There have been increasing reports of intentional and unintentional data compromises associated with smart phones. A smart phone is basically a small computer. Apple has already taken this metaphor to the next step with the release of the iPad, which uses the iPhone operating system.
Each smart phone operating system uses applications, or apps, from the smart phones’ app stores. The leaders are Apple’s iTunes store and Google’s Android Marketplace. Each store has to manage hundreds of thousands of these apps. No wonder nefarious apps can slip in.
Here are some issues I’m aware of:
Last July there was a text messaging flaw that targeted iPhone, Android and Windows smart phones: a series of SMS text messages would allow an attacker to execute a file and take over the phone. More recently, criminals have installed Trojans that trick phones into texting premium-rate 900 numbers.
Criminals developed and deployed mobile banking applications on the Android Marketplace that targeted several financial institutions, in order to capture the user id and password the consumer entered to log into their financial institution. These applications were identified and removed.
A major financial institution came forward with the news that one of its iPhone apps contained a flaw that logged data entered into the app to a hidden file on the user’s phone. The data included the mobile banking user id and password. They did the right thing: they identified and fixed the issue, then let everybody know about it. We can and should learn from each other’s mistakes.
A much more serious flaw is the iPhone keystroke logger, which Apple developed to “help” the user by recording everything they type in the iPhone keyboard cache. This is a significant issue not just for the personally identifiable information (PII) that a user enters into their phone on a daily basis, but also for corporate information when smart phones are used for both personal and business purposes.
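The two flaws above, an app writing the login form to a hidden file and a keyboard cache retaining whatever was typed, share one root cause: data the user entered was persisted without anyone deciding whether it was sensitive. As an added example (not from this post or from any of the apps it mentions), the Python below puts the flawed logging pattern next to a redacting version and adds the release-test check a developer can run: type canary credentials during a test run, then scan everything the app wrote to disk for them. The field names and sample values are constructed.

```python
import json

# Constructed sample input: the fields a mobile banking login screen might submit.
LOGIN_FORM = {"user_id": "jsmith", "password": "Tr0ub4dor&3", "device": "iPhone OS 3.1"}

# Field names whose values must never reach a log file, cache or crash report.
SENSITIVE_KEYS = {"user_id", "password", "passwd", "pin", "account_number", "ssn"}


def log_form_unsafe(fields):
    """The flaw described above: a debug line that serialises the whole form,
    so the user id and password end up in a file on the device."""
    return "login attempt: " + json.dumps(fields, sort_keys=True)


def redact(fields, sensitive=SENSITIVE_KEYS):
    """Return a copy of the form with sensitive values replaced by a marker.
    Matching is case-insensitive on the key name; the values themselves are
    never inspected, so a password that happens to look harmless is still removed."""
    return {k: ("[REDACTED]" if k.lower() in sensitive else v) for k, v in fields.items()}


def log_form_safe(fields):
    """Hardened version: redact before the record is built, not after it is written."""
    return "login attempt: " + json.dumps(redact(fields), sort_keys=True)


def find_leaked_secrets(log_text, known_secrets):
    """Release-test check: given everything the app wrote to disk and the canary
    credentials typed during the test run, return the 1-based numbers of the
    lines that contain any canary. An empty list means no leak was found."""
    leaked = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if any(secret and secret in line for secret in known_secrets):
            leaked.append(lineno)
    return leaked


if __name__ == "__main__":
    canaries = [LOGIN_FORM["user_id"], LOGIN_FORM["password"]]
    on_disk = "\n".join([log_form_unsafe(LOGIN_FORM), log_form_safe(LOGIN_FORM)])
    print(on_disk)
    print("leaking lines:", find_leaked_secrets(on_disk, canaries))  # [1]
```

The same canary scan applies to any file the app leaves behind, including keyboard caches and crash reports, which is how the hidden-file flaw above would have been caught before release.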
Bottom line: as with any new technology, convenience trumps security in order to get users on board. Additionally, it is very difficult for the people who create something to find all of the flaws in a product or service; they cannot imagine the ways criminals will attack it. Even the creators of the Maginot Line failed to lock their back door. We need to learn from the last 15 years of desktop computer insecurity and implement best practices, particularly in the area of secure application coding, testing and deployment.
With the speed at which technology changes, a once-secure application can be undone by one line of code. The key is to bring security experts into the product development process early, so their input can create a layered defense that is easily modified over time to respond to novel criminal attacks and mistakes.