Mobile security software, still a waste of limited resources?

Mobile malware has become a hot topic again this summer. The first widely reported worms and other harmful apps appeared on mobile platforms in 2004. They were mainly very simple Bluetooth and MMS worms for Symbian OS which then was by far the most popular smartphone platform.

A trial version of F-Secure Mobile Security comes pre-installed with the latest Symbian 3 smartphones. Some sales packages come with the anti-theft features. Usually the full service costs about 2,5 euros a month from the mobile operator.
A trial version of F-Secure Mobile Security comes pre-installed with the latest Symbian 3 smartphones. Some sales packages come with the anti-theft features. Usually the full service costs about 2,5 euros a month from the mobile operator.

Lately mobile malware has hit the news again mainly due to some apps infringing the privacy of user information on Google Android platform. Google doesn’t have as tight security as Apple (App Store) or Nokia (Symbian Signed Ovi Store apps). One could argue with more freedom and openness comes more responsibility for the individual user too.

Security researchers and anti-virus companies are warning about more advanced mobile malware, and several new proof-of-concepts are expected to be shown next month in the Black Hat conference, as ComputerWorld reports.

Generally, mobile devices can be tempting for criminals, because they are usually connected to the Internet and there’s possibility to make money with operator billing, by making unwanted phone calls or sending text messages. The risks can increase as mobile device are expected to become a method for payments too.

There have been reports of at least 35 malware apps on Android Market, or as many as hundreds of apps that send user information to the developer or third parties without the users’ permission. However, in most cases Android Market notifies the users exactly which rights the app is requesting.

So should you install some kind of a mobile security software? They are available from AVG, F-Secure, Kaspersky, McAfee, Symantec, Trend Micro and others too.  Usually these cost some 3EUR or 3USD a month or 30EUR or 30USD a year. Security company LookOut specialised in Android has warned about Android threats in their blog for many times. They have a free basic version available too.

I used to have F-Secure Mobile Security running on my Symbian phone (Nokia E51) years ago. I had to uninstall it, because it was taking too much CPU and memory resources. Today the latest version is better optimised, and the devices have faster processors and more memory. But still, Nokia E7 and N8 feel a lot slower with the active mobile security activated in background. So my personal device is still without a mobile security app.

I still believe a careful user can avoid malware just by being minding where you download apps and what kind of apps you install. Android even warns if the apps wants to access Internet, send user data, etc.

For IT support of large organisations, the situation is a lot more complicated. Once you have handed out smartphones to your employees, it can very difficult to install any security software afterwards, unless the devices are in an advanced centralized device management. Thus many organisations many been cautious in advance and pre-installed some mobile security software on Android and Symbian devices.

You also have to consider what’s the largest risk. It could be that devices are lost or stolen all the time, and with them valuable company information or user acoounts and password can get to outsiders. Security companies have responded to this by adding anti-theft features to their software in addition to mobile anti-virus and firewall. Anti-theft features typically allow you to remotely wipe the device clean or at least lock it.

The most common way to protect devices with company e-mails, calendars etc is to enforce a compulsory pass code after the device has not been used for a while. Apple’s iOS and Nokia’s Symbian also have encrypted file systems by default. Unfortunately, this doesn’t mean criminals can’t even possibly get access to your files, as the security company Nixu reports in their blog post about encryption in iOS.

On Android and Windows Phone the situation is even worse, because as fars security experts have reported, they don’t encypt all the files by default. Windows Phone Mango, shipping in devices later this year, will support some level of multi-tasking, and will probably enable mobile security software in the background too. However, as far as I know, it still won’t bring the same level of file encryption Windows Mobile 6.x used to support.

Apple has not allowed mobile security software for iOS yet, even though there have been public reports of malware. For example, there was the case of a ”jailbreak hack” just by visiting a web page taking advantage of a vulnerability in the iOS platform, and after the the device was open to more attacks and root access. Fortunately Apple quickly fixed this hole.

Having discussed this with many security experts, they seem to agree the best protected platform for business use seem to be Symbian and the old Windows Mobile 6.x. Too bad, these are not the most popular platforms anymore.

One thought on “Mobile security software, still a waste of limited resources?

  1. The main problem is platforms that require permissions beforehand and have too broad categories. Example: my IRC client needs to connect to the Internet. On Symbian, the permissions it has to ask for include also making phonecalls. How do the users know that it will never ever make phonecalls, even if it has the permission to do so? They have to trust my word.

    This is the norm in Android and Symbian and it’s totally wrong. The user cannot infer from the installation what the application actually does.

    iOS, on the other hand, has a different way of doing things. If the application needs to get your location (which in Symbian is ”read user data”, not clear), it will prompt for permission runtime. This way the user can understand what’s happening. If the application wants to send push notifications, the permission is asked runtime. Not before.

    This is how it should be, but Nokia and Google don’t want to have it that way, for some reason. Too bad 😦

Kommentointi on suljettu.