Mobile Active Defense for iPhone
As a long-time Mac user, I take some comfort in knowing that my system is, arguably, a safer computing environment than most. However, I try not to be too arrogant when it comes to computer security. As a developer myself, I know that all software contains bugs, and some of these can be serious enough to allow malicious hackers to exploit them. The overwhelming market share of Windows machines makes them a bigger—and easier—target for malware creators, but if the tide were turned, OS X could just as easily be on the defensive.
With that “comforting” thought in mind, let’s now think about the smartphone market. A smartphone is really just a computer in a cell phone’s clothing, running flawed software built by imperfect humans. (Yes, even Apple’s iOS is not perfect!) Thus, just like “real” computers, smartphones also have the potential to be compromised by the exploitation of critical software bugs. Now, consider which mobile OS has the largest share of Internet use (as of this writing, anyway) and, therefore, a big target on its head too.
At this point you’re probably thinking… How on earth could malware get on my iPhone, iPod touch or iPad? Well, the easiest way to compromise a computer is to send its user a malicious e-mail message. Simply opening or viewing a document or image that takes advantage of a flaw in the software that’s used to view it (like Microsoft Word, Adobe Acrobat Reader or your Web browser) can compromise your computer. E-mail messages can also contain links that will send the your Web browser to phishing sites that try to trick you into revealing usernames and passwords, or to sites containing malicious code that will run automatically on the your local machine. Now, with more and more people accessing their e-mail on their mobile devices, it seems only logical that malicious hackers will inevitably extend this exploit to the smartphones too.
There are many solutions available for desktop computers which help protect you from this sort of attack, but smartphones are currently lacking in this sort of protection. MAD Partners wants to address this shortcoming by providing an e-mail security service, including a $17 iPhone app, targeted at both regular consumers and IT professionals, which is designed to help protect iPhones, iPod touches and iPads from being exploited via malicious e-mail attacks.
This app, called Mobile Active Defense, or MAD for short, acts as an ever-watchful e-mail filter, nabbing the bad stuff and letting only the good stuff through. As of this writing, the company also provides an app for Windows Mobile, with versions for Symbian and Android still under development. Additionally, the service can also be used with desktop e-mail clients, such as OS X’s Mail and Microsoft Outlook. It reportedly supports all IMAP and POP3 e-mail services, but does not yet support Exchange servers. Exchange support is reportedly under development as well.
The MAD app actually doesn’t run continually on your iPhone; it’s used only to set up and configure a special e-mail account on the company’s servers. This account, which sits between your regular e-mail account and the Mail app on your iPhone, is the key to how the system works. Setting everything up is not difficult but, due to Apple’s security restrictions, the app can’t access the existing e-mail settings on your iPhone. You’ll need to re-enter that info during the set-up process. Therefore, before you begin, it’s a good idea to visit your iPhone’s Mail settings screen and write down that info, including your SMTP settings.
Once you’ve done your homework, open the app and go through its short setup wizard. When you’re finished, you’ll have an account on MAD’s servers (with a year of e-mail protection included; additional years are available via in-app purchase) and a new e-mail account on your iPhone—this is your “protected” account. You should then go to your Mail settings and disable your main account. (It’s not necessary to delete it from your iPhone if you don’t want to; just disable it so that the only mail coming into your phone is from your protected account.) From then on, the system at MAD periodically queries your main e-mail account, copies new messages to its servers, and then analyzes each one for Evil. Malicious messages are discarded and the safe ones are transferred to your protected e-mail account, where they then show up in the Inbox on your iPhone. (Remember… all the original messages continue to be available on your main e-mail account, which you can still access directly via your desktop computer or Web browser.)
As you might imagine, this process adds some overhead between the time a message is received in your main e-mail account and when MAD’s system has retrieved it, vetted it, and then made it available on your sanitized… account. My tests resulted in a delay ranging widely between 2 and 10 minutes.
If you think such a delay is an acceptable tradeoff for the promise of greater security on your iPhone, then the next question to ask is: how reliable, effective and secure is this service? Unless you’re a professional security research firm, this can be difficult to test absolutely. I don’t claim to be a security expert, so my tests are more anecdotal than scientific. But here’s what I did. First, I setup a special Gmail account to use only for testing MAD. I then performed the following tests:
• I sent myself attachments that exceeded the size I setup in MAD’s settings. Gmail happily let them through, while MAD successfully blocked them from my iPhone. (Oddly, e-mail attachment size is the only setting under your control, at least in the consumer version of the product.)
• I then sent myself some messages that every properly configured mail server should consider unsafe—that is, ones containing attachments of Windows executable files (.exe, .com, .dll, and so forth). As I figured, those messages were filtered by Google, so they never made it to MAD’s servers. (Granted, those would have been benign on an iPhone anyway.)
• I ran an e-mail security test provided by GFI, a company that produces a variety of enterprise-level e-mail security products. Of the 17 vulnerabilities tested, Google let nine of them through, and MAD’s system didn’t filter any of them further. (Again, these vulnerabilities are ones commonly found on Windows machines.)
• I then gathered a group of URLs of alleged phishing and malware sites, as reported by SpamCop and Google. Because my main account is hosted on Gmail, I assumed it would block these messages, which it did, so they never made it to MAD’s service.
Based on these admittedly unscientific tests, in my case, MAD didn’t provide much improvement over Google’s built-in measures. However, depending on where your e-mail account is hosted, and the types of e-mail you receive, your mileage may vary.
Based on my testing, I think the following improvements would make the system much more useful:
• Provide greater control over all the filter settings, beyond only the email attachment size that’s offered currently.
• Supply reports showing MAD’s filtering activities, with the ability to tweak your settings to control what is being blocked and/or allowed through.
Even though smartphone exploits are few and far between today, it’s sure to get worse in the future. Plus, one can say that there’s some value in filtering out e-mail garbage, beyond reducing the inconvenience of deleting it from your inbox manually. Even though the majority of e-mail exploits today fall short on iOS devices and Macs, they may still pose a danger to other machines should you inadvertently forward them to other users. So, why risk being a Typhoid Mary and innocently pass along infected e-mails to your friends while remaining uninfected yourself?
How you guard against that depends upon a variety of factors. If you feel you need an additional layer of software protection, then MAD is a possible solution, although, in my case anyway, its effectiveness was inconclusive. Luckily the developers provide a 30-day trial of MAD, so you can try it for free and judge for yourself.
In any case, developing smart e-mail habits—for starters, turning of the automatic display of images, not clicking on links in e-mail messages and being careful about opening unknown attachments—goes a long way in safeguarding oneself from nasty messages beyond running protective software on your computer or phone.
[Brian Beam is a web developer and partner with BOLD Internet Solutions, living somewhere near Kansas City.]