Mobile attacks and preventions – how security will change the mobile market
By Tam Hanna
I had the opportunity to meet Tam at SigInt earlier, so I simply had to attend his talk at Confidence.
The security of mobile systems is often weak because users are not willing to accept reduced battery life to run anti-virus. Also users and developers of do not think about security.
Tam mathematically shows how the chances of two users with a smart phone meeting goes up enormously as the market share of smart phones go up.
The current biggest problem to phones is theft. This is not stopped, because stopping theft does not benefit the carriers, phone manufacturers or governments.
Targeted phone theft is even a bigger problem, because data that resides on a smart phone is nearly never infected.
Mobile malware is now emerging. It is basically hacking without buffer overflows, etc.
Premium rate buggery is another classical example, user are tricked into sending text messages of calling premium rate numbers.
Developers are defending themselves by prompting users. This is suffering from the usual problems:
- Granularity – When do you click the warning
- False positives – If a users gets 30 warning from a single program they will either stop or ignore the warnings
- Users are not qualified to make the decision – They could be persuaded to click something they don’t want to.
Signing applications does not work, because it is not possible for vendors to do the full QA we all really require.
So what will happen in the future?
You can only stop the malware authors by hitting their cash-cow, by banning premium numbers of displaying the costs.
We can also hope that the users will be knowledgeable enough to not install malware
Ultimately if we all fail, the mobile app space will become a closed system.