This post was published 2 months 25 days ago which may make its actuality or expire date not be valid anymore. This site is not responsible for any misunderstanding.

This is a great time to be a fan of mobile technology. We are able to do more with small, mobile devices then ever before. In fact, there are times when it seems like we barely even need notebook PCs anymore, let alone desktops. Want to surf the internet and catch up on your favorite blogs? The iPhone’s internet experience rivals most notebooks, and is better than many…or try the Droid or one of the new MIDs or Smartbooks. Need to finish up a document for work? Using the cloud you can log on from your netbook or Windows Mobile smartphone from anywhere, download the document, edit it, then save it back on the cloud. Need to deal with your inbox? Using your BlackBerry or Windows Mobile phone you can read, forward, save and reply to all the important emails you need to while watching the pretty Barista mix you up another Skinny Double Mocha Frappe and never even need to look for a power socket.

However, as our mobile devices gain all the advantages of our PCs, they often gain some of the liabilities as well. The more we do with our smartphones the more vulnerable they can become to viruses, malware and spyware…and the more we use them for confidential business or financial matters, the more attractive a target they become.

Up until now, most people have dismissed mobile viruses as being nonexistent, or at worse a nuisance. Just paranoia. After all, the only people who need to worry about viruses are those running Windows XP or Vista, and it’s their own fault right?

Recent events and the changing mobile landscape suggest that the state of grace smartphones have enjoyed may be coming to an end…quickly.

There have been several situations that really should have caused more panic then they did regarding mobile security, but they seemed so trivial. An Australian named Ikee made use of a way to hack jailbroken iPhones running SSH with the default password, and changed their wallpaper to a picture of Rick Astley. Yes, he hacked their phones and Rick Rolled them. Silly, humorous, made for a lot of comical headlines and was impossible to take seriously. The laughing just got louder when a couple Dutch teenagers used the same exploit and tried to charge people seven dollars to fix their iPhones, until they were arrested of course. However, if you consider these stunts to not be simple pranks, but Proof of Concept tests, it becomes harder to laugh.

The fact of the matter is that very few mobile users take even the most basic security precautions because very few realize there is a threat at all…and phone vendors and service providers are working hand in hand to downplay the danger of hacking on mobile devices. A recent survey of 1000 adult smartphone users found that 44 percent believed that surfing the Internet from their smartphone is just as safe or safer as surfing from their PC, regardless of whether or not security software was installed. The same study found that a quarter of those users who are given free, preinstalled security software with their phone never even enable it.

You can’t blame users, they are just mirroring the naive, complacent attitude of many experts regarding mobile security. Charlie Miller, a principal analyst at Independent Security Evaluators was the man who discovered the first Android vulnerability on a G1, had this to say to CSOnline in an article from last November in which he said he saw no need for virus protection on Android….

Miller said that if people are worried about security on their phones, software from providers like SMobile might let them rest easier, although he probably wouldn’t bother to buy such software for himself.

If the man who DISCOVERED the first Android exploit isn’t worried, why should the average user make any effort to protect themselves?

In March of 2008, Zoe Markham has this to say on the blog of a maker of anti-virus software, Sophos Labs…

For the moment though, given the above, I’m content that there’scurrently no need for any AV protection on my iPhone.

Sophos actually would stand to profit by any concern over the iPhone’s security, and they are saying to chill out about it and just download some more groovy apps? Popular wisdom assumes that mobile security software is either a scam, a rip off or a placebo and the experts seem to back them up. At best many assume it is a solution for a nonexistent problem.

However, as we near the end of the decade the problem is HERE whether we admit it or not, and awareness of the risks are growing…but the tendency to do nothing about them remains unchanged. Just last week 300 federal IT pros were surveyed as to their prime security concerns currently, and 60 percent said that their worries about mobile security were increasing. However, of those who were growing more nervous about the security of their mobile users, more than 60 percent admitted they were using no wireless encryption, despite federal requirements to do so.

What sort of threats ARE out there? Just a lot of Rick Rolling? The growth of mobile OSes that are simply pared down versions of desktop software, such as Android as a form of Linux or iPhone OS being essentially Mac OS X, brings new dangers since often times commands or software elements that are not used in the mobile software are left there and be exploited.

Operating Systems designed just for phones also have their drawbacks. With Windows Mobile the long and tortured upgrade process is partially to blame. It doesn’t matter if Microsoft fixes a bug since it depends on the phone vendor to accept the patch for each phone and then distribute them to the service provider who then must provide the patch to the customers, and much of the time they simply don’t. New versions, which Microsoft DOES have control over, come along very rarely and then most existing phones can’t use the new version.

Add to these problems the fact that more and more smartphones are running on fewer and fewer operating systems, which means that they are growing easier and more lucrative to write viruses for. We are seeing more and more examples of instances where people are able to use an exploit to gain access to smartphones and then either sabotage it, copy data from it, or monitor it’s usage. These don’t just need to be illicit exploits. There are numerous applications which can be installed on a mobile device ostensibly to provide backups (you need physical access to the machine for the install only) which run invisibly in the background and logs all data sent from the device, all calls made, all calls received and emails those logs periodically without the users knowledge to a present address. Some of these applications can also be used to remotely turn on the phones microphone for eavesdropping.

