No security winner from iPhone, Blackberry, Android

By on
No security winner from iPhone, Blackberry, Android
Amit Klein, Trusteer, told AusCERT information security delegates that all the desktop baddies were on their way to mobile devices. photo: Nate Cochrane

Walled gardens, sandboxes equally insecure.

If you think BlackBerrys are more secure than iPhones, and Android users are simply victims in wait, then you’re wrong, according to the head of Trusteer.

Walled gardens and sandboxes do not significantly improve security nor does their absence reduce it. Rather, malware can operate effectively across all mobile environments.

“I am not a believer in sandboxing or the closed app stores,” Amit Klein said.

“At the end of the day, the security of the mobile devices will depend more on the availability of the operating system APIs to security vendors, and the ability of vendors to integrate with the devices, rather than with any feature [in the smart phones] today."

Klien said it was too early to determine which device was more secure. That decision would ultimately be decided by the availability and quality of security products for the devices, he said.

Presently, mobiles are not a big enough target for malware writers, but Klien said this would change in the next 12 months.

“We are seeing the desktop malware lifecycle being ported to the mobile world,” he said. “Browser add-ons, keylogging, plug-ins, HTML injection all of [these techniques] can be ported without much effort to make effective mobile malware”.

Back-end technologies like GUIs, databases, distributed command and control servers and encrypted traffic, and mule servers can also be ported to build mobile malware.

Malware that would take years to develop would now take months. “There are tools available to make malware move very quickly to mobile,” Klien said, adding criminals were waiting for mobile banking to become more popular.

“They will be there in months once the money is there.”

He said out-of-band channels, like SMS-token authentication, were not sufficient defences and could be all compromised by mobile malware.

Klien also expected remote-controlled botnets to be built for mobile phone platforms by the year’s end.

Defensive technologies like anti-virus and firewalls would move to mobile platforms too, but the former was ineffective, Klien said.

Banks would also harden up against malware, and look to detect infections and jailbreaks on devices, as well as securing mobile banking web sites.

Klien's statements follow news that German researchers have discovered flaws in the way Android phones handle tokens that expose application user data.

Researchers said user details were vulnerable to man-in-the-middle attacks because they did not use HTTPS, and tokens remained valid for weeks.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia


Most Read Articles

Log In

  |  Forgot your password?