Slashdot Mirror

← Back to Stories (view on slashdot.org)

Your Smartphone Is Safer Than Your PC — For Now

Posted by CmdrTaco on from the ominous-chords-go-here dept.

snydeq writes "InfoWorld's Galen Gruman reports on the future of mobile security — one that will see a significant rise in exploits as valuable information increasingly migrates to mobile devices. To date, sandboxing and code-signing have helped make mobile OSes relatively secure, when compared with their desktop brethren. But as devices store more valuable information than email, they will become more enticing to hackers currently breaking into Windows PCs. And the biggest bulls-eye appears to be on Android, in large part because its architecture is most like that of the desktop PC but also because there are so many variants in use — too many for Google or the carriers to patch securely. And as the PDF-jailbreak vulnerability showed, sandboxing has its limits when it comes to securing the browser — the most likely point of entry for exploits not due to the rise of extensions, helper objects, and plug-ins on the mobile Web."

33 of 125 comments (clear)

  1. Irrelevant to me by Anonymous Coward · · Score: 5, Funny

    I have a stupid phone.

    1. Re:Irrelevant to me by maxwell+demon · · Score: 2, Funny

      Give me your phone and an axe, and I'll show you. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Irrelevant to me by rthille · · Score: 3, Funny

      Your bank account is 42910-44937
      You really shouldn't like to your girlfriend like that
      And call your mother more often.

      -The NSA

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    3. Re:Irrelevant to me by Jurily · · Score: 3, Informative

      your girlfriend

      You know this is Slashdot, right?

  2. Are variants a bad thing? by DrXym · · Score: 4, Insightful
    And the biggest bulls-eye appears to be on Android, in large part because its architecture is most like that of the desktop PC but also because there are so many variants in use -- too many for Google or the carriers to patch securely.

    So if an exploit occurs it will likely only affect some handsets as opposed to every handset.

    1. Re:Are variants a bad thing? by John+Hasler · · Score: 4, Insightful

      So if an exploit occurs it will likely only affect some [Android] handsets as opposed to every handset.

      But the scary news stories will omit that little detail.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Are variants a bad thing? by djdanlib · · Score: 3, Insightful

      So we'll all be depending on multiple carriers' good patching practices, to make sure the patch for foolib-1.2.3-r4 gets pushed to all their Frobnitz Model 200 phones that they released two years ago and have since deprecated and replaced with Model 201, 220, 240, and 250, now with more shiny (but everyone still gets them because they're free with a new contract.) And by the way, it's going to be on your data bill. Call me pessimistic, but I don't think it'll happen in a timely fashion when someone discovers a vulnerability.

      Crackers compete over who can own the most boxes just so they can have bragging rights. Oh look, such-and-such group disabled e911 for 20,000 people, why hasn't OUR group done that yet? We'd better do something even bigger so we can be elite again. Someone will find the loose rivet in the armor, and it'll be like a colonial land grab for a few months until the patch gets distributed.

    3. Re:Are variants a bad thing? by tlhIngan · · Score: 3, Insightful

      So we'll all be depending on multiple carriers' good patching practices, to make sure the patch for foolib-1.2.3-r4 gets pushed to all their Frobnitz Model 200 phones that they released two years ago and have since deprecated and replaced with Model 201, 220, 240, and 250, now with more shiny (but everyone still gets them because they're free with a new contract.) And by the way, it's going to be on your data bill. Call me pessimistic, but I don't think it'll happen in a timely fashion when someone discovers a vulnerability.

      It's already happened on Android. Manufacturers are out making their latest rev and they ignore the bugfiles to their current line of phones. Or they do and pass it onto the carriers who may or may not force an update. Of course, if said update will remove things like root and custom ROMs, they'll probably push it.

      But phones getting abandoned at whatever Android version they shipped with are already happening - I think the early Samsung phones were promised 2.0, but ended up with 1.6 only with an official letter. And others are stuck with 2.1 with no upgrade to 2.2. The only good part is these phones often are early models and easy to root and recover, so unofficial ROMs exist. But later ones may not be so lucky.

      Really, the only Android phone that's not under carrier control is the Nexus One, which gets updates straight from Google. The wierd thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone.

      Google's big enough, let's see it happen and end all this Android loaded with crapware stuff.

    4. Re:Are variants a bad thing? by Sancho · · Score: 3, Informative

      The wierd thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone.

      Because Android is an open platform. The carriers take Android, mold it to fit their needs, and put it on their phones. Google, or rather the Open Handset Alliance, doesn't have any say on it. That's how carriers can get away with modifying the source of the Hotspot app to only work if the customer pays extra.

      This is the downside to GPLv2. The Tivoization loophole means that carriers can do this, release the source, and you still can't (necessarily) modify the source and put it on your phone.