The companies that produce this software says it is for backup, or for employers to monitor how their workers are using company property, or for jealous spouses to keep an eye on their significant other’s phones calls. However, wouldn’t your competitors love to know who your sales manager called this month, who called him, and what was said? As more and more banking and purchasing are done from smartphones, these programs can access all kinds of credit card and password information just by logging your activity. For now, people scoff at such threats since they need to be actively installed on the device, but already worries are being raised about malicious websites which can install programs on your phone without your knowledge, just like on your PC.

Often you even helpfully install the spyware or virus YOURSELF, as in the case with the Storm8 games which were quietly logging and sending your phone number back to their servers as you played. There is also the danger of good old fashioned phishing, as 1 in 5 mobile users have already reported phishing attempts…and those are just the ones that failed.

However, the greatest threat to the security of any Smartphone isn’t what you do with it…it’s what it does WITHOUT you. WiFi is becoming more and more common on phones where once it was reserved for notebook computers, and with it come a whole new range of security threats. Most of the more advanced smartphones, such as the iPhone or the Droid, are constantly accessing the internet either via WiFi (or 3G if you have WiFi disabled) whether you know about it or not, therefore they are constantly leaving a window open into your valuable data. If you doubt it, watch the data icon for an hour or so and observe it turning on and off as all your various push capable apps check in with their servers.

For example, T-Mobile offers a service called “unlicensed mobile access” (UMA) for it’s BlackBerry users, which means when ever it can it will use WiFi for calls, to save you money. When near an access point it can use it opens a VPN tunnel back to T-Mobile using VoIP for the call. Should you be on one of those calls and you move, the calls will handover smoothly to a cell tower. This all happens automatically, without your knowledge. However, in order to work it means your BlackBerry is constantly searching for and querying strange access points, This could easily open the device up as a target.

iPhones are also typically seeking and querying WiFi access points all the time due to the massive number of apps that need internet connections to function or to update basic information like weather or movie times. Everyone loves the seemingly magic prescience of an iPhone, but it comes at a price. After all, just as a chain is only as strong as it’s weakest link, your iPhone is only as secure as it’s most sloppily (or maliciously) written App and most people think nothing of loading any app from the App store. The dangers multiply for those who use jailbroken or unlocked iPhones. The cracks the Dev Team opened to allow you to hack the iPhone OS can then be used by others.

Beyond the growing reliance of smartphones on WiFi in addition to 3G connections, a new danger has also been popularized by Twitter and texting…the shortened URL. Most tech savvy people can usually tell when a full URL looks a bit fishy, or out of place. Why would your elderly Aunt Gladys be sending you a URL to www.HoT_WaReZ_n_BrOaDs.com? However thanks to the need to conserve characters on SMS messages or such social networking programs as Twitter, now URLs are often shortened to something like http://bit.ly/goHw1h which look perfectly harmless even when it isn’t. Admit it, how many of us have clicked on a link in a Tweet or a text message from a friend that just said something like “RT This is INCREDIBLE! http://bit.ly/goHg42”? We have seen many times in the past how malicious messages can be passed on or retweeted, or twitter accounts hacked or spoofed….yet we click those little URLs as if we believe the popular wisdom that smartphones are immune to viruses.

What can you do? There are many mobile antivirus programs available, many of them for free or included with desktop versions, but I cannot vouch for any of them. Some may indeed be simply placebos but many are made by leading firms as Symantec or Norton as well as others such as F-Secure, AVG, Kaspersky and Trend Micro. Mobile antivirus programs now exist for ALL mobile operating systems, often provided with the phone itself. It makes sense that each user should investigate what options they have regarding antivirus software and see if any are worthwhile for the way we use our devices.

Beyond that, people should take the same safety precautions they use on their laptop or desktop PC and implement them with their smartphone or MID.

• Do not leave your device laying around in an unsecured location.
• If your device can be password protected, enable it and change the password regularly.
• Use different passwords for different devices or logins. For example, don’t use the same password for your phone and your twitter account (which are easily found using a WiFi Sniffer and a little knowledge).
• Do not click on shortened URLs in retweets or messages from someone you don’t know.
• Be careful of the sites you visit with a mobile browser.
• Disable your WiFi antenna when you know you won;t be needing it.
• When possible avoid push applications, opting for manual download of such things as email.
• Read notices and warnings, don’t just click through.
• Remember no reputable company or service provide will EVER request your user name or password in an email or text message…so don’t provide it.
• Never store any unencrypted data on a mobile device that is confidential, or any unencrypted information you can’t allow someone else to see.
• Backup all essential data on the device regularly, and keep a backup separate from the device (that is not just on a memory card IN the device for restoration).

As mobile devices become more and more important in our business lives as well as our leisure activities, security threats will become more common and infinitely more dangerous. Dismissing them as paranoia or simply scaremongering only makes it easier for hackers and data thieves to use what bugs and exploits there are against us. The more chance they have to practice with the relatively innocuous exploits available now, the harder they will be to stop the next time. If we all get into the habit of using better safety procedures on our smartphones and mobile devices, up to and including mobile antivirus and security software, then perhaps we can help ensure that the worst a hacker can do in the future is force us to have Rick Astley wallpaper.

Horrible, I know…but it could be A LOT worse.

(Sources: Business Week, CSOnline, DarkReading, IDG, Network World, Computer World, Gizmodo)