Your Smartphone Is Safer Than Your PC — For Now 125
snydeq writes "InfoWorld's Galen Gruman reports on the future of mobile security — one that will see a significant rise in exploits as valuable information increasingly migrates to mobile devices. To date, sandboxing and code-signing have helped make mobile OSes relatively secure, when compared with their desktop brethren. But as devices store more valuable information than email, they will become more enticing to hackers currently breaking into Windows PCs. And the biggest bulls-eye appears to be on Android, in large part because its architecture is most like that of the desktop PC but also because there are so many variants in use — too many for Google or the carriers to patch securely. And as the PDF-jailbreak vulnerability showed, sandboxing has its limits when it comes to securing the browser — the most likely point of entry for exploits not due to the rise of extensions, helper objects, and plug-ins on the mobile Web."
Re: (Score:2)
What about anti-wizard software?
Re: (Score:3, Funny)
Re: (Score:2)
Wouldn't that void my warranty?
Re: (Score:2)
Only if you roll a natural 1.
Re: (Score:2)
Irrelevant to me (Score:5, Funny)
I have a stupid phone.
Re: (Score:2, Insightful)
Agreed. I'd love to see someone hack into my $10 Alcatel.
Re: (Score:2, Funny)
Give me your phone and an axe, and I'll show you. :-)
Re: (Score:2)
Ummm what if you are with an axe and demand the phone and the password? Maybe we are not considering some oldschool attacks :D
Re:Irrelevant to me (Score:4, Funny)
Your bank account is 42910-44937
You really shouldn't like to your girlfriend like that
And call your mother more often.
-The NSA
Re: (Score:1, Funny)
Surveillance flatters me. My narcissism knows no bounds.
Re:Irrelevant to me (Score:4, Informative)
your girlfriend
You know this is Slashdot, right?
Re: (Score:2)
not only did I screw up on that, but I typo'd 'lie' as 'like'!
Re: (Score:1)
Re: (Score:1)
Well, there is always the secure option. (Score:1)
This is why I prefer my BB (Score:1, Interesting)
Re: (Score:2)
Like the article says, Android is becoming a big target these days and yet no one has found any significant exploits to its security model. Everything that I've read seems to think that it is as bulletproof as a modern, complex OS can be. That isn't to say that there won't be the occasional flaw but it is almost certainly orders of magnitude more secure than a certain piece of software that runs on a few billion computers around the world (including, I suspect, the majority of Slashdotters).
Re: (Score:3, Interesting)
The problem with all of this nonsense is that there seems to be the implicit
assumption that Windows is the yardstick. Windows is the single worst thing
out there. Even all of the other desktop OSen are much less of the problem.
Clearly the dividing line isn't "desktop OS' versus 'mobile OS'.
They are really more alike then they are different.
So it used to be "PCs are bad, flee to Macs and you will be safe".
Instead now it's "PCs are bad, flee to iPods and you will be safe".
Re: (Score:3, Funny)
my iPod nano's never had a virus, a worm or a trojan, but a Greek dude with a bad cold did sneeze on it once.
Re: (Score:1)
http://www.pcworld.com/article/127565/ipod_virus_fallout.html [pcworld.com]
Re: (Score:1, Troll)
Windows is the single worst thing out there.
Or more likely, your simply inept [charlespetzold.com].
Re: (Score:3, Insightful)
Windows is the single worst thing out there.
Or more likely, your simply inept [charlespetzold.com].
Ah ... the irony!
Are variants a bad thing? (Score:5, Insightful)
So if an exploit occurs it will likely only affect some handsets as opposed to every handset.
Re:Are variants a bad thing? (Score:5, Insightful)
But the scary news stories will omit that little detail.
Re:Are variants a bad thing? (Score:4, Insightful)
Re: (Score:1)
Re: (Score:2, Flamebait)
And the biggest bulls-eye appears to be on Android, in large part because its architecture is most like that of the desktop PC but also because there are so many variants in use -- too many for Google or the carriers to patch securely.
So if an exploit occurs it will likely only affect some handsets as opposed to every handset.
And if a fix is created, it will only be applied to some handsets as opposed to every handset.
Re: (Score:2)
Well, DUH! That's because not every handset will need it.
Re: (Score:3)
And if a fix is created, it will only be applied to some handsets as opposed to every handset.