      Google started taking steps to address some of this by moving more of their apps to the app store, but you still have issues with system libraries and the kernel. Without root, an app can't update these.

    5. Re:Are variants a bad thing? by beakerMeep · · Score: 3, Insightful

      Indeed. And as the Apple PDF exploit showed, Android is in trouble.

      --
      meep
    6. Re:Are variants a bad thing? by node+3 · · Score: 2

      And if a fix is created, it will only be applied to some handsets as opposed to every handset.

      Well, DUH! That's because not every handset will need it.

      But not every handset that needs it will get it, which is the whole premise of this article.

    7. Re:Are variants a bad thing? by bm_luethke · · Score: 2, Interesting

      "The wierd thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone."

      Partly because it isn't that easy - these things are often using custom drivers or require custom kernels to run. Yea, some of it is junk but much of it isn't. How are they going to update a bug in Motorola's GPS driver? Or even *why* would they? Lets face it if you had a custom bit of hardware that you had a linux driver on would like Ubuntu to push a new kernel to your device because it can? Nope, especially if that device was a core operational feature. It would be a nightmare to push an upgrade and break phones - it isn't like these upgrades are within the Dalvik VM - those apps can fairly safely be updated across everything, low level upgrades not so much.

      If Android and the phone versions of Linux mature enough to have a true Open Source following we may get something like Linux is today. That is a lot of hard work by volunteers to make drivers for every major phone out there. Now some phones will still have restrictive boot loaders and such, but not all (and I will bet most) will not. It *can* happen but will require Android and it's linux underpinnings to stop it's rapid development and give volunteers time to get things in place - that isn't going to happen for some time. There is a devoted following right now making root exploits and custom roms - many times those custom roms are truly not wanted by the manufacturer but such is life in the open source world. When that happens we can run supported builds while under maintenance (or our carrier contract) and re-build with a Canonical build afterward :)

      There *will* come some point where the technology matures enough that there just isn't that many updates. Compare development in the early 2.x tree of the Linux Kernel to how stable the current 2.6 tree is - heck compare just the 2.4 to the 2.6! At some point we will also not really feel the need to upgrade hardware either - PC manufacturers are hitting that and simply reducing quality so you have to re-buy nearly the same thing every few years. Further I think our phones are marching towards becoming our general purpose machines. As that happens the market will force some level of stability and customability on it too as people *can* realistically reverse engineer things and write an community driver for it.

      Further it isn't even like Apple is immune to the issue - ask people with anything before a 3g how they like their current crop of updates with iOS 4 - chances are you are going to get some grumbling there. Then ask the iPhone 3 users who saw a significant slowdown after the update and you can see that even when you only have *one* hardware specification how hard it is to do. Even with the lockdown Apple has they can't do it to the point people want to make them out to have achieved - they only achieve that *if* you have compatible hardware which is true with Androids too. It's even arguable which is the larger group affected - only *some* older android users are whilst *all* older iPhone users are.

      Ultimately the more freedom one has the more responsibility one has. This includes things like making sure you purchase upgradeable hardware and know how to do it. The more locked down a system is the less you have to worry with it but also the less you can deal with it when it occurs. Apple chose the latter route, Google chose the former. I think Google will win for a number of reasons - the above being one (Apple could win handily if they simply opened up the app store and ability to install unsigned software - but I do not think they will as long as Jobs is at the helm).

      --
      ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
  3. And the first ones out of the gate will be easy by elrous0 · · Score: 3, Insightful

    People have such a false sense of security about their smartphones right now that the first virus or truly inventive hack is going to have a frickin' field day. iPhone users are particularly cocky about how secure their phone is (and Apple isn't exactly a speed demon when it comes to security patches for their OS's either).

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:And the first ones out of the gate will be easy by node+3 · · Score: 4, Insightful

      People have been saying this about the Mac for a decade now, too. I'm glad I didn't hold my breath waiting for this supposed apocalyptic day of comeuppance...

    2. Re:And the first ones out of the gate will be easy by recoiledsnake · · Score: 4, Funny

      The real reason is that malware authors cannot afford Macs :)

      --
      This space for rent.
    3. Re:And the first ones out of the gate will be easy by bm_luethke · · Score: 2, Insightful

      And it hasn't been because of some great security model either - there has been now for weeks an iOS exploit that if you open a correctly formed (or rather malformed) PDF it silently roots your phone and installs any software it wants on your phone. It has access to *everything*. You can not tell me that is "good security". The Mac isn't any better either.

      It hasn't been an issue for one of several reasons.

      One is that no one had taken advantage of it beyond jail breaking phones. One needs to think through the implications of *that level* of an exploit out in the wild for this long and it not being taken advantage of. There is no *technical* reason why it couldn't this day be used to send your e-mail, browser history, all forms your fill out, pretty much everything you do to someone and unless you monitored your traffic and only used your own wifi would you know for certain. For the most part I think the macs have been in this category - if you are going to spend that effort it is better spent elsewhere.

