Posted by: David Harley | February 10, 2010

Smartphone Security: Apples to Blackberries comparison?

[Was that title a bit too subtle? ;-)]

Sophos researcher Vanja Svajcer has published an interesting commentary on a couple of recent presentations. 

Nicolas Seriot presented at Black Hat on “iPhone privacy”, discussing “iPhone privacy issues and [challenging] Apple’s stance and assertions regarding iPhone security.” The presentation apparently demonstrated that a rogue application can access personal data on an unmodified device “in spite of AppStore tight reviews”.

Tyler Shields presented on “Blackberry Mobile Spyware – The Monkey Steals the Berries” at ShmooCon, making the point that “Your phone holds all of the same personal information as your computer, only in a smaller form factor,” and releasing full source code to spyware.

Vanja’s thoughtful piece makes an excellent point on the limited effectiveness of application whitelisting and certification by smartphone vendors. One of the interesting points about Seriot’s presentation is that it talks about “unmodified” devices. Whatever your views on the ethics of jailbreaking, and irrespective of whether you think it’s a good thing in terms of security, I have to agree. Expecting a vendor to shield you proactively from all malicious applications, whether it’s phone apps or browser plug-ins, is naive.

In fact, there’s another ShmooCon presentation I’m hoping to get a closer look at in the near future, too: Trevor Hawthorn’s presentation on “The New World of Smartphone Security – What Your iPhone Disclosed About You.” According to the presentation summary:

“In this talk we will examine mobile to mobile attacks within cellular IP networks, the iPhone attack surface, iPhone worms, iPhone location-based gaming privacy concerns, and iPhone web application security. Proof of concept attacks, metrics gathered over the last six months, and redacted data gathered during our research will be presented.” 

While I suspect that Vanja’s views and mine are not too far apart on the issue of publishing spyware code, the sad fact is that since such code is being published by legitimate researchers, it can’t be ignored, any more than the more surreptitious code that’s being sold or traded in the more sinister corners of the Internet.

David Harley FBCS CITP CISSP
Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/threat-center/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
