lastly - and most unlikely - is that there is some conspiracy to silence it. Too many places out there that can say it for this to be true.
Ultimately there is going to be a major worm or virus out there for one of the main hand helds - RIM, Google, or Apple. They are becoming too much a general purpose machine. Whichever one gets it first will loose a great deal of market share for a while while the other two crow about how wonderful they are. They aren't and never have been. Android is more open to attacks on older phones, Apple more open to attacks on all their phones, and RIM is somewhere in between. Apple and RIM can probably handle it quicker but you are more bound to them deciding it is worth fixing and doing so. Lastly what the OP said is true - Apple and RIM users often seem to think they are immune to this. Both phones have some fairly major exploits that have happened and went further than they should because of this.
Such is life in our industry - number of known bugs, number of known exploits, and number of exploited users are irrelevant when talking about how secure a system is. There is a saying: security through obscurity isn't security. This has certain logical implications - one of those is that not being secure means you have a lot of *known* bugs (thus not obscure). It also implies (but doesn't logically prove) that just because you haven't had one means you are secure - it means there are MANY other factors there.
Were I to bet I would say Android will get the first followed closely by Apple simply because they are the two big players in the consumer market (corporate being fairly locked down) and the fact that there are more older Android out there means more known issues. Though given how Apple has responded to the PDF remote exploit I wouldn't give much more than even odds on it either. There have been more than a few truly serious exploits on Apple systems go out that were either never exploited (and you can supply your own reason for this given the length of time a number of these exploits remained live) or were not generally reported on. You response when one takes the whole PDF remote exploit into account more or less validates with the OP was saying - that I left my alarm off, all the doors and windows open on my house, and I put a big sign in yard that told people of this fact yet I wasn't robbed doesn't mean I was secure. That you think you are is *exactly* what he/she was posting about.