Slashdot Mirror


Your Smartphone Is Safer Than Your PC — For Now

snydeq writes "InfoWorld's Galen Gruman reports on the future of mobile security — one that will see a significant rise in exploits as valuable information increasingly migrates to mobile devices. To date, sandboxing and code-signing have helped make mobile OSes relatively secure, when compared with their desktop brethren. But as devices store more valuable information than email, they will become more enticing to hackers currently breaking into Windows PCs. And the biggest bulls-eye appears to be on Android, in large part because its architecture is most like that of the desktop PC but also because there are so many variants in use — too many for Google or the carriers to patch securely. And as the PDF-jailbreak vulnerability showed, sandboxing has its limits when it comes to securing the browser — the most likely point of entry for exploits not due to the rise of extensions, helper objects, and plug-ins on the mobile Web."

17 of 125 comments

  1. Irrelevant to me by Anonymous Coward · · Score: 5, Funny

    I have a stupid phone.

    1. Re:Irrelevant to me by rthille · · Score: 3, Funny

      Your bank account is 42910-44937
      You really shouldn't lie to your girlfriend like that
      And call your mother more often.

      -The NSA

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    2. Re:Irrelevant to me by Jurily · · Score: 3, Informative

      your girlfriend

      You know this is Slashdot, right?

  2. Are variants a bad thing? by DrXym · · Score: 4, Insightful

    And the biggest bulls-eye appears to be on Android, in large part because its architecture is most like that of the desktop PC but also because there are so many variants in use -- too many for Google or the carriers to patch securely.

    So if an exploit occurs it will likely only affect some handsets as opposed to every handset.

    1. Re:Are variants a bad thing? by John Hasler · · Score: 4, Insightful

      So if an exploit occurs it will likely only affect some [Android] handsets as opposed to every handset.

      But the scary news stories will omit that little detail.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Are variants a bad thing? by djdanlib · · Score: 3, Insightful

      So we'll all be depending on multiple carriers' good patching practices, to make sure the patch for foolib-1.2.3-r4 gets pushed to all their Frobnitz Model 200 phones that they released two years ago and have since deprecated and replaced with Model 201, 220, 240, and 250, now with more shiny (but everyone still gets them because they're free with a new contract.) And by the way, it's going to be on your data bill. Call me pessimistic, but I don't think it'll happen in a timely fashion when someone discovers a vulnerability.

      Crackers compete over who can own the most boxes just so they can have bragging rights. Oh look, such-and-such group disabled e911 for 20,000 people, why hasn't OUR group done that yet? We'd better do something even bigger so we can be elite again. Someone will find the loose rivet in the armor, and it'll be like a colonial land grab for a few months until the patch gets distributed.

    3. Re:Are variants a bad thing? by tlhIngan · · Score: 3, Insightful

      So we'll all be depending on multiple carriers' good patching practices, to make sure the patch for foolib-1.2.3-r4 gets pushed to all their Frobnitz Model 200 phones that they released two years ago and have since deprecated and replaced with Model 201, 220, 240, and 250, now with more shiny (but everyone still gets them because they're free with a new contract.) And by the way, it's going to be on your data bill. Call me pessimistic, but I don't think it'll happen in a timely fashion when someone discovers a vulnerability.

      It's already happened on Android. Manufacturers are out making their latest rev and they ignore the bugfiles to their current line of phones. Or they do and pass it onto the carriers who may or may not force an update. Of course, if said update will remove things like root and custom ROMs, they'll probably push it.

      But phones getting abandoned at whatever Android version they shipped with are already happening - I think the early Samsung phones were promised 2.0, but ended up with 1.6 only with an official letter. And others are stuck with 2.1 with no upgrade to 2.2. The only good part is these phones often are early models and easy to root and recover, so unofficial ROMs exist. But later ones may not be so lucky.

      Really, the only Android phone that's not under carrier control is the Nexus One, which gets updates straight from Google. The weird thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone.

      Google's big enough, let's see it happen and end all this Android loaded with crapware stuff.

