In the beginning, cell phones could only place phone calls, take pictures, play music and play some basic video games and all was well.
Now, however, the most popular smartphones (e.g., BlackBerries, iPhones and Androids), in addition to web browsing and synchronization with your company’s email, will also allow you to install 3rd party applications.
Installing third party software presents a security risk. It is currently not a great risk, but the trend does indicate that this risk is increasing as malware developers become familiar with these new platforms.
The risk is somewhat less with BlackBerries and iPhones, as RIM and Apple examine third party apps before making them available on their official sites. Third party applications for the BlackBerry that are not from RIM’s official site, App World, are not examined by RIM.
Nominally, iPhone apps can only be installed through iTunes or the App Store and therefore all iPhone apps are examined by Apple. If you wish to load unexamined 3rd party applications on your iPhone (bad idea?), you will need to google “iPhone jailbreak”.
Google does not currently examine any Android apps, so your best chance of loading malware into your smartphone is with Android.
So what sort of badness can you expect? Examples are still fairly rare, but one Android App was described as an interface that would allow you to do banking on your smartphone. After a few weeks Google pulled the app as there was the sudden realization that no one really knew what the app’s code did with account names and passwords.
In 2008, Apple found that an online RPG called “Aurora Feint” would ask you if you wished to join the “community” on install. If you said yes, the app would copy the phone’s contacts list and send it to the game servers so that the servers could check which of your friends were currently online. This was deemed too much of an intrusion by Apple who then pulled that version of the game.
Apple and RIM actually decline or pull few apps: about 5 to 10% of all submissions. Most are pulled simply for being poorly written and causing crashes. Just a few apps are declined or pulled for being security risks.
At this point, defining a smartphone security risk is partly an evolving science. Note how the above examples are not exactly glaring violations. As such, it is unrealistic to expect Apple or RIM to catch all malware, though they are trying. For example, one banking app was recently pulled even though it was not clearly malware. However, it was written so that future updates could turn it into malware.
What would I do for the BlackBerries or iPhones or other smartphones distributed as business communication tools for my business? I would only allow third party applications to be installed if they were of direct benefit to the business and from a trusted vendor with a proven track record. No more emoticon, mirror or beer drinking apps.
Peter: “He said he was gonna really cavet the guy’s eruptor.”