Are smartphones your weakest link?

The PC in your pocket is a boon for business people on the move, but it needs the same protection as your office-based technology, if not greater

It has been estimated that around a quarter of mobile phone users have a smartphone, essentially a microcomputer handset in their pocket or handbag that can make and receive phone calls.

But using a smartphone – which can be an Apple iPhone, BlackBerry or Google Android-based mobile – for a voice call is a bit passé, since the handset can, like its desktop computer cousin, do a whole lot more.

Unlike a desktop computer, however, today’s smartphones run mini-applications known as apps, which are what computer programmers call “extensible”. That is, they are able not only to run on the smartphone itself, but also to extend a communications link – usually across the internet – to interact with a distant computer running the website or system being accessed. It’s this extensibility and interaction that gives apps their power.

Instead of, for example, a railway timetables app storing all the train timetables for the UK, the app can interact with the train operators’ websites to access live train information, including details of delays plus cancellations, as well as the platform the train uses.

But what happens if the website or computer system that your smartphone is interacting with is infected with malware or some other form of electronic nastiness?

While a desktop computer probably has one or more security applications installed, it’s difficult to find an off-the-shelf security app for your iPhone, BlackBerry, Android, Symbian or Windows Mobile smartphone.

But the situation is rapidly changing and not before time. In late February, one of the main sources of apps for the Android flavour of smartphones – the Android Market – was hit by cyber criminals.

According to the appropriately named Android Police, the cyber criminals downloaded more than 50 legitimate apps, infected them with credential-stealing malware and then re-uploaded them under different names. More than 200,000 copies of the apps were downloaded in the four days before Google, operator of the Android Market, realised what was happening and removed the offending software.


A few days later, the hackers were back, with the same DroidDream malware as the original 50-plus apps. DroidDream is nasty, as it allows the hackers to remotely download data from the infected Android handset. This data can include the serial numbers of the phone and its SIM card, allowing the hackers – in theory at least – to impersonate a user on a cellular network to make calls, download expensive apps and generally run up a large fraudulent tab at the legitimate owner’s expense.

Steve Durbin, vice-president of the Information Security Forum (ISF), an independent security association, says that as many as 240,000 Android users were hit by this infection.

“Every time an individual downloads an app, some software or accesses a website using a mobile device, it introduces risks, risks that are often outside the control of the individual and of the security professional,” he says.

Businesses as well as users need to be more aware of the risks of using smartphones, he adds, and to be more aware of the fact that smartphones are more affordable, more powerful and better connected. Businesses need to strike a balance between the end user and the protection of the organisation and confidential data, for example, by establishing security policies for the use of personal mobile devices and educating users about the security risks.

David Harley, a security fellow with ESET, the IT security specialist, and former director of the NHS’s threat assessment centre, says that the Android infected apps incident is not that surprising, given the nature of the Android platform. Google Android, he explains, is an open source platform, meaning that almost anyone can create and modify apps for the smartphone, which can then be offered for download on the internet.

This, he says, differs markedly from the Apple approach of carefully controlling and vetting the apps it makes available for the iPhone and the iPad tablet computer.

This is not to say that Android is the only smartphone operating system that poses a risk to companies and their IT systems, as well as to users’ personal computers. The problem with smartphone apps, says Harley, is that they are difficult to control.

“Researchers are now saying that there will be 17 billion smartphone apps [on all smartphones] downloaded by the end of 2011,” he says, adding that this makes it an almost impossible task to track them.

Steve is technical editor on Infosecurity magazine. He also writes on cellular and communications matters.
