Updated 2/23/2012 5:25:33 PM ET

This is the seventh article in a series about the future of digital security.

Thanks partly to Google's arguably haphazard security model, mobile malware writers have spent the past year attacking the Android platform while largely ignoring Apple's iOS, Research In Motion's BlackBerry and Microsoft's Windows Phone 7.

But Android security is starting to improve. Will we soon see more attacks on the other platforms, or will Android continue on its course toward becoming the Windows XP of this decade — widely used and just as widely attacked?

"If you look across the popular platforms, there's not a huge difference in the fundamental [operating system] security," said Nicko van Someren, chief technology officer at Good Technology, a mobile security provider based in Sunnyvale, Calif.

The real difference among the four modern platforms is market share, and the pattern of attacks has so far followed that. Android made up 53 percent of worldwide smartphone sales between January and October 2011, with Apple a distant second at 29 percent, according to market research firm NPD. It's not hard to see which OS a hacker will code for if his goal is to reach as many potential victims as possible.

Popular platforms get a lot of man-hours devoted to them, and open-source ones such as Android come with a huge knowledge base as well.

"A lot of [Android] exploits were ported over from Linux," said Jimmy Shah, mobile security researcher at Santa Clara, Calif.-based McAfee.

The increasing sophistication of phones also means there will be many more vulnerabilities.

"Before, the phones were just windows to the Internet," Shah said. "There wasn't much to attack."

Even the mobile version of the fearsome Zeus banking Trojan is basically an SMS forwarding program that depends on the PC-based version to do the heavy lifting. But as hackers get better at figuring out what smartphones can do, malware targeting them will get more sophisticated.

The Android disadvantage

Yet popularity isn't the only factor determining which platforms get attacked. There's still a big difference between Android and iOS when one considers how apps are vetted before release — or not.

Since the iPhone was introduced in mid-2007, Apple has had teams in place whose full-time job it is to make sure iOS apps don't do anything that violates Apple company guidelines. They may reject apps that are otherwise legitimate, but it's been very hard for a malicious hacker to slip something through.

Google, on the other hand, has always let anyone who can pay $25 for a developer license write Android apps. (The first Android phone came out in late 2008.) Anyone can put any app into the official Android Market, and until recently, it was up to users to alert Google that certain apps might be misbehaving.

On Feb. 2, Google unveiled a service called Bouncer, scanning software that is meant to prevent malicious apps from staying long in the Android Market. But the jury is still out on how effective it is. Bouncer also doesn't solve Android's confusing permissions model, in which average users are expected to understand technical details and procedures as they install apps.

"When you go to the Android Market and download, say, an animal-matching memory game, it asks for a load of permissions," van Someren said. "Apple simply doesn't allow that kind of flexibility in the [application program interfaces] they make available."

Nor does Bouncer do anything to clean up the dozens of "off-road" Android app bazaars, mostly aimed at the Chinese-language market, where pirated, cloned and sometimes malware-ridden apps are sold and downloaded in a Wild West free-for-all. Until Google takes even more control over the security of Android, it may continue to have a serious problem with malicious apps.

Not entirely flawless

Even so, it's best for iOS users to not get too complacent. A sufficiently clever hacker could still design an iOS app that gets past Apple's vetting process.

Accuvant security researcher Charlie Miller did just that in November 2011, writing an app that bypassed Apple's restrictions against downloading and running post-installation code that can change a benign app to a malicious one — and getting it approved and placed in the iTunes App Store.

Miller knows much more about iOS than the average hacker, and Apple quickly fixed the loophole he exploited, but his proof-of-concept app showed that every system is vulnerable. And as Apple's iOS solidifies its market share, especially in rich countries, the situation may only get worse.

"Attackers always come up with new techniques," said Shah. "As iOS becomes a bigger target, it becomes more feasible."

For the best security, try a BlackBerry

While no system is inherently more secure than any other, there's also a difference in the kind of attacks your smartphone is likely to get depending on its OS.

For example, BlackBerry devices have been relatively safe from certain kinds of attacks partly because, ironically, the BlackBerry has been until recently a less sophisticated device. The target market was businesspeople, who needed email and a secure messaging system, not the ability to play "Angry Birds."

As Tom Kellerman, chief technology officer at Columbia, Md.-based mobile security vendor Airpatrol Corp., put it, BlackBerry users were "high-value targets."

That means hackers who cracked the BlackBerry's tough security weren't ordinary cybercriminals looking to steal a credit card. They were well-trained spies trying to find an executive's location for a kidnapping attempt, or to steal high-value corporate data such as trade secrets or defense-contract blueprints.

BlackBerry's global smartphone market share is around 10 or 11 percent, half what it was just a couple of years ago, as users have flocked to the more versatile Android and iOS platforms. Its maker, Research In Motion, is working on a completely overhauled platform, but until that hits the market it's a safe bet that few malware writers will bother attacking BlackBerrys.

Microsoft, the underrated underdog

Microsoft is an interesting case in this regard. According to technology research company Gartner, Microsoft's well-reviewed Windows Phone 7 platform had only 1.5 percent of the market in October 2011, so it is a tiny target.

Microsoft has taken a kind of middle course between Google's wide-open approach to Android and Apple's tightly vetted app store. For starters, Microsoft has limited the handset makers it works with, and most Windows Phone 7 handsets have been made by HTC, Nokia or Samsung.

By contrast, 30 different handset makers use Android. Most tweak it to work best with their phones, and even some carriers further modify the Android OS for their own networks. That means there are at least as many versions of Android as there are compatible handsets.

Second, Microsoft has exerted more control over the application programming interface (API) than Google. It allows handset makers to customize the apps, but not the user interface itself.

That said, as with Android, there's a lot of information about Windows out there for hackers to learn.

"There's already a huge amount of understanding of how to build malware for a Windows API," van Someren said. "Once [the Windows Phone platform] gets some traction, I think it will gain [among hackers] quickly."

Future strengths, and an eternal weakness

Going forward, there are several ways the big four mobile platform makers might address security.

Kellerman said one method could be "dynamic sandboxing." Instead of assuming that a mobile OS is secure, he explained, its maker could assume it will be breached at some point.

Faced with that, the simplest thing to do might be to lock down certain functions when the user is doing something sensitive, such as connecting to a bank's website or to a corporate virtual private network. For example, one could turn off the phone's SMS or email functions at those times.

Van Someren disagreed that dynamic sandboxing would be practical for many users, saying that it is harder technically than it sounds. He suggested that Google instead alter the Android API to be more like iOS's or Windows Phone's, restricting its functions more.

But even if Apple, Google, RIM and Microsoft all take their best steps possible to boost security as phones become more like computers, there's still one factor they'll never be able to account for: the user.

Ojas Rege, vice president of products and marketing at Mountain View, Calif.-based device-management company MobileIron, noted that boosting security can often make the user experience bad enough that people will try to work around it. For example, many people might email sensitive documents to their unsecured personal email addresses because it is simpler to do.

In the mobile world, a similar thing happens when people jailbreak iPhones or aren't careful about the apps they download. Rege's solution, geared to businesses, is to notify users who download a "blacklisted" app that their mobile enterprise functionality will be locked down until the app is gone.

"There are some constraints so you don't have obvious 'oops' moments," Rege said.


© 2012 SecurityNewsDaily. All rights reserved