Well, DUH! That's because not every handset will need it.
But not every handset that needs it will get it, which is the whole premise of this article.
Re:Are variants a bad thing? (Score:4, Insightful)
So we'll all be depending on multiple carriers' good patching practices, to make sure the patch for foolib-1.2.3-r4 gets pushed to all their Frobnitz Model 200 phones that they released two years ago and have since deprecated and replaced with Model 201, 220, 240, and 250, now with more shiny (but everyone still gets them because they're free with a new contract.) And by the way, it's going to be on your data bill. Call me pessimistic, but I don't think it'll happen in a timely fashion when someone discovers a vulnerability.
Crackers compete over who can own the most boxes just so they can have bragging rights. Oh look, such-and-such group disabled e911 for 20,000 people, why hasn't OUR group done that yet? We'd better do something even bigger so we can be elite again. Someone will find the loose rivet in the armor, and it'll be like a colonial land grab for a few months until the patch gets distributed.
Re: (Score:2)
Man, am I glad that I got a Nexus One. This kind of thing is the reason that Google pushed to get people to buy phones separate from the carriers. Too bad the carriers are too strong.
Re: (Score:2)
Re: (Score:2)
Look at T-Mobile: http://www.t-mobile.com/shop/plans/Cell-Phone-Plans.aspx?catgroup=Individual&WT.z_shop_plansLP=individual [t-mobile.com]
The Even More Plus plans mean you buy the phone, and then pay the service at a lower rate.
Re: (Score:2)
Look at T-Mobile
Has T-Mobile fixed the lack of coverage that it had a few years ago? And with the Nexus One officially out of stock at Google.com [google.com] and not available from T-Mobile [t-mobile.com], where would a non-developer buy one?
Re: (Score:2)
As for coverage, it depends. I used it for work for a couple years and got service in every city I went to consult in, as well as through most of Alaska. Their 3G and general coverage isn't great across the whole of the US, but it's great in most metro-ish areas.
You can buy most any phone that T-Mobile offers outright instead of leased, as far as I know. The Nexus One was just a failed Google experiment. You can also buy various other phones unlocked online.
Re: (Score:2)
Re: (Score:1)
( if you can get it), and be more secure (patchwise and services wise) than those
'upstream carriers' ?
unlimited access is nice for adding features or doing different things with them
so for locking down the (purpose-specific) system-util for better security on your OWN.
Re: (Score:2)
build a cross platform compiler
Why would you need to do that?
Re: (Score:1)
Re: (Score:2)
Most likely Google will throw the kill switch and the offending app gets purged from devices.
Assuming the malware didn't get root access, of course. If the user does allow it through su, all bets are off.
Re:Are variants a bad thing? (Score:4, Insightful)
It's already happened on Android. Manufacturers are out making their latest rev and they ignore the bugfiles to their current line of phones. Or they do and pass it onto the carriers who may or may not force an update. Of course, if said update will remove things like root and custom ROMs, they'll probably push it.
But phones getting abandoned at whatever Android version they shipped with are already happening - I think the early Samsung phones were promised 2.0, but ended up with 1.6 only with an official letter. And others are stuck with 2.1 with no upgrade to 2.2. The only good part is these phones often are early models and easy to root and recover, so unofficial ROMs exist. But later ones may not be so lucky.
Really, the only Android phone that's not under carrier control is the Nexus One, which gets updates straight from Google. The wierd thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone.
Google's big enough, let's see it happen and end all this Android loaded with crapware stuff.
Re:Are variants a bad thing? (Score:4, Informative)
The wierd thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone.
Because Android is an open platform. The carriers take Android, mold it to fit their needs, and put it on their phones. Google, or rather the Open Handset Alliance, doesn't have any say on it. That's how carriers can get away with modifying the source of the Hotspot app to only work if the customer pays extra.
This is the downside to GPLv2. The Tivoization loophole means that carriers can do this, release the source, and you still can't (necessarily) modify the source and put it on your phone.
Google started taking steps to address some of this by moving more of their apps to the app store, but you still have issues with system libraries and the kernel. Without root, an app can't update these.
Re: (Score:2)
Open handset or not, Google does make approvals for their platform which is the only way that their own 'proprietary' apps like market and maps get shipped to phones.
Re: (Score:2)
Re: (Score:2, Interesting)
"The wierd thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone."
