The modern mobile phone comes in two basic varieties. The more secure version is a stripped-down 2G phone with very little data functionality. There are still some issues related to 2G confidentiality. First is the possibility that someone will eavesdrop on your communications. The second concern is availability: what happens if everyone calls at the same time? But aside from these concerns, it is quite a simple piece of equipment.
Then come smartphones. If you think about it, a smartphone is a small PC. It comes with an IP stack, browser, e-mail, office suite and network-enabled games. What separates it from a PC is the usability. And that usability includes the ease of implementing security. Security is a huge business in the PC world, and it is created by the shortcomings of the software developers in that space.
Where a PC manufacturer can easily release a beta version and ask users to pay for it, a mobile handset manufacturer would have to recall a product if it had a critical flaw. Appliances come with product-related warranties and responsibilities. And that brings a completely new aspect of "risk" to the security equation for the manufacturers of mobile devices.
Take one hundred software companies and ask how much they are actually spending on quality and security. The answer is most probably that 90% are spending almost nothing. And why would they? There is no customer requirement for software security. Then take a bunch of software developers in the mobile industry. The difference is significant. And the customer pressure for quality is enormous. If the product does not work, it will not sell. If it has a security problem, it will be returned to the shop.
So what is the status of security in mobile phones? I get asked that question all the time, and can answer it from my own experiences. If I go and sell security testing to a typical small software shop, they laugh me out. They could not care less. But if I talk to anyone in the embedded developer space, they get it. They see an immediate saving, and differentiation in a challenging market. A mobile phone company that does not spend money on quality and security will very quickly leave the market with its tail between its legs. Regulations, product liability, critical customers and a challenging competitive landscape will create requirements that no typical software company meets.
If you go and see the customer list of Codenomicon, you can see that the landscape is changing fast. Companies that expected hackers to look for the problems for them, and for free, are suddenly investing in security testing. Carriers and service providers will also do the tests in their procurement practices.
Major enterprises have also recognised that it is not features and purchase price that create the majority of the costs. It is downtime of services, loss of data, and other aspects of software that can be proactively prevented with quality assurance tools such as fuzzing and robustness testing. Maybe the software industry will eventually reach the same level as the mobile industry, or maybe the mobile industry will regress to the level where the software industry is. Only time will tell.
Ari Takanen is co-founder and chief technology officer at Codenomicon