The modern mobile phone comes in two basic varieties.
The more secure version is a stripped-down 2G phone with very
little data functionality. There are still some security issues with
2G. The first is the possibility that someone will
eavesdrop on your communications. The second concern is availability:
what happens if everyone calls at the same time? But aside from
these concerns, it is quite a simple piece of equipment.
Then come smartphones. If you think about it, a smartphone is a
small PC. It comes with an IP stack, a browser, e-mail, an office suite
and network-enabled games. What separates it from a PC is
usability, and that usability includes the ease of implementing
security. Security is a huge business in the PC world, and that business
is created by the shortcomings of the software developers in that
space.
Where a PC manufacturer can easily release a beta version and
ask users to pay for it, a mobile handset manufacturer would have
to recall a product if it had a critical flaw. Appliances come with
product-related warranties and responsibilities. And that brings a
completely new aspect of "risk" to the security equation for the
manufacturers of mobile devices.
Take one hundred software companies and ask how much they are
actually spending on quality and security. The answer is most
probably that 90% are spending almost nothing. And why would they?
There is no customer requirement for software security. Then take a
bunch of software developers in the mobile industry. The difference
is significant, and the customer pressure for quality is enormous.
If the product does not work, it will not sell. If it has a
security problem, it will be returned to the shop.
So what is the status of security in mobile phones? I get asked
that question all the time, and I can answer it from my own
experience. If I go and sell security testing to a typical small
software shop, they laugh me out of the room. They could not care less. But if
I talk to anyone in the embedded developer space, they get it. They
see an immediate saving, and differentiation in a challenging market.
A mobile phone company that does not spend money on quality and
security will very quickly leave the market with its tail between its
legs. Regulations, product liability, critical customers and a
challenging competitive landscape create requirements that no
typical software company meets.
If you look at Codenomicon's customer list, you can see
that the landscape is changing fast. Companies that expected
hackers to find the problems for them, and for free, are
suddenly investing in security testing. Carriers and service
providers are also including such tests in their procurement
practices.
Major enterprises have also recognised that it is not features
and purchase price that create the majority of the costs. It is
downtime of services, loss of data, and other aspects of software
that can be proactively prevented with quality assurance tools such
as fuzzing and robustness testing. Maybe the software industry will
eventually reach the same level as the mobile industry, or maybe
the mobile industry will regress to the level where the software
industry is today. Only time will tell.
Ari Takanen is co-founder and chief technology officer at Codenomicon.