Recently there have been several reports of security flaws in a product provided by a company called Mobile Spy. The product is an application for Windows Mobile smartphones. The application logs various forms of communication data transmitted to and from the phone and sends it to a hosted database. A user can log in to the web service and view all the data that has been logged.
The idea behind this product is that it’s installed on a device without the knowledge of that device’s user (for example, an employee, child, spouse, etc.). The party who installed it can then monitor the user’s activity to ensure that the device is not being abused. A company manager, for example, can make sure that an employee is not making personal calls or sending personal text messages from a company device.
For the most part, this seems like a reasonable idea, but the security flaws in both the...
I was interested in getting some rough numbers on publicly disclosed vulnerabilities in Symbian and Windows CE/Mobile platforms and applications. I cannot say with any degree of confidence that what I present below is reflective, simply due to the fact that different bugs get categorized under different vendors, platforms, or keywords. What I can document is the method I used to arrive at the below numbers. I used cve.mitre.org and did the following:
• searched by vendor, platform for Windows Mobile & Windows CE
• searched for keyword MMS picking out those relevant
• searched for keyword SMS picking out those relevant
• searched for keyword Symbian
• searched for keyword Nokia picking out those relevant
So the summary is that there are 16 for Windows CE/Mobile and six for Symbian. I guess this demonstrates people are finding vulnerabilities in these two platforms. If we take out the third party applications on Windows CE/...
All of the recent rumors about Google releasing a "gPhone" were finally put to rest with their release of Android, which is a software stack for mobile devices. Android includes an operating system (Linux), middleware, and some default applications like a browser.
Applications are developed using Java and use a framework provided by Google including their own virtual machine (Dalvik virtual machine). The entire framework is open source and Google (as part of the Open Handset Alliance) wants to bring openness to the mobile ecosystem, allowing anyone to write applications and make use of all of the functionality available on handsets.
Well, we’ve arrived at where we’ve been trying to get to for some time. That is to say that we now have the ability to release security advisories for Windows CE & Windows Mobile after working through the accepted responsible disclosure process with Microsoft. It hasn't been easy, with us initially reporting issues back in February 2006, but we’ve finally got here. This really marks a milestone for COTS mobile platforms even though we did achieve something similar back in 2003 with Nokia and their proprietary OS and recently with Palm OS, but getting vendor responses on mobile security issues (with maybe the exception of RIM) has historically been hard work.
A quick thanks to all those involved here at Symantec: Katie (before she left), Tyler, as well as the folks over...