Mobile security was a hot issue at the CanSecWest conference, especially with the prolific use of smart phones for both enterprise and personal use. During my commute to work, it seems that everyone on the train is using their smart phone, pushing those little buttons on their little keyboard to send emails, surf the Web, or check the score of last night’s hockey game. A smart phone is more than just a phone; users can download applications to do anything from updating their profile on social networking sites to searching for a great Thai restaurant to bowling downhill. My husband even has an application on his smart phone whose sole purpose is to make the most annoying noise on the planet (needless to say, I was not excited when he showed it to me).
So why would an attacker target smart phones? Smart phones have properties that traditional computers may not have: they are always on, 24 hours a day, 7 days a week; they have a permanent, high level of connectivity; updates for them are not as frequent as for traditional systems; and they represent a new attack surface. They also contain a lot of sensitive information that may be of value to the attacker. This information may range from email addresses to account information, and for those who shop and bank on their smart phones, it can include banking and credit card information. This gives attackers a huge economic incentive to attack these platforms.
Most importantly, many smart phones serve double duty as both a personal and work device, which may be a key entry point for an attack. Users who bring their device home may use it for personal purposes, such as connecting to their favorite social networking site or downloading a highly rated <ahem> farting or beer drinking application. Once back at work, the user syncs the device with their enterprise workstation and network. If the application they downloaded the night before contained malicious code, then by syncing it with the enterprise network the user may have given an attacker access not only to the smart phone but also to the enterprise network.
Since vendors want as many users as possible to purchase and/or install their applications, how can users protect themselves from malicious ones? There are a number of security questions users should weigh before downloading an application: is the information used by the application sent directly to the vendor's own website or through a third-party one; can the user control the application's permissions; and can the user modify the existing security settings?
So, buyers beware: especially for smart phone applications. As for me, I just found a free zombie application that I want to try out.