      Next is that exploits do not make news unless they are large enough. Windows exploits are often scripts that almost anyone can run and almost anyone does. iOS ones are more likely going to be one off custom scripts that may gather 10000 credit card numbers - unless someone has an anti-apple leaning (or anti-android if it happens on that platform - nothing remotely Apple centric here) it just isn't news. If I were to guess - and I think I'm more correct than not - there are a number of malformed PDF's out there that do just that. There just aren't any that propagate themselves through e-mail to everyone in your users list and thus make the news.

      Lastly - and most unlikely - is that there is some conspiracy to silence it. Too many places out there that can say it for this to be true.

      Ultimately there is going to be a major worm or virus out there for one of the main hand helds - RIM, Google, or Apple. They are becoming too much a general purpose machine. Whichever one gets it first will loose a great deal of market share for a while while the other two crow about how wonderful they are. They aren't and never have been. Android is more open to attacks on older phones, Apple more open to attacks on all their phones, and RIM is somewhere in between. Apple and RIM can probably handle it quicker but you are more bound to them deciding it is worth fixing and doing so. Lastly what the OP said is true - Apple and RIM users often seem to think they are immune to this. Both phones have some fairly major exploits that have happened and went further than they should because of this.

      Such is life in our industry - number of known bugs, number of known exploits, and number of exploited users are irrelevant when talking about how secure a system is. There is a saying: security through obscurity isn't security. This has certain logical implications - one of those is that not being secure means you have a lot of *known* bugs (thus not obscure). It also implies (but doesn't logically prove) that just because you haven't had one means you are secure - it means there are MANY other factors there.

      Were I to bet I would say Android will get the first followed closely by Apple simply because they are the two big players in the consumer market (corporate being fairly locked down) and the fact that there are more older Android out there means more known issues. Though given how Apple has responded to the PDF remote exploit I wouldn't give much more than even odds on it either. There have been more than a few truly serious exploits on Apple systems go out that were either never exploited (and you can supply your own reason for this given the length of time a number of these exploits remained live) or were not generally reported on. You response when one takes the whole PDF remote exploit into account more or less validates with the OP was saying - that I left my alarm off, all the doors and windows open on my house, and I put a big sign in yard that told people of this fact yet I wasn't robbed doesn't mean I was secure. That you think you are is *exactly* what he/she was posting about.

      --
      ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
  4. Android less secure? by cyber-vandal · · Score: 4, Insightful

    Windows is an easy target because it's a huge badly-secured monoculture. How does having several different versions of Android to attack make it similarly insecure?

    1. Re:Android less secure? by Microlith · · Score: 3, Interesting

      I don't think it makes it more insecure so much as harder to close the holes. Handset vendors and carriers, for a long time, have worked with devices that generally could not be exploited in such a fashion, and probably don't have any means of getting such fixes out to their users within an acceptable time frame.

    2. Re:Android less secure? by bsDaemon · · Score: 4, Insightful

      The mistake of letting users interact with them. Users are the number one security flaw in any system.

    3. Re:Android less secure? by jonescb · · Score: 2

      Ah yes, the old security by obscurity argument. If these "hackers" were worth their salt they'd be doing something a bit more sophisticated about exploiting Linux servers than slamming them with botnets with DDOS/brute force attacks.

    4. Re:Android less secure? by node+3 · · Score: 2, Funny

      The mistake of letting users interact with them. Users are the number one security flaw in any system.

      Sure, a daemon would say that, wouldn't it?

    5. Re:Android less secure? by akadruid · · Score: 3, Interesting

      Windows is a high value target, which was once crippled by it's backwards compatability with DOS and low skilled userbase. Microsoft, whatever their flaws, have some properly clever people and serious vested interest in addressing this problem, and they've finally put out a release that is fairly secure out of the box and somewhat usable - while still providing fairly timely security patches for a 10 year old release. Which is why the most serious threats are now coming from widely deployed software from less responsible companies (Adobe).

      Android is the exact opposite. Very few smartphone manufacturers care enough to issue regular updates for their phones, especially once you get outside of the US market. Even on the US market, most smartphones have had exactly one update: from 1.5/1.6 to 2.0/2.1 usually. No monthly security updates, and nothing at all for obsolete phones over 12 months old. You'd better hope that nobody else has the time to look at your phone that your carrier has forgotten about.

      --
      "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
  5. Re:This is why I prefer my BB by jedidiah · · Score: 2, Interesting

    The problem with all of this nonsense is that there seems to be the implicit
    assumption that Windows is the yardstick. Windows is the single worst thing
    out there. Even all of the other desktop OSen are much less of the problem.

    Clearly the dividing line isn't "desktop OS' versus 'mobile OS'.

