I'm more worried about losing my cell phone than I am about getting my wallet lifted. Probably I shouldn't fret over a physical loss -- with password protection, you can set your misplaced iPhone or BlackBerry to wipe its data after 10 unauthorized access attempts (unless your password is "password"). What troubles me more, though, is that we haven't begun to seriously grapple with mobile security, mostly because hackers aren't flooding the space. But they will be.
Mobile security is distinct from standard PC protection, but not for the reason that you'd think. It's not from any inherent differences in how the computing engines on smartphones work. Rather, it's because there are so many different platforms that misanthropic virus creators have to do lots of work to port their nasty stuff onto enough phones to wreak real havoc. It's analogous to the security advantage (perceived or real) that Apple has had over the PC because there are fewer Macs than PCs, so they've presented less of a hacker target.
At least, that's the way the argument used to go. Seems to me that there are enough iPhones, BlackBerrys, and Windows Mobile devices out there that a hacker does indeed have a couple of ripe targets. (What about Symbian-based phones? Actually, they fall under the multiplatform exception, because there are numerous slight differences between the many hardware/software combos and permutations, which necessitate multiple virus ports if a hacker is seeking to spew widespread infection.)
Which leads us to the two different approaches toward smartphone security. There's back end, and there's user-facing.
Take BlackBerry. Research In Motion, the maker of the device, eschews PC-like security programs installed on the handset. Instead, it applies an iron-clad lock-down approach to make sure it has good security on its enterprise server, which is funneling e-mails and calls from your company out to your trusty BlackBerry.
"Our approach is defense in depth -- containment," Alan Panezic, VP of RIM's platform product management group, told me at a recent briefing where the company previewed RIM Enterprise Server 5.0.
Containment also is how Apple comes at the problem, though it's much less voluble on the subject than are the folks at RIM. When I talked to the RIM folks, they were extremely forthcoming and I got the impression they'd be happy to walk me through all their detailed documentation. Which was great, but I had to get home for dinner. Apple, which I spoke with last fall for my story, "Is The Smartphone Your Next Computer?," was gracious but succinct. Folks there pointed to a laundry list of features, including support for Microsoft Exchange. (This means, practically speaking, that the security on Web-mail-enabled Exchange extends out to when you access the stuff on the iPhone.)
Here's the relevant quote from that story:
"Jozwiak [Greg Jozwiak, VP of iPhone marketing] points to a long list of iPhone security features implemented after the company listened to enterprise IT pros. Those include Exchange support, industrial-grade VPN and Wi-Fi security, and Cisco IPsec VPN support. Apple also supports two-factor authentication and the ability to remotely wipe the devices of data should they be lost or stolen."
A big part of Apple's security presumably comes from their tight control over the iTunes App Store. Presumably it would be difficult for developers to sneak malware into one of the downloadable iPhone apps, because they go through the approval process. As an iPhone user, though, I sometimes wonder how you would be able to distinguish a rogue app from one that's just badly written and crash-prone, like so many of the current third-party offerings.
OK, so the final approach, applicable on Windows Mobile (and many Symbian) devices, is the traditional, forward-facing security program. This is where you have a cell phone analog of, say, Norton AntiVirus. Or, in the example I'm going to use, Kaspersky Internet Security. Here's a nifty screenshot of Kaspersky Mobile Security. It's available for Windows Mobile and Symbian phones. (Dept. of Disclaimer Dept: Note that I'm not saying there's no back-end security under Windows Mobile. Just that you have these user-facing programs, too, which you don't tend to see on the other platforms.)
Trend Micro also offers mobile security products. It's got the client end covered for Windows Mobile and Symbian phones -- there's a free trial download here -- and it also offers endpoint (aka network-end) protection.
McAfee's mobile products, including its Mobile Security for Enterprise package, are posted here.
Symantec's Norton Smartphone Security, for Symbian and Windows Mobile, is here.
Here are some cool screenshots of Kaspersky Mobile Security:
Kaspersky Mobile Security running on a Windows Mobile smartphone.
So here's the rub, though. With all this heavy-duty security in play, will we succeed in tamping down mobile hacking? Unlikely, because most protection tactics won't effectively stop what's likely to be the most dangerous mobile scam: mobile phishing.
Think about it: The mobile Web browser is the upcoming uber portal for e-commerce. Mobile banking hasn't really taken off yet, but it will. Think of the Chase Bank "Texting Chad" commercial, which shows mom checking her bank balance while shopping at the mall with her two kids. It's more realistic than an earlier rev which had a rock-climber text-obsessing over overdraft protection. Which means mobile banking is like ATM usage back in 1978 -- namely, it's going to be widespread soon. So is mobile phishing.
Alex Wolfe is editor-in-chief of InformationWeek.com.