Galen Gruman
Executive Editor for Global Content

Security: The Grinch of mobile technology

analysis
Dec 10, 2010 · 5 mins

Users could do stupid things on their mobile devices -- so shall we hide in our offices and await doom?

Mobile devices such as the iPad and the Android smartphones have excited individuals and businesses alike with all the wonderful possibilities they bring for communication, entertainment, and productivity. Of course, the mobile security firms are now pissing on the mobile parade, employing their usual techniques of creating fear, uncertainty, and doubt to sell products.

Turning a positive into a negative is an essential sales technique for such firms. Maybe I shouldn’t have been surprised to see Symantec’s warning that workers would take their smartphones and iPads with them for the holidays and do work on them — a generous gift from employees to their employers for what is supposed to be time off from work.

If it’s popular, it must be risky

In Symantec’s view, of course, this is a risk: By working from mobile devices over the holidays, employees will cause harm, letting untold evil into the corporate systems. I guess we’ll all have to carry our work laptops to Christmas dinner. Never mind that few laptops are as secure as mobile devices. Businesses that insist mobile devices have on-device encryption often don’t require that laptops have the same level of protection, even though laptops typically have much more sensitive data on them. Or maybe we’ll all actually not work on the holidays. (Fat chance, I know.)

As off-putting as I find the security vendors’ glee in casting doubts about anything good, there are of course security risks in mobile, as there are with everything. The issue is what those risks are.

Thus, I asked Symantec mobile product manager Khoi Nguyen what the actual threats are and how prevalent they are. I came away unconvinced there are serious mobile security risks from the stuff that Symantec wants to sell products for: malware. There simply is little of it, perhaps because of the fragmentation of mobile platforms and the fact that organized crime is finding pickings from Windows users too rich and easy to be bothered (yet) to go after mobile users.

It’s also ironic that Symantec offers endpoint security software for just two essentially dead mobile platforms: Windows Mobile and Nokia Symbian. Apple won’t allow such security software, one industry analyst tells me, but if the threat is so significant, it’s surprising that Symantec doesn’t have an offering for BlackBerry or Android devices — especially Android, whose app store is unmanaged and could be a swamp of malware masquerading as legitimate apps. Oh, wait — Symantec is working on an Android product.

Phishing is the real threat, though users know better

Still, one insight that Nguyen shared did concern me. Mobile users are treating security on their smartphones the same way they treated security on their early PCs: very naively. It’s nice to see such bright-eyed enthusiasm, but also disconcerting to discover that people who know not to open attachments on their PCs’ email open links on SMS messages from strangers. It shows they haven’t understood the essential element that information networks are inherently dangerous, not just Internet-connected PCs.

That kind of phishing attack is where the majority of actual threats exist in mobile devices: People open a link to buy a ringtone from a stranger, who then bilks them out of hundreds of dollars through their carrier’s billing system. Or people install a free app recommended by such a message, only to see their contacts list raided to send phishing attacks to all their friends and colleagues. Nguyen says this kind of attack happens mainly in Asia, where people routinely download pirated software from questionable sources on their PCs and are willing to do the same on mobile, and in Europe, where SMS-delivered phishing attacks had been a problem a few years back.

The United States so far has avoided such problems, though it’s not clear why, given that the criminals behind such attacks act globally. We may have Apple to thank. The concept of SMS as a transaction system — popular in Europe, Africa, and Asia — never really took off in the United States, where SMS is used mainly for text messages. Instead, Apple’s iPhone got U.S. users to go to an official app store instead, rather than rely on random sites. Almost every other mobile platform has followed suit.

Although it’s not clear how much security vetting they do, the fact that they are central stores means that the platform vendors — Apple, Palm/Hewlett-Packard, Microsoft, Nokia, and Research in Motion — take at least some responsibility for such attacks. When Apple’s App Store was hacked and user information was compromised, Apple acted. Carriers routinely reimburse customers bilked through the carrier billing systems — it’s the same model as the credit card companies covering fraud and theft.

Note that Google is not in that list: The Android Market is a free-for-all, either unregulated or lightly regulated by Google. As Nguyen notes, the Android Market could be a significant venue for malware, spyware, and phishing attacks. If any mobile platform needs endpoint security, it’s Android.

Tell the Grinch to take a hike

As the holiday season approaches, enjoy your days. Don’t let the security Grinch get you down or cause you to reduce the many benefits of a mobile workforce. The cranky Grinch clearly needs its own holiday time off.

If you must work over the holidays, by all means use whatever device is convenient for you, assuming it meets your company’s security and access requirements. If you manage security, don’t get bummed out about users’ enthusiasm for mobile devices. You may have to deal with the consequences of phishing attacks, but doing so is essentially the same as handling malware campaigns from corporate and personal PCs: by using in-the-network tools that examine all traffic, no matter what device was the initial conduit.

This article, “Security: The Grinch of mobile technology,” was originally published at InfoWorld.com.