So, it's started. In terms of security, we are seeing first generation mobile operating systems transition into second generation mobile operating systems. While the threats mobile embedded devices face today are relatively small, they are very real threats. We often see samples of backdoors, spyware, worms, Trojans, and arbitrary code execution for either one or both of two key commercial mobile operating systems (Symbian and Windows Mobile).
What strikes me, however, is that the vendors seem to be learning from the tribulations in the desktop space. What I mean to say is, they could sit around and wait for these issues to become as rampant as they are today in the desktop arena before they addressed security in the mobile environment; however, initial evidence suggests that mobile OS companies like Symbian, Microsoft, and ARM are becoming more proactive with security.
With the release of Symbian 9 we are seeing a more granular permissions model. With the recent announcement regarding Windows CE 6 from Microsoft, we are seeing quite a conscious effort around application programming flaws and general operating system security. And last but not least, with ARM we have seen the advent of the XN (eXecute Never) bit—the equivalent of the NX bit in both Intel’s and AMD’s desktop CPUs.
Obviously Symbian 9 is shipping today, and with Windows CE 6 I think we can realistically expect its appearance in devices in about 18 to 24 months time. While all of these will admittedly help the security situation, they won't solve all of the issues. Firstly, because mobile devices are low-powered and battery life is a premium, there have to be certain trade-offs. Secondly, in such a price-competitive market there has to be a strong case to use more expensive components (such as the ARM processor with the NX bit). Thirdly, even with all of the honest intentions in the world there are going to be some OEMs who will sacrifice security in the name of usability. Finally, many third parties will write code for these systems; so while the OS ISVs can attempt to control the code that is introduced into the kernel or provide connectivity applications and similar critical components, they can't control it all, which will create a degree of exposure.
I, for one, applaud these efforts but as we know technology doesn't solve everything. One could argue that even with the best security system in the world Trojans and certain types of worms can still exist if users allow them to, either through lack of knowledge or simply by not being aware of the true intentions of an application.
Aside from the security issues that ISVs and OEMs can directly influence, there are still going to be problems facing enterprises and consumers such as policy compliance, secure data storage, secure communications, backups, and knowing what data was actually on a device if it is lost or stolen. I am of the opinion that these “next generation” operating systems will certainly help, but a large legacy of alternative mobile devices and operating systems will remain out there for a number of years yet.