Editor’s Note: The following article is reprinted from Network World.
All evidence points to the fact that smartphone viruses will be a threat to your network even though they aren’t at this moment. After all, the latest mobile devices are packed with more and more applications and corporate data, are enabled for real Web browsing and online collaboration, and can access corporate servers. What’s more, they live outside your firewall and often make use of three wireless networks (Bluetooth, Wi-Fi and cellular).
“It’s definitely something I worry about a lot,” says Sam Lamonica, CIO of Rudolph & Sletten, a Redwood City, Calif., general contractor. “With the proliferation of smartphones throughout our business, it poses a great risk if and when hackers get good at pumping malware through those devices.”
A 2007 survey of 450 IT managers found Lamonica is not alone. Eighty percent had antivirus products installed. Yet about 40 percent had been hit by a worm or virus in the past 12 months. Of those that were hit, 30 percent said that being unable to reach mobile users who were disconnected from the network contributed to the intrusion or failure that allowed a virus onto their network.
“The phone has advanced exponentially, while users have not caught up and realized that they are walking around with a computer,” says Mark Olson, Manager, Beth Israel Deaconess Medical Center in Boston.
That’s shown by the success of Apple’s iPhone. Its users are among the first to do intensive and extensive mobile Web browsing, enabled by the performance of the phone’s Safari browser. But Web browsing also enables a range of malware for smartphones in general. “If you go to Twitter [on the Web], you have to rely on Twitter security,” says Tom Henderson, a Network World Clear Choice tester, and managing director for ExtremeLabs in Indianapolis. “You can get cross-site exploits that can dive down into the phone’s browser. Then, it’s a problem.”
“Anything that is network connected and can be altered is a potential threat,” says Rob Enderle, principal analyst for Enderle Group, a technology advisory firm in San Jose. The growing “socialableness” of smartphones, via everything from e-mailing to instant messaging and even texting, provides opportunities for tricking users into downloading malware, he says.
To date, major malware outbreaks on smartphones, on the scale of PC infections of past years, are almost unheard of. Early mobile phone viruses, such as Cabir, Skulls and Fontal, targeted a specific operating system, usually Symbian, and required users to accept a download and then actually install files. Infections were typically limited to a few score devices.
But if those few score smartphones are all yours, it’s actually worse than some malware romping through millions of PCs. As companies standardize on a specific smartphone platform, they run a growing risk of malware reaching a significant percentage of those devices, Olson says.
“Most of the known viruses and Trojans will propagate through Bluetooth or Multimedia Messaging [MMS],” Olson says. “So all it takes is one person walking into a meeting with an infected device, and the rest of the room now needs a dose of ‘penicillin.’”
Now is the time to start thinking systematically about these issues, because there is no simple, formulaic solution to the problem of smartphone security.
“It’s really important in planning a mobile deployment of devices outside your firewall, that you establish a mobile security strategy, including application security,” says Scott Totzke, vice president of the Global Security Group for Research in Motion. That means creating a comprehensive security scheme that can be monitored and enforced through a collection of software products, enforceable policies, and user awareness and training.
A key element in this strategy is handling the software that users can, or can’t, load on these devices, Totzke says. “You create an approved list of applications, and the privileges they have when they’re running on the handset,” he says.
Unauthorized downloads can be blocked, and so can unauthorized actions by “legal” applications.
One emerging option, already established in Europe, says Stan Schatt, vice president for wireless connectivity at ABI Research, is a managed service for mobile security, such as the one recently unveiled by Sprint. For a monthly fee, the carrier pushes out regular patches and security fixes. Some vendors, such as Fiberlink Communications, offer a managed service for mobile security.