Symantec taps mobile apps as next threat

Symantec's security response team has begun building a database of common API calls made by mobile applications, with a view to developing a whitelist to inform the security and privacy tools mobile users will require in the future.

The vendor has no immediate product plans for protecting this emerging mobile space, owing to the low number of threats recorded to date. The number of malware threats targeted specifically at mobile users has remained relatively low, even as the sale of smartphones and mobile apps have gone through the roof.

But the folks at Symantec's Security Response Team - the frontline of the vendor's war on malware and the "eyes and ears" that inform the vendor's future product plans - are concerned about a future where ad-supported applications - and even commercial applications - cross the line in terms of security and privacy.

The programs made available on mobile app stores, says security response team director Kevin Hogan, often ask users for permission to access data that should ring alarm bells in terms of security and privacy. But that assumes that a user actually understands how the app works.

At an event in Tokyo yesterday, Hogan conceded that the app store model, under which applications are vetted by vendors such as Apple or RIM, has shielded mobile computing from the malware plague that hampers the PC industry and not left security vendors a lot of work to do.

"I would agree that this vetting process mitigates risk," Hogan said. "But it doesn't entirely remove risk."

While the 'closed' approach taken by Apple and RIM in particular has just about shut the door on mobile malware, the approach is consistently under threat by more open platforms such as Android, where there is less vetting involved.

Telcos such as the largest two operators in Japan and Telstra in Australia have abandoned 'closed' mobile platforms in favour of Android to cater to user demands.

The Symantec Security Response Team thus feels obliged to prepare for a future in which malware is inevitably spread via these channels. Today the team demonstrated the use of one Android-based threat - Geinimi, to gain access to user phone numbers, SIM card numbers, geolocation information, calls and short messages.

Hogan said he doesn't expect the mobile device to become a target for zombie clients, being that such devices lack the compute and network resources to effectively build a successful botnet.

"I don't think for the next two years we should expect malware to be a problem on mobile," he said. "But what will be an issue is privacy - what information you agree to share."

Hogan said users often accept requests for new applications to make questionable API calls - and that increasingly security vendors may be called upon to interpret these messages, inform users or take appropriate action when the calls are unreasonable.

Symantec's secuirty response team has been crawling common API calls on the world's most popular mobile app platforms (iOS and Android) with a view to building a database of what devices should reasonably expect an application to ask for without breaching security or user privacy.

"We need to know what is normal," he said.

He said that there are "disclosure issues" at play around what an API call actually does with a user's data. Organisations can interpret this information - but not on the device itself. Such static analysis, he said, requires computational power that is a better fit for a cloud service.

Although there are no products available for the market yet, Hogan predicted the response team's data will prove valuable to Symantec's bottom line one day in the future.

"We are the eyes and ears at threat-level," he said. "Its our job to identify what might be needed."

Brett Winterford travelled to Tokyo as a guest of Symantec