Partly because it isn't that easy - these things are often using custom drivers or require custom kernels to run. Yea, some of it is junk but much of it isn't. How are they going to update a bug in Motorola's GPS driver? Or even *why* would they? Lets face it if you had a custom bit of hardware that you had a linux driver on would li
Re: (Score:2, Funny)
Send it flowers or candy instead and you might get lucky...
And the first ones out of the gate will be easy (Score:4, Insightful)
Re:And the first ones out of the gate will be easy (Score:5, Insightful)
People have been saying this about the Mac for a decade now, too. I'm glad I didn't hold my breath waiting for this supposed apocalyptic day of comeuppance...
Re:And the first ones out of the gate will be easy (Score:5, Funny)
The real reason is that malware authors cannot afford Macs :)
Re: (Score:2)
Less threats, sure. But far from completely secure.
Re: (Score:1, Troll)
*cough* sure [iantivirus.com]*cough*
Sounds like you're coming down with something there PC.
Less threats, sure. But far from completely secure.
Please quote where I said Macs are "completely secure".
That list you linked to is bogus. There are no viruses for Mac OS X AT ALL. And there are only a handful of actual trojans/malware, none of which is widespread, and none of which is of the level of concern where a Mac user should feel compelled to run anti-virus/anti-malware software.
If this is your idea of Mac's comeuppance, you're really stretching it.
Re: (Score:2)
I wish you held your breath waiting for the supposed day where there were enough Mac's to make that apocalyptic day viable.
Re: (Score:2, Insightful)
And it hasn't been because of some great security model either - there has been now for weeks an iOS exploit that if you open a correctly formed (or rather malformed) PDF it silently roots your phone and installs any software it wants on your phone. It has access to *everything*. You can not tell me that is "good security". The Mac isn't any better either.
It hasn't been an issue for one of several reasons.
One is that no one had taken advantage of it beyond jail breaking phones. One needs to think through th
Re: (Score:2)
It's worse than that. There are some people who are actually upset with Apple for fixing this security flaw.
Re: (Score:2)
Does that little fact really matter when someone's phone is still compromised once all is said and done? And couldn't a trojan open the door to viruses and rootkits?
Android less secure? (Score:5, Insightful)
Windows is an easy target because it's a huge badly-secured monoculture. How does having several different versions of Android to attack make it similarly insecure?
Re: (Score:2)
Re: (Score:3, Interesting)
I don't think it makes it more insecure so much as harder to close the holes. Handset vendors and carriers, for a long time, have worked with devices that generally could not be exploited in such a fashion, and probably don't have any means of getting such fixes out to their users within an acceptable time frame.
Re: (Score:2)
...what I want to know are what are these similar mistakes that Android or PhoneOS is supposed to be making?
HELL: what similar mistakes are Linux, Solaris, MacOS and FreeBSD supposed to be making?
Re:Android less secure? (Score:5, Insightful)
The mistake of letting users interact with them. Users are the number one security flaw in any system.
Re: (Score:3, Funny)
The mistake of letting users interact with them. Users are the number one security flaw in any system.
Sure, a daemon would say that, wouldn't it?
Re: (Score:2)
Replying to undo incorrect moderation...
Re: (Score:1, Offtopic)
Usually when I mess up my moderation, I try to play it off by overusing some already overused /. meme.
For instance, in this situation, I would have posted something along the lines of 'I, for one, welcome our security-flaw-noticing daemon overlords.'
Re: (Score:2)
The root of the problem: people make really crappy users. Robots and animals are a far better choice.
Re: (Score:2)
Re: (Score:2, Insightful)
The mistake of letting users interact with them. Users are the number one security flaw in any system.
No, this is a myth perpetuated by second-rate programmers and system administrators to cover up their own incompetence.
The number one security flaw is incompetent programmers and administrators not designing their systems for their target audience.
e.g. Putting executable content into documents by default when it is almost always not needed or wanted. It's not rocket science.
---
Anonymous commercial speech
Re: (Score:2)
The "mistake" that non-Windows platforms make is the fact that developers on that platform actually value what they are developing on. There isn't any of that on Windows, and Windows devs feel free to crap where they sleep.
