Judging from the crowded shelves of mobile security software, you’d think that there’s been an explosion in smart phone threats. Not exactly. According to a recent survey by PhoneFactor IT, only 16.6 percent of IT professionals surveyed said they considered mobile malware to be the greatest threat (nearly a third give desktop threats precedence). SMobile Systems, a company whose security software is tailored for mobile devices, reports that the rate of infection for its customers is only 1 in 63.
These numbers, while not alarming, indicate phone security should be taken seriously.
Should You Be Afraid?
Mobile threats are out there and becoming more prominent, but in the U.S. they’re hardly commonplace. Even the companies that sell mobile security software are quick to clarify that while there is malware for phones, it’s not as big a security risk as leaving your phone in a taxi.
Sean Sullivan, a security advisor who specializes in smart phones for F-Secure, says that while trojans and worms are growing problems in markets such as Europe, Americans don’t have much to worry about on that front—yet. “If you think about the PC side six years ago, that’s where we are with mobile phones now, except with mobile phones there’s a wider variety of platforms,” he said. “It won’t evolve as quickly as with PCs.”
Daniel Hoffman, executive vice president and chief technology officer at SMobile Systems, agrees that malware isn’t the biggest threat facing users. But he argues that the threats created for phones are likely to be particularly dangerous. Such threats include spyware that allows calls, e-mails, and text messages to be intercepted.
Hoffman also pointed out that users might be more susceptible to phishing attacks on mobile browsers, if only because less sophisticated smart phones render Web pages in a simplistic way. This can make it more difficult to tell a legitimate site from a phony one.
However malicious the threats are by design, Carl Howe, director of Anywhere Consumer research for the Yankee Group, agrees they’re few enough in number for the carriers to manage. “To date, we have not seen evidence that it’s a significant challenge for most phone platforms or on most carrier networks,” he said. “It’s really more theoretical than reality.”
Sizing Up the Platforms
Analysts agree every OS is vulnerable, albeit some more than others. According to Howe, the BlackBerry OS—while not perfect—is the least penetrable, while Android is one of the most porous.
“[Android] is all open source: anybody can get access to anything if they work hard enough at it,” he said.
Howe added that BlackBerry has another leg up on security: Only an authorized person (an IT manager, for example) can remotely wipe the device. iPhone users can do this themselves, a policy that Howe believes leaves the phone more vulnerable.
Not all mobile browsers are created equal, either. Although many, including those native to Android, the iPhone, and Palm webOS, are built on the WebKit architecture, each platform implements it differently. For instance, F-Secure’s Sullivan notes that the iPhone’s Safari browser truncates links (meaning you might see ellipses in the middle of a long URL where characters should be), which can make phishers’ jobs easier.
But SMobile’s Hoffman says people overestimate BlackBerry’s security. “When people think about all the security around BlackBerry, it’s really around the BlackBerry Enterprise Server, even though most devices are not managed by them,” he said. “And the BlackBerry Enterprise Server isn’t really about security; it’s about limiting what you can do with the device.”
In the end, all mobile platforms might be safer than the desktop, because most employ some form of sandboxing, a kind of quarantine that keeps malware contained. “They don’t let code go out and wander around the phone,” Howe said.
Your Own Worst Enemy
While most U.S. smart phone users don’t have to lose sleep over trojans and other malware, Howe and other security experts say users are still likely to reveal sensitive data stored on their phones—and mostly through their own fault. According to Howe, hundreds of thousands of people leave their phones in cabs every year.
F-Secure’s Sullivan said the problem is that we rely too heavily on apps which keep us logged into our e-mail accounts, social networking profiles, and a host of other services. “It’s very easy to pick up the device, tap on the e-mail account, and boom—you’re in their primary e-mail account,” he said. “They don’t realize putting [the phone] down to get a cup of coffee somewhere [means] they’ve given other people keys to the kingdom.”
The obvious solution is common sense. Create a passkey for your phone, and use the settings to adjust how much idle time passes before it locks. Purchasing an extra layer of security can also allow you to remotely lock and wipe your device, but before you plunk down any money, you might be best off simply using common sense.
According to SMobile’s Hoffman, users’ indiscretion—everything from loudly reciting a social security number on a public phone call to letting passersby peek at on-screen text—can pose a security threat. In addition to keeping your voice down in public, he recommends investing in a shield for your smart phone’s screen.
Mobile attacks are real, and no smart phone platform is completely impenetrable. The good news? The odds of getting hit by a mobile worm or trojan are fairly low. The bad news? The chances that your phone will get lost or stolen, exposing your sensitive data to the world, are incredibly high. Even if you take the risk of mobile malware, spyware, and viruses with a grain of salt, consider investing in additional security software to make it easier to remotely back up, lock, and wipe your device.