Recent developments are demonstrating that our mobile phones are not as secure as they ought to be.
First, the Carrier IQ mess. This has been front-page material on a lot of news sites recently. Here's the story, in brief: A systems administrator from Connecticut named Trevor Eckhart has discovered an application that serves as an undocumented keylogger on more than 140 million mobile phones, even when they are sending SMS messages or browsing the web via HTTPS. Eckhart demonstrated the data-collecting behavior in a 17-minute YouTube video. The application comes from California-based Carrier IQ, which refers to its business as “mobile service intelligence.” Carrier IQ says it gives phone-service providers “a mission-critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience.” Critics – including the Electronic Frontier Foundation and U.S. Senator Al Franken – say the software is a rootkit, and they are very concerned that the information Carrier IQ collects may be stored, transmitted, or yielded up to third parties (including law enforcement, with or without a subpoena). Apple says it will phase out use of Carrier IQ software. RIM has responded to reports that the software runs on BlackBerry phones with a denial. AT&T, Sprint, and T-Mobile install Carrier IQ software on phones they resell, while Verizon claims not to use it. If you're concerned about your phone, do a Web search. This news is easy to find.
Second, researchers at North Carolina State University have published a report about security vulnerabilities they found in a range of Android-based phones. The problems aren't with the Android OS itself, but with utility applications that are frequently preloaded on customer handsets. The researchers found that these apps could serve as infection points for malware that could send SMS messages, sign users up for third-party SMS services, record phone calls, send text messages to premium numbers that charge for such calls, or factory-reset the system.
Third, vendors continue to find malware applications in the app stores. Due to the wild-west nature of the Android market, most of the malware has been found there. But a few apps have slipped into Apple's iPhone software store too. Vendors ban these apps from their Web sites as soon as they are reported, but new malware is quick to appear.
How serious is the malware threat? That depends on who you ask. Security-software vendor McAfee captured headlines when it issued a news release saying that Android-based malware was up 37 percent in the third quarter of 2011. The company was announcing the publication of its third-quarter “Threats Report,” which gives details of viruses and trojans detected during the past 90 days. Naturally, McAfee, which makes its money selling anti-malware applications, wants the threat to look serious. And the 37 percent rise does sound like a big deal...until you dig through the report and find that the figures are based on a rise from 60 infections detected during the quarter to 82. That's out of 75 million malware detections McAfee finds per year – 95 percent targeting Windows systems.
So the threat is small. But growing.
Compounding the problem is the lack of a coherent security strategy in the Android market, which is the fastest-growing part of the mobile industry. There are dozens of hardware vendors and service carriers, and they are probably unable to work together effectively to patch the security holes that threaten users. Makers of Windows-targeted malware-detection software are starting to pay attention to the Android platform, but early reviews suggest that their software isn't yet up to snuff.
In an amusing turn of events, Research in Motion, the maker of the BlackBerry, is offering security software that will run on iPhones and Android-based phones. The software, BlackBerry Mobile Fusion, will allow system administrators to create groups, update user profiles, roll out or update software, and recover lost devices. Whether this will lead to new business for RIM or destroy the uniqueness of BlackBerry's last remaining selling point remains to be seen.
Why does all this matter? Because where there are smartphones, there's software. Where there's a security risk, there's a need for tech-savvy personnel to craft and administer solutions. Where there's a new hardware platform, there's an opportunity. That's right, I'm talking to you. This is a career opportunity. In the face of downsizing and outsourcing, your cubicle may not be as secure as you think it is. The smartphone security market is in its infancy and it's growing. Food for thought.
Web recommendation: Version 11 of Microsoft's venerable Visual Studio software-development environment is currently in beta. If you work in a Microsoft shop, you will probably upgrade as a matter of course. But it's still worth knowing about the new features and how well they work. The most comprehensive review I've seen so far is this one, written by Peter Vogel for Visual Studio Magazine. J.D. says check it out.
J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. Boy, could he use a neck massage!