Platform loyalty is important. Not many programmers on Windows would go out of their way to deal with the latest worm or Trojan (unless it fattened their wallets, of course), but on other platforms, almost everyone would ensure that it would be stopped. Mac devs don't like viruses (esp
Re: (Score:2)
Marketing (Score:4, Interesting)
Personally I think this is complete nonsense. Android runs on a lot of devices - soon to be added is the Toshiba AC100 netbook, so it will run on everything from entry level phones to small computers - which involves numerous changes in UI arising from optimisation and features. But the underlying architecture should make it possible to ensure that things are properly partitioned to give a robust security model, and Google isn't exactly short of brainpower. I suspect that just as we had the Microsoft trolls trying to minimise reports of Windows security issues, here we have Apple trolls trying to find narratives to attack Android.
And no, I don't use Android.
Re: (Score:2)
Devil's (or more exactly Apple's) advocate here:
From a QA perspective, having eight devices to have to test on (four iPhones, iPad, iPad 3G, two iPod Touch models) is a lot easier than checking to see if your device works with different displays, resolutions keyboards, trackballs (physical and virtual), status lights, cameras, and so on.
One mistake on your Android app, and your app's review status starts going deep in a hole with tons of "Force closes on the Blarf, refunded." on the Marketplace review sheet
Re: (Score:2)
Re: (Score:2)
Re:Android less secure? (Score:4, Interesting)
Windows is a high value target, which was once crippled by it's backwards compatability with DOS and low skilled userbase. Microsoft, whatever their flaws, have some properly clever people and serious vested interest in addressing this problem, and they've finally put out a release that is fairly secure out of the box and somewhat usable - while still providing fairly timely security patches for a 10 year old release. Which is why the most serious threats are now coming from widely deployed software from less responsible companies (Adobe).
Android is the exact opposite. Very few smartphone manufacturers care enough to issue regular updates for their phones, especially once you get outside of the US market. Even on the US market, most smartphones have had exactly one update: from 1.5/1.6 to 2.0/2.1 usually. No monthly security updates, and nothing at all for obsolete phones over 12 months old. You'd better hope that nobody else has the time to look at your phone that your carrier has forgotten about.
Re: (Score:1)
"the most serious threats are now coming from widely deployed software from less responsible companies (Adobe)."
FAR less responsible...
Insecure (Score:1)
Yes, if a large portion of those version are old, with known exploits, and unpatched...
Any less secure than other phones? Maybe not compared to some, though Apple is actually fairly "pushy" when it comes to the "there's a new update for your phone/itunes/whatever" thing.
What pisses me off is companies like Motorola. My phone has known bugs with known fixes, but since it's a Milestone and not a Droid, I can't upgrade the firmware myself, and they've yet to have an NA release date for Droid 2.2. Eventually, I
Re: (Score:2)
Re: (Score:2, Troll)
it [Windows] is more secure than any other operating system
Um...
Prime example, in 2006 Mac OS X had 3 known viruses written for it
Wrong. There are *no* viruses for Mac OS X. There are a handful of trojans, none of which are even remotely wide-spread (even adjusting for OS X's relative install base) and all of which require the user to enter in their admin password (a huge governor which helps limit the rate at which malware can spread).
Snow Leopard has antivirus embedded in the OS
Wrong. Snow Leopard checks for a handful of trojans/malware. There are no viruses for Mac OS X. Embedding anti-virus would be pointless, unless you just want to be nice and scan for Windows viruses
Re: (Score:2)
Though Linux is not exactly visible on consumer PC's, it still runs on the majority of servers around the world.. targets you'd normally count as even more attractive as they are connected 24/7 and not even hidden behind NAT's, presenting a wide and valuable targeting space. Your argument is invalid, come up with something that is founded on some real data please.
Re: (Score:2)
Re: (Score:2)
I've read lots of books. I've also been using Windows since 1995 and granted while it's not the disaster it once was it's still more of a mess than it needs to be. Mac OS is a shit example. It's still not a tenth of the target Windows is even though it now has a tenth of the market.
Re: (Score:2)
According to TFS, Android is the most like the desktop PC. Now I was under the impression from my Mac fanboi friends that the iPhone runs OS X with only a different GUI -- either they're wrong, or the proposed justification for why Android is less secure than iOS is wrong...
First, iOS is a variant of OS X, but with all the software signed, vetted(weakly), and in sandboxes as a requirement. Those are all optional and used for a small subset of software on the desktop version of OS X. By analogy, both the NSA document portal (running SELinux and strictly maintained) and my former company's remote development wiki are running Linux. That doesn't mean the OS is the important factor as to whether they are both secure or not.
