The new generation of mobile Web browsers is going to introduce a rash of security challenges for enterprise IT departments. The good news is that many of those challenges are familiar ones from desktop browsers.
A December online survey by F-Secure found that about 30% of U.S. and Canadian mobile phone users access the Internet, broadly similar to other regions. The scary thing is that two-thirds of the North American users (and 83% of all respondents) said they lack any security software on their mobile phone — and at a time when mobile Internet use is on the rise with the emergence of mobile browsers that can access the same Web sites as their desktop cousins. AT&T, for example, reported a big jump in data usage among iPhone subscribers, who were using the phone's Safari browser.
IT departments, according to experts, need to focus on three areas: assessing the security architecture and features in the mobile browser and the underlying operating system; working with users on smart and safe browsing practices; and creating a solid handheld device management system.
"Browser vulnerabilities are the easiest way to get remote code running on a smartphone," says Charlie Miller, principal analyst for software security at Independent Security Evaluators (ISE), which has identified a range of mobile security problems. "That's because browsers are pretty complex compared to most programs on a smartphone. Once exploitation occurs, the remote code can do a variety of things."
Browsers make requests to Web sites, downloading HTML pages, images, PDF files, music and video, and applications. Depending on how the browser is designed, and on the underlying operating system, these downloads and file executions can create a range of problems — some accidental, some intentional. The result is that mobile enterprise users could find themselves with an inoperative handset, or compromised corporate and personal data.
One growing area of concern is Web widgets, bits of downloadable code embedded in a Web page. They're growing in popularity on handsets because they offer fast, focused ways to send or retrieve data, without having to go through multiple steps with a mobile browser. Many of the programs available via online application stores, such as Apple's App Store, are widgets.
"They're great because you can certify the application [with a signed digital certificate], but the widget's data may not be controlled, or even controllable," says Norman Woodward, senior manager for wireless at Accenture's mobile communications division. "You can't screen the data before it's downloaded."
Comments (9)

Phone OS security comparisons
By Hobbo on March 10, 2009, 10:19 am
Symbian on Nokia 5800? Linux distributions like on Asus Nuvifone? Why are we concentrating only on Windows and iPhone? It deserved a much better look. This is a...

"the Linux kernel, which was developed originally for mainframe-
By Anonymous on March 10, 2009, 12:48 pm
Huh? No it wasn't. Why should I believe anything in this article when it has such a glaring error?

Why not create access control policies at the network?
By Trent F on March 10, 2009, 1:07 pm
With all of the different devices and software versions should people start protecting their networks by only letting smartphones into limited vlans? Are users doing...

kernel
By John Cox on March 12, 2009, 8:38 am
I based that part of the story on an explanation from one of my quoted sources, not being familiar with the details of the genesis of Linux. I'm double-checking...

Comparisons
By John Cox on March 12, 2009, 8:45 am
It *is* a big market, as I think most enterprise IT professionals recognize. I was referencing iPhone and Windows Mobile as illustrative examples. The story was...

Thanks for the follow-up
By Trent F on March 12, 2009, 10:38 am
Responding to your own blogs on this site is a rarity, so keep it up.