Chris DiBona says that there is a lot of FUD going on around mobile security recently, Android in particular. I agree with him that open source software gets a bad rap and isn’t inherently less secure than commercial software. I also agree that traditional signature AV doesn’t make sense on Android (or anywhere else for that matter). However, the rest of Chris’ comments are misguided. He states that “No major cell phone has a ‘virus’ problem in the traditional sense that Windows and some Mac machines have seen”, and also “No Linux desktop has a real virus problem”. This isn’t true except for a uselessly narrow definition of the word “virus” as something that has to propagate from phone to phone.
Chris’ comments lead to an incorrect conclusion that the sandboxing Android provides is “secure enough”. This is also wrong.
Sandboxing is generally a good thing. However, the way it is applied in mobile devices aggravates an already untenable security situation. Android’s sandboxing model prevents third-party security solutions. You want whole-device encryption, address space layout randomization (ASLR) or data execution prevention (DEP)? You can either root your phone to use real third-party solutions (an unrealistic option), or you can wait for Google to offer it. This is a monoculture which prevents the market from being able to provide solutions to real security problems. Attackers know precisely what is on the target device because third parties can’t play there.
This results in a scale that is tipped in favor of the attacker. Contrary to Chris’ comments that “No major cell phone has a ‘virus’ problem”, attackers can root the phone; zero-day vulnerabilities do and always will exist in Android and its underlying Linux OS, as with all other operating systems, and threats will emerge that don’t require installing malicious apps. To think otherwise is naïve. If you think I have a bias, you may be right. My phone runs Android and I’ve been an avid Linux user/developer since the days of Slackware 1.0 and Sasteroids, but the company I work for does not sell a mobile security solution.
Chris’ comments are too narrowly focused on what he calls “traditional viruses”. But this ignores many relevant and important threats, including one that enterprises face on a daily basis. This threat is not FUD, not imagined, not theoretical, and it goes by the name APT (advanced persistent threat). Simply put, smartphones are the next major threat to the enterprise and to corporate intellectual property. I will blog more about this in the days to come, but for now just consider the following facts.
The actors who are most likely to find and exploit smartphone vulnerabilities are the ones you least want to find and exploit smartphone vulnerabilities. Employees have their phones with them everywhere they go. Software on phones can wake up and record boardroom conversations. Software on phones can record phone calls, take pictures, and store large amounts of data. Smartphones are often connected to corporate networks. And phone data physically leaves the office building every day without going through all of the traditional information security mechanisms that companies rely on for security, ready to be uploaded through the unsecured, unmonitored Internet connection at home.
Have you seen this happen? Perhaps not. But information security isn’t about sitting around waiting for theoretical threats to become real. It’s about anticipating what we know is possible and doing what we can to stop it before it happens. It’s about realizing that the next Aurora or Stuxnet that uses a mobile device is almost certainly already under development.
Android is growing in popularity and can no longer hide behind security through minority.