The way Android handsets are most similar to security plag
Wrong (Score:2)
it's almost like we did a complete reboot (Score:2)
The PC was invented before the internet and the security model was set up to allow everyone to do almost anything
the smart phone was made for the internet and manufacturers seem to be locking them down. completely opposite of the PC
Re: (Score:1)
Except you're being put in the position of an unprivileged user even if you buy the device outright, and the carrier/handset vendor is retaining the position of "system admin" and treating you like a potential hostile.
I wouldn't mind if, like the Nexus One or N900, you could assume root via a few non-trivial but non-PITA steps, but they seem determined to force you to exploit your own prope
Re: (Score:3)
I am particularly hostile: because I cant login as root! I also want to open a terminal window and SSH into my servers.
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Re: (Score:2)
Smart phones came from dumb cell phones. Appliances that you had no control over. If anything, Cell Phones are going the way of the open architecture. Give 5-10 years and we'll probably have the same environment for development as we do for PC's. This is amplified by the fact that there's so much competition right now to get developers onto their platforms. The more you entice them, the easier you need to make the system to development on. Short-sided market driven decisions in OS and API design can cause l
Intel buying mcafree (Score:1)
Re: (Score:2)
Tech media has no clue about true security (Score:3, Interesting)
I keep hearing a lot of theories about security from the tech media like they know security. The problem is that security is a great way to scare up hits and freak people out so it's useful to write articles pandering in one direction or another, but there's rarely any true science to the articles, no figures, no statistics, no hard examples. This is because all that is boring and doesn't get hits, but it's what it takes to truly determine what is and what is not secure. Nothing is 100% secure, but then again we have this false sense of how architectures and security work. It's just BS.
This is the same kind of argument about how pundits spread the myth Macs are not any more secure than windows because hackers aren't targeting it. There's no evidence to back that statement up, and there's no evidence that Android less secure just because there are various flavors. In fact that can make it harder because one hack might not work on multiple flavors. That's even one of Androids problems now, that it's sometimes difficult to get a single app to work on multiple Android OS devices. You could then posit that the iPhone is easier to hack because the OS is so similar and the number of iOS devices in the wild is much higher than Android. But that's BS too because the iPhone is such a locked down system that in order to install anything you have to go thru the iTunes app store gatekeepers. The other way in is thru Safari, but that's really the only other way, and well now we know the security of Safari is BS because of that hole that they found in iOS 4 they used for jailbreaking. But compared to windows and compared to each other, which of these has had more critical vulnerabilities? The article gives me nothing.
Despite all this positing, it comes down to number of hacks, and what the hacks are. I could not truly begin to tell you which handhelds are more secure than others because no one, including this article, has any facts. The article eludes to "security circles" but who knows who those people are.
I think we should ban security articles from Slashdot unless they have a certain level of scientific statistics or hardcore evidence. Most articles about computer security on slashdot are not news for nerds, they are news for "platform fanboi weenies who want to start a flame war about which platform is more secure."
Re: (Score:2)
My old palm phone is the most secure handheld in existence... at least once I ran it over with my motorcycle. =\
One print page for InfoWorld article. (Score:3, Informative)
http://infoworld.com/print/135570 [infoworld.com] ... You're welcome! :)
iOS is probably more like the desktop than Android (Score:1)
"And the biggest bulls-eye appears to be on Android, in large part because its architecture is most like that of the desktop PC"
This seems like a very dubious claim to me. From my perspective, iOS seems much more similar in architecture to the desktop than Android.
iOS apps are native compiled, written in dialect of a language that is famous for buffer overruns (C), and the userland is a modified version of a desktop operating system.
Android, while also based on a desktop OS (Linux) at the kernel level, has
Re: (Score:2)
To me as well.
But not for this reason. Android has a lot in common with Linux desktops, far more then IOS has in common with OSX desktops but unlike OSX, Linux does not make serious security concessions for "Just Working".
But what will ultimately decide what platform will be targeted will be two factors. First the ease of finding an exploitable vulnerability, in this
I don't think so, Tim... (Score:1)
I don't see my phone (Android) having that problem. The only thing I foresee happening realistically any time soon is by means of social engineering, as opposed to other methods.