Today, your mobile phone knows where you are, where you are supposed to be and who you should be talking to. We can now instantly connect our real lives to digital information – purchasing tickets, sharing business data or connecting with friends who happen to be nearby.
While we may worry about malware and phishing attacks on our smartphones and tablets, new functionality also breeds new opportunities for the bad guys.
Augmented reality, for example, connects location information with a user’s social media “friends”, enabling them to identify digital contacts nearby.
Unfortunately, users are generally more scrupulous about their real friends than they are with their digital connections. This in turn opens up new prospects for social engineering, such as knowing when you are away from your home for crime purposes.
The more applications and new capabilities we use, the more we increase the attack surface area for cyber criminals. We can expect our lives to come under greater scrutiny with mobiles becoming the combination of a passport, personal record store and social life.
However, mobile devices are not just smaller versions of the PC, even though they increasingly perform identical tasks.
The underlying operating systems, from Android to Apple iOS, use fundamentally different architectures to PCs and manufacturers have introduced new concepts based on traditional operating systems over many years of computing.
Modern mobile platforms tend to have capabilities that can isolate applications. The access control and permission systems have also undergone drastic reform from the conventional OS. Rather than a permissions system based on access to arbitrary items like registry keys, they instead focus on more human access permissions, such as whether an application needs to access your location data or SMS messages.
These capabilities show great promise for producing a more secure, usable OS but they are, as yet, far from perfect.
Many of these controls do not come with smart, secure defaults, or just rely on the user to edit the permissions (and we all recognise the tendency for users to just click “okay”).
These capabilities are not bad news however, as security vendors can manage them to bolster the security of the device.
There have of course been examples of malicious code but this is minimal when compared to those targeting the PC.
Android, in particular, has suffered more attacks from malicious code due to its more open application market, although even those with a strong security reputation like BlackBerry have been victims too.
While malware attacks for mobile devices are undoubtedly different, they are still entirely possible. Mobile malware we’ve seen to date includes fake Internet banking applications which steal your credentials and your money, and in some cases your bank authentication token code sent by a bank via SMS.
Many users assume their mobile devices are eminently secure as they’ve never been affected by malware. The reality is that, until recently, most of us were just not placing data that was worth stealing.
Now that smartphones contain valuable assets, the bad guys are paying attention. We can expect a significant increase in the volume of malware over the coming years.
Anti-virus capabilities will be important, though the defence technologies will work differently from the PC, focusing more on reputation and behaviour rather than traditional content security.
Anti-malware capabilities will be increasingly required. The most interesting area is perhaps data protection to avoid those awkward accidental email forwards and continuous encryption of data as it flows between different devices.
Recent events and changes in mobile technology indicate that it is likely that the threats on these devices will both diversify and significantly increase in number in the short term. We must then be ready to address them with available security controls as they evolve over time.
James Lyne is director of Technology Strategy at global IT security and data protection firm Sophos.