This post is probably going to get my mobile phone hacked, but conflicting news reports have got me wondering whether mobile devices are really as vulnerable as some vendors and doomsayers would suggest.
It would be crazy to say that all mobile devices are perfectly secure. Given that Angela Merkel, the Chancellor of Germany, had her phone hacked, it’s probably closer to the truth that NO mobile device is completely secure. But are mobile phones en masse more or less vulnerable than other systems?
It’s an important question. With the rise of BYOD and shadow IT, in particular, a wide variety of mobile devices are now critical parts of the enterprise network infrastructure, whether or not they’re managed and secured by enterprise IT.
Is the hype justified?
The security industry seems to take for granted that mobile devices are vulnerable and that various kinds of bad actors are busy mobilizing massive attacks on them. But we haven’t actually seen successful mass attacks on mobile devices in the way that PCs have been compromised by the millions by worms and viruses and Trojans and keyloggers.
For example, Android is usually cited as the most vulnerable and most attacked of the major mobile platforms – the Windows of the mobile world, if you will. Studies show that Android accounts for 97% of all mobile malware, and that many international Android app stores contain very high percentages of malware. At the same time, though, Google is employing a full-court press to reverse the perception that its mobile operating system is a virus nightmare waiting to happen, and indeed the Google Play store in the U.S. reportedly contains relatively little malware.
More to the point, there are few statistics on how many phones are actually infected with malware, where those devices are located, and what that malware is actually doing. So here’s my question: if mobile devices are so incredibly vulnerable, and almost no mobile users employ third-party anti-malware solutions, why haven’t we seen a major mobile security meltdown yet?
It can’t be for lack of tempting targets, can it? Given the billions of devices now out in the field, many still relying on older, ostensibly less secure operating systems, it seems like the bad guys would be operating in the Warren Buffett of target-rich environments. And as people and companies around the world increasingly do anything and everything on their mobile devices – from online banking to mobile payments – attacking mobile devices should be just as lucrative as going after desktop PCs.
Smartphones vs. PCs
Maybe, just maybe, mobile security doesn’t present the same kinds of security risks that we all learned from the world of PCs. If mass malware hasn’t shown up yet, maybe we all learned something and the new mobile operating systems don’t lend themselves so much to those kinds of exploits.
Like I said, that doesn’t mean mobile devices are safe. Simply because they’re so easy to eavesdrop on or even physically steal, there’s always the risk of losing data or allowing unauthorized access to various apps and online services. Social engineering seems to work even better for hacking into mobile devices than it does on PCs (see the News of the World scandal). Humans will always be the least secure part of any system.
But those are fundamentally different threats than big-name PC viruses like Mydoom, Sobig.F, ILOVEYOU, Code Red, Slammer, Storm, Sasser, Nimda, Melissa, and Conficker that built a huge PC security industry over the last 20 years.
Until we see mass mobile malware important enough to get its own name, I think we have to step back from worrying about mobile security the same way we worry about PC security. That could change in an instant. Heck, that probably will change all too soon. But it hasn’t happened yet.