    They are really more alike then they are different.

    So it used to be "PCs are bad, flee to Macs and you will be safe".
    Instead now it's "PCs are bad, flee to iPods and you will be safe".

    --
    A Pirate and a Puritan look the same on a balance sheet.
  6. Re:This is why I prefer my BB by RyuuzakiTetsuya · · Score: 2, Funny

    my iPod nano's never had a virus, a worm or a trojan, but a Greek dude with a bad cold did sneeze on it once.

    --
    Non impediti ratione cogitationus.
  7. Marketing by Kupfernigk · · Score: 3, Interesting
    Apple is trying to attack Android, which is growing in marketshare much faster than the iPhone. So they are trying to encourage the view that a monoculture is a virtue, and the various flavours of Android are somehow fracturing the market. (One phone to rule them all...)

    Personally I think this is complete nonsense. Android runs on a lot of devices - soon to be added is the Toshiba AC100 netbook, so it will run on everything from entry level phones to small computers - which involves numerous changes in UI arising from optimisation and features. But the underlying architecture should make it possible to ensure that things are properly partitioned to give a robust security model, and Google isn't exactly short of brainpower. I suspect that just as we had the Microsoft trolls trying to minimise reports of Windows security issues, here we have Apple trolls trying to find narratives to attack Android.

    And no, I don't use Android.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  8. Re:This is why I prefer my BB by dc29A · · Score: 2, Insightful

    Windows is the single worst thing out there.

    Or more likely, your simply inept.

    Ah ... the irony!

  9. Re:PDF by emocomputerjock · · Score: 2, Funny

    That's what saving throws are for.

  10. Re:PDF by grub · · Score: 2

    Your iPhone needs to be made with finely ground unicorn horns, that means only the 3GS and up. The older models were made with pixie dust embedded in the circuit boards.

    --
    Trolling is a art,
  11. Re:it's almost like we did a complete reboot by Anne+Thwacks · · Score: 2
    Fair enough - a week of playing with my new HTC desire has left me feeling pretty hostile to my carrier!

    I am particularly hostile: because I cant login as root! I also want to open a terminal window and SSH into my servers.

    --
    Sent from my ASR33 using ASCII
  12. Tech media has no clue about true security by hellfire · · Score: 2, Interesting

    I keep hearing a lot of theories about security from the tech media like they know security. The problem is that security is a great way to scare up hits and freak people out so it's useful to write articles pandering in one direction or another, but there's rarely any true science to the articles, no figures, no statistics, no hard examples. This is because all that is boring and doesn't get hits, but it's what it takes to truly determine what is and what is not secure. Nothing is 100% secure, but then again we have this false sense of how architectures and security work. It's just BS.

    This is the same kind of argument about how pundits spread the myth Macs are not any more secure than windows because hackers aren't targeting it. There's no evidence to back that statement up, and there's no evidence that Android less secure just because there are various flavors. In fact that can make it harder because one hack might not work on multiple flavors. That's even one of Androids problems now, that it's sometimes difficult to get a single app to work on multiple Android OS devices. You could then posit that the iPhone is easier to hack because the OS is so similar and the number of iOS devices in the wild is much higher than Android. But that's BS too because the iPhone is such a locked down system that in order to install anything you have to go thru the iTunes app store gatekeepers. The other way in is thru Safari, but that's really the only other way, and well now we know the security of Safari is BS because of that hole that they found in iOS 4 they used for jailbreaking. But compared to windows and compared to each other, which of these has had more critical vulnerabilities? The article gives me nothing.

    Despite all this positing, it comes down to number of hacks, and what the hacks are. I could not truly begin to tell you which handhelds are more secure than others because no one, including this article, has any facts. The article eludes to "security circles" but who knows who those people are.

    I think we should ban security articles from Slashdot unless they have a certain level of scientific statistics or hardcore evidence. Most articles about computer security on slashdot are not news for nerds, they are news for "platform fanboi weenies who want to start a flame war about which platform is more secure."

    --

    "All great wisdom is contained in .signature files"

  13. One print page for InfoWorld article. by antdude · · Score: 2, Informative

    http://infoworld.com/print/135570 ... You're welcome! :)

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  14. Re:it's almost like we did a complete reboot by Sax+Maniac · · Score: 2, Interesting

    ConnectBot lets you ssh anywhere without rooting. As for root, it's not as useful as it seems once you have CyanogenMod installed.

    --
    I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
  15. Re:it's almost like we did a complete reboot by RMH101 · · Score: 2, Interesting

    Head over to xda-developers.com and install a rooted ROM. It's pretty easy, and they're very nice. Tend to be faster, more featureful and more stable than OEM if you pick the right one. I like AuraxTSense 7.1 on my Desire. It also adds open VPN, which is pretty nice.