Mobile threats: an update

Hotly tipped for years but with little action to date, is mobile security about to dominate the agenda?

Mobile security has been a hot topic for years and although mobile working is now an accepted part of everyday life, there have been no outbreaks of malware or security scares on a level with desktop PCs – so what has been going on behind the scenes?

Deperimetisation has meant that a huge percentage of workers now have a laptop instead of a desktop, and security models have had to become more flexible to deal with the problems this raises. Mobile phones have moved on too, to become multimedia entertainment devices, with gigabytes of storage, email and web clients and the widest range of connectivity methods on the planet. The massive corporate success of the Blackberry, the media coverage of the Iphone, and the all-singing-all-dancing power of Nokia's N/E series have made them evermore tempting targets.

According to analysts at Gartner, the number of smart phones shipped to end users will out number the volume of laptop shipments to customers as early as 2008, while rival analyst firm IDC estimates that as many as 304 million smart phones will be in user's hands by 2011.

Security professionals used to say of mobile that when devices became as widely deployed as PC's, and a single Operating System (equivalent to Windows) became the norm, then criminals would begin to attack it in earnest. The belief that the mobile threat is just around the corner has prompted all the major names in desktop anti-virus to release mobile-specific versions of their software, which many operators have licensed.

I do worry about the increase in use of open-source code for mobiles, as this is an inherently insecure method of developing a platform
Matias Impivaara
Director of mobile security, F-Secure
"We've seen a huge increase in trial usage of our mobile anti-malware solution for Nokia devices, and although this area is not yet high risk, I think we'll see it become more important," said Kimmo Alkio, CEO of security company F-Secure, whose mobile operator customers include Orange UK, "The growth in the use of reverse billed MMS as a method of extracting financial rewards from mobile handsets is also a worrying sign. I believe that the availability of sub-hundred dollar devices will be the turning point of this market though, and we see mobile security as a central plank of our strategy in the future."

Public disagreement over the issue has been fierce, with many critics pointing to the lack of actual malware for these mobile anti-malware engines to detect – it's thought that there are less than 400 individual pieces of malware for mobile platforms, as opposed to hundreds of thousands for Windows PCs. However, it's certain that the range of malware attacking the increasingly important and varied data on mobile devices is increasing, with recent releases of Trojan-like programmes that allow third parties to monitor an infected handset's communications. The bar is set to be raised still further, as wave-and-pay technology (Near Field Communication) is set to be deployed, and would present a clear financial incentive to hackers.

However, the platform standardisation game itself is yet to be played out, as web giant Google launched its Android platform in November 2007. Android is an open source development platform that contains a complete set of components, including an operating system, a middleware stack, a UI, and applications based on Linux. Nokia has a long history of flirting with Linux, using it in its series of tablet handhelds such as the N800 and 770. However, some experts fear that open-source programming may shatter a security model that seems to be working well currently. For example, Symbian S60 applications need to be signed by Symbian to be deployed, and this process has so far throttled the release of malware.

Matias Impivaara, director of mobile security, F-Secure said: "Attacks that use social engineering to subvert mobile security will certainly grow in the future. In fact, the increase in security of Symbian S60 v3 has already forced criminals down this path. I do worry about the increase in use of open-source code for mobiles, as this is an inherently insecure method of developing a platform…"

While the technologies continue to develop, the use of existing mobile technology as a marketing channel is rocketing. Bluetooth marketing is beginning to appear on the high street, with recent deployments in cinemas across the UK by Bluepod Media, while barcode/QR code scanning technology is included in the latest smartphones. Laura Marriott, President for the Mobile Marketing Association said: "Many of the globe's top brands such as P&G, Toyota and Coke have set up separate marketing teams for mobile, recognising its unique skillset. However, it's still early days for the market and too soon to spot trends within mobile marketing, but I'd expect to see this change within 18-24 months."

The rise of importance of the channel to businesses alone has made securing it a boardroom topic, as Lorcan Burke, CEO, Adaptive Mobile explained: "Implementing AV protection and spam filtering technology will help operators distinguish the bad apples from the good and ensure paid-for advertising messages are not lost in a flood of spam. This will increase the credibility and appeal of mobile phone marketing and ensure that tier one brands do not inadvertently end up paying for their advertising to be delivered alongside adverts for second-hand cars and tips and treatments to increase the chances of romantic encounters."

Interestingly, the increase in importance of mobile to both users and advertisers has occurred in tandem with the growth of cybercrime-driven PC malware, as opposed to the older hobbyist approach. This has led to a huge spike in stealthy rootkits and Trojans, instead of bandwidth-hungry network worms and the like. It's likely that the mobile space will never see the big security headlines that the PC-based internet did, because the threat has changed in the meantime. One thing is certain – mobile's rise will inevitably become a serious target for criminals, and without a careful approach to security, the headlines will not be good.

Read more on Network security management