Securing hand-held computing devices: The cyber-security challenge of the decade

Jagadeesan R, Senior Consultant
The hand-helds have arrived
•   The growth rate for the hand-held market (including smartphones and tablets) is leapfrogging the desktop/laptop market growth rate by some length
     –   It is estimated that around 73.5 million iPhone OS devices (iPhones and iPod touches) had been sold globally till Jan 2010
     –   Global iPad sales are projected by Piper Jaffray to reach 23.3 million units in 2011, up from an estimated 13 million in 2010
•   A large number of consumer and business applications are being made available for hand-helds
The hand-helds have arrived
•   Deutsche Bank, Bank of America, Citi, JPMC, Standard Chartered and UBS are all running pilots with BlackBerry alternatives – iPhones/Android phones
•   Starbucks already has a mobile payment app for the iPhone
•   Union Bank of India is to introduce a mobile payments network including person-to-person payments
•   ICICI Bank-Vodafone, SBI-Airtel and Yes Bank-Nokia have launched mobile payments initiatives
•   Barclaycard, Orange and T-Mobile are set to launch the UK's first commercial contactless mobile phone payments system this year
But hand-held security hasn’t!
•   With the exception of the tightly controlled BlackBerry platform, powerful hand-helds are a recent entrant into corporate IT
•   The hand-held market resembles the PC market of the mid-1980s to the early 90s
     –   Poor awareness of most security threats
     –   Dynamic market with keen competition between several players and platforms
     –   Very rapid growth – “Get it out to the retailer” mind-set
     –   Highly driven by retail consumer adoption
Typical vulnerabilities seen so far
•   Malware
     –   Zeus mobile trojan intercepts one-time banking passwords sent by certain banks by SMS; affects Symbian and BlackBerry devices
     –   Geinimi trojan for Android can allow infected phones to be controlled by a remote server; tracks geo-location and unique device IDs
•   Backdoors
     –   Android vulnerability allows a malicious website to read files from the SD card
Typical vulnerabilities encountered
•   User information trails in phone memory from poor design
     –   Mobile financial applications (Android, iPhone) from USAA and Wells Fargo were found to insecurely store account numbers and balances in phone memory (subsequently fixed)
•   Cross-site scripting
     –   A cross-site scripting bug in the Android Market allowed anyone to silently install a malicious app on the user's Android phone when the user clicked a link while browsing the Market on a desktop (later patched)
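An added illustration of the insecure-storage finding above (not code from this deck, the cited research or either bank): a constructed cache file of the kind a banking app might leave in phone storage, an audit function that flags plaintext account numbers and balance fields in it, and a hardened cache that keeps only masked display data. File names and account values are constructed for the example.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample of what a banking app might cache on the device
# (hypothetical values, not taken from any real application).
SAMPLE_ACCOUNT = {"account_number": "123456789012", "balance": "4821.55", "owner": "J. Doe"}

# Account-number-like digit runs (10 to 17 digits) and a JSON balance field.
ACCOUNT_RE = re.compile(r"(?<!\d)\d{10,17}(?!\d)")
BALANCE_RE = re.compile(r'"balance"\s*:\s*"?\d+\.\d{2}"?')


def write_cache_insecure(path: Path, account: dict) -> None:
    """The anti-pattern: full account number and balance in a plaintext file."""
    path.write_text(json.dumps(account))


def write_cache_hardened(path: Path, account: dict) -> None:
    """Cache only what the UI needs: a masked account number and no balance."""
    masked = "****" + account["account_number"][-4:]
    path.write_text(json.dumps({"account_display": masked, "owner": account["owner"]}))


def find_sensitive(path: Path) -> list[str]:
    """Audit one cached file for plaintext account numbers or balances."""
    text = path.read_text()
    findings = [f"account number: {m}" for m in ACCOUNT_RE.findall(text)]
    findings += [f"balance field: {m}" for m in BALANCE_RE.findall(text)]
    return findings


def demo() -> dict:
    """Write both cache variants to a temp dir and audit each."""
    with tempfile.TemporaryDirectory() as d:
        insecure = Path(d) / "cache_insecure.json"
        hardened = Path(d) / "cache_hardened.json"
        write_cache_insecure(insecure, SAMPLE_ACCOUNT)
        write_cache_hardened(hardened, SAMPLE_ACCOUNT)
        return {"insecure": find_sensitive(insecure), "hardened": find_sensitive(hardened)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The same audit can be pointed at a directory pulled from a device or a backup; the hardened variant produces no findings because neither the full account number nor the balance is ever written to disk.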
Typical vulnerabilities encountered
•   Signal interception
     –   Bluetooth hacks can be used to make calls on the hacked phone, read/send SMS, access contact lists, tap phones, divert incoming calls and surf the web
     –   Rogue base stations can be used to tap phones
•   Poor privacy controls
     –   A suit has been filed in court alleging that Apple and other app creators have been passing along users' personal information by tracking unique device IDs and geo-location without getting prior consent
Mobile device platforms - How do they compare?
•   For the BlackBerry, Apple and Windows Phone platforms, apps have to pass review before being made available for download; this blunts some of the attack points
•   Android allows apps to be distributed directly through websites as well as on the Market; this opens up more attack points for malware bundled into apps that exploit vulnerabilities
     –   Google recently applied a master kill-switch (for the first time) to clean up more than 50 virus-infected apps from individual Android phones
Mobile device platforms - How do they compare?
•   Google is taking the tack that more openness will lead to a more dynamic and secure Android platform in the long run
•   Currently, however, there are broken links in the software update chain (unlike the desktop market)
•   Here there is a dependency on telecom carriers, which typically do not push OS patches on to smartphones fast enough
     –   There will be a significant amount of pain in stabilizing Android as a secure platform
Prominent mobile security-related products in the market
Authentication
•   RSA SecurID 2.2 for Symbian OS and UIQ
Encryption and authentication
•   Check Point's Pointsec
Comprehensive cloud-scanned web security
•   Zscaler Mobile
Data-loss prevention
•   Websense Mobile DLP
Prominent mobile security-related products in the market
Anti-virus
•   NetQin Mobile Anti-virus
•   CA's eTrust anti-virus software for Palm and Windows Mobile
Anti-virus and anti-theft
•   McAfee WaveSecure + VirusScan
     –   Remote lock
     –   GPS tracking
     –   Remote wipe
     –   Malware scanning
Prominent mobile security-related products in the market
Anti-virus and anti-theft
•   Kaspersky Mobile Security 9
     –   Mobile filtering
     –   Anti-theft features (use of the phone's GPS to track location, remote data-wipe/block/lock, SIM Watch); SMS Find shows the missing device's location on Google Maps using GPS data
     –   Encryption, parental controls
     –   Anti-virus, firewall, privacy protection
     –   Supports Symbian OS 9.1 and higher, Windows Mobile 5.0 to 6.5, BlackBerry 4.5 to 6.0 and Android 1.6 to 2.2
In summary…
•   BlackBerry continues to be the most secure platform for corporate IT, followed by the iPhone/iPad
•   Android is likely to catch up in the long term with its open philosophy, but it is not at the top for security in the short term; timely pushing of patches to devices is a major concern
•   Windows Phone is a clear laggard even with an early start and a recent deal with Nokia
•   Very sophisticated security applications are becoming available in the marketplace
•   An extraordinary range of powerful functionality is available on these hand-helds -> more power for mischief in the age of “Information anywhere”