Your smartphone isn’t just your phone; it’s your address book, your personal diary, your online banking system and fairly soon it could be your wallet, your train ticket and your front door key (when NFC handsets are common). That makes it an even more tempting target for hackers than your PC. If someone takes control of your phone they could potentially make money by sending premium rate text messages and downloading expensive apps and in-app purchases, and they could get your online banking password and use your Facebook account to spam your friends with malware.
Despite the lucrative potential and IBM’s recent prediction that there will be twice as many mobile exploits this year, mobile security isn’t yet a widespread problem. Phone operating systems are a lot more locked down than PCs and nearly all attacks rely on tricking you into clicking or accepting something rather than on being able to do that behind your back. Most third-party smartphone ‘security’ tools are just backup software, a way to track a phone’s location (a service many phones come with anyway) or a firewall, although there are some that scan downloaded apps for security threats.
But if the mobile security problem does get more serious, how well do the main platforms protect you?
The most recent Android security scare illustrates the dangers of a more open, less locked-down system. In this case, HTC was able to add logging tools that collect significant amount of user data and make that available to apps without your permission (the company is working on an over-the-air security patch). Phone makers who use Windows Phone wouldn’t be able to add tools like this (and Apple and RIM control everything on their phones). This difference in approach makes as much difference to how secure different phones are as the different architectures.
Malware and fraud
The biggest threats for PC users are viruses and Trojans. Mobile browsers don’t support plugins that hackers can attack, or use to put their own code on your system, which cuts out a lot of threats Smartphones run apps in their own ‘sandboxes’ and give them much less access to the operating system – and warn you when you install them what services and information they need access to. BlackBerry and Android apps present you with a specific list of permissions that an app wants when you install it; on BlackBerry you can allow or block these individually, with Android you can only choose to install the app or not. Windows Phone and iPhone warn you if an application wants to use location data. Because of these permissions, mobile malware nearly always masquerades as a legitimate program.
Because Google doesn’t approve apps going into the Android Marketplace the way Apple, RIM and Microsoft do for their app stores and runs only a number of automated security checks, Android has been particularly prone to this, with Google having to remove some 58 malicious Android Marketplace apps directly from around 260,000 phones. Although Google promised to find ways to stop a repeat of this DroidDream malware in the Marketplace, there are also many alternative app stores for Android and, like BlackBerry devices, you can ‘sideload’ apps onto Android handsets.
That and the popularity of Android devices makes them the number one smartphone target for hackers (ahead of Java ME feature phones, Symbian and BlackBerry) and this summer we saw ‘drive-by’ downloads for Android that start downloading an app as soon as you visit a Web page, usually from malicious adverts. Most Android malware comes from Asia or Russia (one Trojan sends text messages to a premium Russian number that only charges you if you have a Russian phone), but there are Trojans that target US numbers.
But Android has had vulnerabilities in the operating system as well, most notably a bug in the multimedia system of the Android browser that let a hacker take control of your browser remotely and look at your history and saved passwords. The DroidDream malware also used exploits to break out of its sandbox and run as root to install more malware.
All operating systems, including mobile operating systems, have vulnerabilities. Having much of its code available as open source may make Android easier to hack but it’s the popularity of the platform that makes it so attractive to hackers. Similar vulnerabilities for iPhone are often found by the jailbreak coders first, which has allowed Apple to fix many of them – and to check apps submitted to the ITunes store to see if it tries to take advantage of them.
Apple also makes iOS updates available to users directly (through ITunes or, with iOS 5, over the air). Google only provides updates directly for selected devices like the Nexus handsets –security fixes fir most Android handsets have to come from the handset manufacturers. That means that while the fixes to bugs in Android are often available in the Android Open Source Project very quickly, getting them onto your phone could take weeks or months, or for some handsets never happen. RIM regularly pushes out security updates to users. Microsoft works with handset makers and carriers to distribute updates, but insists they distribute at least every second update.
Find, lock and wipe
The biggest security threat on any phone platform is what someone could get from your phone if they steal it from you (or find it when you lose it). According to Equifax, last year 40% of us weren’t bothering to put a PIN or password on our phones. If you don’t do that, you’re not going to get the advantage of more powerful protection like encryption – and applications and Web sites with saved passwords will all be accessible. If you want to use more than a 4-digit PIN on an iPhone you need to upgrade to iOS 4 for full password support. If you find a PIN or a password awkward on a touchscreen, Android lets you log in by swiping your finger through a specific pattern on screen – but remember to clean your phone screen regularly as it can be far too easy to work out the pattern from the smears on screen.
Whether you know you’ve lost your phone or you just think you’ve dropped it down the back of the sofa, being able to check the location and lock or wipe it remotely is probably the second most useful security tool. That’s built into Windows Phone and you can find, lock or wipe your phone through the Live Website. For BlackBerry you need to install a free app, BlackBerry Protect and you can then find or wipe your handset from the BlackBerry Website.
For iPhone, you need to enable phone tracking on the handset; if you lose the device you can find or wipe it from the MobileMe site or install the Find My Phone app on another iPhone to track it. That’s free if you have iOS 4.2 or above; with older versions of iOS you have to pay for a MobileMe account. Google doesn’t offer a free service to find and wipe Android phones, although businesses can lock and wipe phones through Exchange or Google Apps; there are numerous pay-for third-party tools that will find your phone and let you lock or wipe it – and there are tools for the other platforms with options like setting a new password remotely.
Hardware encryption is one of the security features that has always made BlackBerry popular with business users. The iPhone 3GS, 4 and 4S have hardware encryption; previous models not only didn’t support this but would also accept a policy from an Exchange Server which said only devices with hardware encryption could receive mail – and then not hardware encrypt the messages. Security is far better in iOS 4, which allows individual files to be encrypted separately, although that’s something an app has to explicitly support.
Surprisingly with Microsoft’s enterprise heritage, Windows Phone doesn’t have hardware support for encryption, so although information can be encrypted by the OS or by apps, that’s all done in software. Few Android devices have hardware encryption either and Android didn’t add built-in support for encrypting the file system at all until 2.2, although there are apps like NitroDesk’s TouchDown which encrypts email, calendar and contact information. A third-party app like TouchDown is the only way to encrypt a microSD card in Android, something that both BlackBerry and Windows Phone support without extra software (if you can find a Windows Phone with a microSD slot, which not all models have, the card is used as part of the main file system).
Password protecting your phone is worthwhile for just about anyone. You only need to worry about encryption if you’re putting important business data on your phone – at which point you need to talk to your IT department first.