Yankee Group Blog


Recently I’ve been asked by several publications to comment about mobile security, and more specifically about the security issues that we are seeing on smart mobile devices. Jim Finkle at Reuters did a nice job rounding up the usual suspects in a widely-circulated article that I recommend highly. In it, he quotes Symantec COO Enrique Salem (a smart cookie) and McAfee’s CEO Dave DeWalt (someone I have not met, but who is also said to be a smart cookie). He also solicited some insightful comments from Mark Rasch, a cyber-security lawyer I haven’t met, but whose SecurityFocus columns I have been reading and enjoying for years. I contributed my own little soundbite, which attempted to put things in perspective. All of these parties have interesting things to say, but a multi-interviewee story like Jim’s cannot give you the True Yankee Perspective. So here it is.

Our take on “mobile security” has always been contrarian, and different from that voiced by the most popular interview subjects, namely security vendors. That camp’s position, grossly simplified, is this:

  • Computers, particularly the Windows operating system, have long had a “malware problem.”
  • Mobile phones are increasingly taking on computer-like features
  • Because mobile phones are like computers, they will soon have malware too
  • And because everyone has a phone, everyone will soon have malware

The general point is that endpoint security vendors see mobile phones as just another endpoint that will obviously have the same issues as other platforms they provide products for. In other words: mobile phone security is an adjacent market that they can safely expand into, because we all know that the problem space is the same, right? Right?

Elementary enough on its surface, the logic breaks down under casual scrutiny. The logical flaws remind Yankee Group of the old Woody Allen syllogism from Love and Death: A) Socrates is a man. B) All men are mortal. C) Therefore, all men are Socrates.

My folksy-philosopher dad likes to say that the old saying “seeing is believing” works in reverse, too. In other words: if you believe that a mobile malware maelstrom is approaching, you will see storm clouds everywhere.

Even when the storm clouds are just vapor.

Now, I won’t deny that certain mobile platforms (for example, Symbian) have had some problems with mobile malware. Most security analysts who follow the mobile world are well aware that there are many variants of CommWarrior and Skulls circulating out there. And yes, we know that Bluetooth auto-discovery could well allow phones to be hijacked at close range. Thank you, Sophos, for staging a media event that demonstrated this. Brilliant and well done. We also know that some end-users will be frustrated and occasionally tricked by SMS messages they receive from fraudsters. But misdirection and mischief (social engineering) are not the same thing as malware.

Where I part company with the vendors is the notion that somehow the mobile malware maelstrom is inevitable. Yankee Group has long maintained a consistent position on the coming mobile malware epidemic: there won’t be one. Breathless predictions of impending maladies — regularly recited by sellers of miracle tonics — cannot disguise the fact that the necessary preconditions for pervasive mobile malware do not exist, and never will. Here’s why the tonic-sellers’ logic is fatally flawed:

  • Mobiles don’t have a monoculture operating system. Symbian, Windows Mobile, Android, iPhone and RIM all have significant shares, and we won’t see any of them gain more than 50% of the market.
  • Malware has no obvious mass-infection vector. Short-range, rifle-shot Bluetooth promiscuities don’t count.
  • Less-open operating environments. Most of the smartphone OSes (Symbian, iPhone, RIM for starters) require some form of digital signature to run a third-party application. This provides an audit trail, and gives the OS vendor (or carrier) an opportunity to revoke the certificate if the app misbehaves. I happen to like Apple’s model, because there’s one certificate issuer and thus one point of accountability. No, rogue apps run in jailbroken phones don’t count because they won’t be substantial.

None of these inconvenient facts seem to trouble security vendors too much, and every few months Yankee hears about another mobile security product launch. But mobile anti-malware software isn’t selling. John Thompson (Symantec CEO) more or less admitted it at this year’s Vision conference in Las Vegas, where he said that substantial investments in mobile security software weren’t a very good use of shareholder money. Hats off to JWT for telling the truth.

Setting the record straight on mobile security means talking straight about what is actually needed, and what is just hype. Enterprises certainly need the ability to remotely kill devices that have been stolen or lost. And certain kinds of mobile phones will probably also need encryption to keep sensitive contents safe from casual prying eyes. But on-board anti-malware software to prevent phones from contracting hypothetical future maladies? As Mike Rothman might say, “not so much.”

3 Responses to “Setting the Record Straight on Mobile Security”

Hi Andrew,

Nice post summing up the current state - but I think you’re not completely listening to the security vendors. They all know that for malware to become a serious issue in the mobile phone market, you will need a convergence of operating systems. If you take a look around you, you’ll see this:

1. Nokia bought Symbian - further emphasizing the fact that the vast majority of future Nokia phones will be Symbian-based (one OS, with many different versions…).
2. The iPhone is becoming more and more popular with people who can actually get hurt by malware (mobile workers). The iPhone has a single, Unix-based, OS which can be easily targeted (see JailBreak).
3. Windows Mobile is getting more and more popular.
4. Linux-based OSes (such as Android) are now reaching the market as well.

As a person who had to code for multiple target platforms in the past (whether they are OSes, browsers, etc), I can tell you we will soon see malware that is able to overcome these obstacles and be able to infect phones of different OSes.

I suggest taking this issue a bit more seriously…

yoni


please correct the dead link to the “widely-circulated article”.

thx, airflow


Yoni –

You are right. I am not completely listening to the security vendors — it would be an occupational hazard if I did. And yes, many of the thoughtful people I speak to at some of those companies, indeed, realize that phone OS convergence is needed for mobile malware to become a problem. They also realize that because convergence hasn’t happened, there isn’t a mobile malware problem today. But that dose of reality hasn’t reached their marketing and PR departments, who continue to make all sorts of dire predictions to try to scare people into buying mobile anti-malware software they don’t need.

Your points 1-4 about the mobile phone operating systems are accurate. However, taken together, these do not point to convergence. The emergence of Android and other Linux-based OSes will add to heterogeneity, not subtract from it. Indeed, you are making my point for me.

Finally, I do not fully agree with your claim that multi-platform malware is coming to mobile phones. Certainly not at the binary level, anyway. It’s hard enough to do with desktop OSes, and I don’t see how mobile phones, with their smaller and less capable platform APIs, and (very) different processor instruction sets, make this easier. So I reject the notion that malware will be able to infect multiple phone OSes simultaneously with the same binary.

More to the point, even if it were possible, it’s not worth the effort for attackers to go the multi-platform malware route for mobile operating systems. That is because there are much easier ways to make money than by writing malicious binaries that infect phones.

Which brings me to a point on which we can agree, sort of. “Cross-platform” attacks will be possible via the phone’s web browser, in the sense that attackers will serve up fake web pages to mount phishing or other kinds of social engineering attacks. At that point, though, we are not talking about “attacks on mobile phones” or “mobile malware” — we are talking about attacks on people. These are far easier to mount, and also likely to be more successful.

But again, exploiting human failings as they surf the web, via their phone’s web browser, is not a “mobile malware” issue. It’s a social engineering issue. And users can solve that problem without spending any money at all. I probably should have made this point — that there are cheaper ways to make money than by writing “mobile malware” — more forcefully in my post.

