SC Magazine published my comments on mobile malware: why I believe there will not be mobile malware pandemic any time soon, and probably not ever. My reply exceeded their length limit, so some of the context was lost. Here are my comments in their entirety.
Security software vendors like to bleat about how mobile phones will be the next big target for malware writers. There’s a sense of inevitability about this, and the story goes like this: Mobile operating systems are becoming a lot like PCs. PCs have lots of malware. Therefore smartphones will have lots of malware — any day now. Security vendors are hoping this will become true so they can sell mobile security software. This idea has at least three problems:
- No monoculture. There is no monoculture (read: no Windows equivalent) for mobile operating systems. There are at least four major mobile operating systems (iPhone, BlackBerry, Android and Symbian) and one minor one (Windows Mobile, which is falling fast). If you are writing malware, which one do you write for? Answer: none of them. It’s much easier to set up a phishing website that hacks the user, rather than a targeted piece of malware than hacks the device.
- Mobile phones have much smaller attack surfaces compared to PCs, with no (or very few) listening network ports. And the operating systems themselves are locked down. Android and BlackBerry feature Java-based runtimes that are largely immune to buffer overflows. Also, at least two OSes, and the iPhone, require applications to be signed by a trusted source. Smartphones aren’t cut-down PCs — they are much closer to toasters. There just aren’t that many moving parts inside. I spoke with Dino Dai Zovi about this at RSA last week — he says that mobile operating systems like iPhone OS 3.0 are far, far more secure than their PC-based cousins.
- Most of the demonstrated attacks have been very impractical. For example, the iPhone “malware” that made the rounds several months ago only affected phones that users had jailbroken — in other words, they had taken active steps to disable the code-signing protections.
None of these inconvenient facts seem to trouble the vendors much, and every few years someone new makes a fuss. A few years ago, F-Secure and Sophos were banging the drum; then, it was Symantec, then McAfee, and now Kaspersky. Not one of these vendors’ predictions have come remotely true, and none of the vendors are making any money (or even selling much product) in this space.
Now, I don’t mean to dismiss some of the valid concerns about privacy. We’ve seen some articles about how easy it is to write code that will riffle through your BlackBerry’s phone address book looking for e-mail addresses to steal. Veracode demo’ed some proof-of-concept code that did that. And we’ve seen some iPhone apps pulled from the App Store because they sent personally identifying information for “instrumentation” purposes that compromised users’ privacy.
But these aren’t security problems. They may be potential privacy problems, but at this point we’re talking about authorization battles that are being fought inside the operating system, and on the vendors’ terms. That is a far better situation than what we have today in PC Land. [Ed: I’d include all of the traditional untrusted OSes in this camp: Windows, OS X, and Linux; none of these were built with a “root of trust” bootstrapping model that ensures system integrity, unlike modern smartphone OSes. That is what I meant by mobile OSes being more like toasters.]
To date, enterprises regard mobile security suites (such as they are) as providing marginal benefit. There just haven’t been enough malware incidents to justify purchase of mobile AV or anti-spyware. For the most part the feature that enterprises want most is remote wipe/remote kill — you can do this easily with the BlackBerry today, and for iPhone and Windows Mobile devices, you can do with existing Windows client management tools. So there’s not much of an aftermarket.
Rob Smith, CEO of Mobile Application Development Partners, published the counterpoint to my position. He states fairly unequivocally that the mobile security threat is real. I suspect we were actually answering different questions: I was commenting about mobile malware, whereas his comments seemed to be about mobile threats generally. I agree with him that plenty of unscrupulous characters will try to take advantage of innocent people. I also agree that the increasingly sophisticated mobile technology those innocents carry with them will undoubtedly be the conduit for some of those attempts.
But I do disagree with the general notion that mobile malware is inevitable (to be fair: Rob does not actually state this as his position). We will not see the proliferation of malware like what we have seen on the PC. We will surely see plenty of attempts to compromise the user’s trust that do not need to compromise the integrity of the device. Scams, spam, confidence games and phishing — these threats will keep coming fast and furious. But these are not mobile security or mobile malware problems, just security problems generally. And because the threats have nothing to do with the mobile device, the solutions have nothing to do with the mobile device earlier.
Last but not least: enterprise endpoint security for PCs is a $2.8 billion business. The mobile share of that is, at most, $10 million, or 3/10ths of 1% of the size. I will buy a bottle of champagne for the person who can show me it has exceeded just 1% by the end of 2011.