Application Malware is a Security Threat for Smartphones
The number of smartphone units sold worldwide is increasing every day. There are valid reasons that justify the exponential sales figures -- smartphones are more intuitive and encourage mobility at a degree users have never experienced before. You will hardly find a corporate employee today who is not busy checking and replying to e-mails on his phone or performing other functions that previously required him to be sitting in front of his office PC or lugging around a notebook.
As a direct result of this, the mobile application market has grown almost uncontrollably with millions of people downloading applications for all purposes. As always the good brings with it the bad. So while some apps aid you by sending your position to a remote server to provide you with guidance using the GPS on your phone or by using the location of mobile cells, some others modify their behavior in the name of ‘intuitive intelligence’ without notifying the operator or you [the end user] by granting themselves more permissions than they were legally signed for. And this brings us to the main point of this story -- security on smartphones.
The advent of open operating systems for mobile devices allows independent developers to upload and publish their applications for users to download promotes rich and compelling applications for end customers. However, this also provides an almost unguarded gateway for malicious software or malware to be injected in to the network, causing harm to both operator and user.
Of course, mobile malware has not caused a major disaster till date besides a few functionality issues. The ‘KBlock’ virus which hit the networks in the first half of 2009 replaced all system applications with non-functional versions rendering the phone useless, and the ‘Enoriv’ released late 2009, silently sent text messages to premium numbers without the user’s approval or knowledge.
With the increase in dependence on smartphones to perform critical financial transactions and enterprise-centric functions, the plausibility of a major identity and data theft through mobile applications does not seem far fetched.
A majority of smartphones in the market today run in the Symbian operating system. The security procedures for applications developed by Symbian are fairly elaborate. A Symbian application developer goes through a serious vetting procedures that requires him to provide identification details and use a credit card for the registration process before uploading an application. The uploaded code is further tested by a third party and then made available for users to download. In spite of this, in 2008 a Spanish hacker found a way to bypass the security model, theoretically allowing an unsigned application full access to a phone running on the S60 Platform.
Currently, the Symbian security model is considered to be the most secure. Serious flaws in the ‘Apple Developer Program’ and lack of any vetting procedure in Google’s mobile application development system have often been identified and criticized. It will probably take a massive attack on users for operators to take a hard look at beefing up their OS' security. Until then, if you have your heart set on buying Nexus One of iPhone 4G, drop a note to the makers encouraging them to make tested digital certification and efficient vetting norms the industry standard. Then buy the phone and get an antivirus installed to control the operating system.