    4. Re:Are variants a bad thing? by Sancho · · Score: 3, Informative

      The weird thing is, why can't Google pull an Apple? The iPhone gets updates from Apple, leaving out the carrier middleman, even if the user is paying a contract on the iPhone.

      Because Android is an open platform. The carriers take Android, mold it to fit their needs, and put it on their phones. Google, or rather the Open Handset Alliance, doesn't have any say on it. That's how carriers can get away with modifying the source of the Hotspot app to only work if the customer pays extra.

      This is the downside to GPLv2. The Tivoization loophole means that carriers can do this, release the source, and you still can't (necessarily) modify the source and put it on your phone.

      Google started taking steps to address some of this by moving more of their apps to the app store, but you still have issues with system libraries and the kernel. Without root, an app can't update these.

    5. Re:Are variants a bad thing? by beakerMeep · · Score: 3, Insightful

      Indeed. And as the Apple PDF exploit showed, Android is in trouble.

      --
      meep
  3. And the first ones out of the gate will be easy by elrous0 · · Score: 3, Insightful

    People have such a false sense of security about their smartphones right now that the first virus or truly inventive hack is going to have a frickin' field day. iPhone users are particularly cocky about how secure their phone is (and Apple isn't exactly a speed demon when it comes to security patches for their OS's either).

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:And the first ones out of the gate will be easy by node 3 · · Score: 4, Insightful

      People have been saying this about the Mac for a decade now, too. I'm glad I didn't hold my breath waiting for this supposed apocalyptic day of comeuppance...

    2. Re:And the first ones out of the gate will be easy by recoiledsnake · · Score: 4, Funny

      The real reason is that malware authors cannot afford Macs :)

      --
      This space for rent.
  4. Android less secure? by cyber-vandal · · Score: 4, Insightful

    Windows is an easy target because it's a huge badly-secured monoculture. How does having several different versions of Android to attack make it similarly insecure?

    1. Re:Android less secure? by Microlith · · Score: 3, Interesting

      I don't think it makes it more insecure so much as harder to close the holes. Handset vendors and carriers, for a long time, have worked with devices that generally could not be exploited in such a fashion, and probably don't have any means of getting such fixes out to their users within an acceptable time frame.

    2. Re:Android less secure? by bsDaemon · · Score: 4, Insightful

      The mistake of letting users interact with them. Users are the number one security flaw in any system.

    3. Re:Android less secure? by akadruid · · Score: 3, Interesting

      Windows is a high value target, which was once crippled by its backwards compatibility with DOS and low skilled userbase. Microsoft, whatever their flaws, have some properly clever people and serious vested interest in addressing this problem, and they've finally put out a release that is fairly secure out of the box and somewhat usable - while still providing fairly timely security patches for a 10 year old release. Which is why the most serious threats are now coming from widely deployed software from less responsible companies (Adobe).

      Android is the exact opposite. Very few smartphone manufacturers care enough to issue regular updates for their phones, especially once you get outside of the US market. Even on the US market, most smartphones have had exactly one update: from 1.5/1.6 to 2.0/2.1 usually. No monthly security updates, and nothing at all for obsolete phones over 12 months old. You'd better hope that nobody else has the time to look at your phone that your carrier has forgotten about.

      --
      "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
  5. Marketing by Kupfernigk · · Score: 3, Interesting

    Apple is trying to attack Android, which is growing in marketshare much faster than the iPhone. So they are trying to encourage the view that a monoculture is a virtue, and the various flavours of Android are somehow fracturing the market. (One phone to rule them all...)

    Personally I think this is complete nonsense. Android runs on a lot of devices - soon to be added is the Toshiba AC100 netbook, so it will run on everything from entry level phones to small computers - which involves numerous changes in UI arising from optimisation and features. But the underlying architecture should make it possible to ensure that things are properly partitioned to give a robust security model, and Google isn't exactly short of brainpower. I suspect that just as we had the Microsoft trolls trying to minimise reports of Windows security issues, here we have Apple trolls trying to find narratives to attack Android.

    And no, I don't use Android.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."