Symantec just released a whitepaper titled "A Window Into Mobile Device Security" examining the security risks that surround iOS and Android mobile devices in the enterprise market. Some key conclusions:
- While offering improved security over traditional desktop-based operating systems, both iOS and Android are still vulnerable to many existing categories of attacks.
- iOS’s security model offers strong protection against traditional malware, primarily due to Apple’s rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers.
- Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today’s increasing volume of Android-specific malware.
- Users of both Android and iOS devices regularly synchronize their devices with third-party cloud services (e.g., web-based calendars) and with their home desktop computers. This can potentially expose sensitive enterprise data stored on these devices to systems outside the governance of the enterprise.
- So-called “jailbroken” devices, or devices whose security has been disabled, offer attractive targets for attackers since these devices are every bit as vulnerable as traditional PCs.
As we enter a world where the smartphone is on the ascent and rapidly replacing the desktop for a number of enterprise and consumer applications, the bad guys will start pointing their guns there as well. Apple's Macs were relatively safer than Microsoft Windows PCs simply because the cost/benefit of targeting Macs made no sense in the past. Once Macs became more popular, the malware purveyors started targeting them as well. Most Man-in-the-Middle attacks target PCs, but a new generation of malware has started to emerge, and the mobile variant is often referred to as Man-in-the-Phone (also known as Man-in-the-Mobile or MitMo attacks). Android malware such as Droid Kung Fu started to populate many of the Android application stores, and other applications that "stole" username/password credentials even managed to pass the strict Apple App Store process. Of course, there are also other ways of hijacking mobile platforms, such as exploiting zero-day vulnerabilities and browser poisoning.
The very success of smartphones will make them a juicier target for malware authors and hackers, even if they are relatively more secure now, as Symantec argues. Just don't get carried away with a false sense of security: that is precisely the mindset that allows hackers to successfully fire their salvos.