Q&A: How we sliced open Palm and Android security

 

Gallery

By Nicole Kobie

Posted on 12 Aug 2010 at 11:37

Q. Will you be testing out any other handsets?

A. We’ve now started a research programme around other phones. We expect to have some more news in a little while.

Q. What needs to happen for smartphones to be more secure?

A. Broadly, we don’t feel that smartphones can be considered secure. We’ve looked at enough now to realise that there are significant problems with the way the security is being integrated with the operating systems.

Mobile phone companies have missed the opportunity to really start integrating security properly

Because the functionality being demanded is on the increase, and now you’ve got increasing internet functionality, the attack surface area is increasing. This isn’t going to go away, this problem is only going to get worse.

It’s following the trend in the early days of computer security, five or six years ago... when companies and vendors at that stage were unused to having to patch and release patches swiftly.

Because operating systems on mobile phones are considered a secure unit, there’s very little a user can do to secure it. They can’t really install their own software such as antivirus or firewalling, they’ve got to rely on the mobile phone companies to have got it right. And if the mobile phone companies haven’t, then that’s a very exposed position.

Q. What can users do to avoid being hit by these two flaws?

A. If you feel that you’re about to go into a highly sensitive situation or scenario, take the battery out of the phone, because that’s one surefire way of making sure that if it has been compromised, nothing can be recorded.

We would always recommend using a wireless network that has been encrypted and is something that you trust. We would recommend that unless you can help it, you do not keep sensitive information on your phone, and never use an untrusted wireless network that isn’t encrypted.

Q. Should people avoid services such as online banking on their phone?

A. It’s up to them – they’ve got to make a judgement on their risk. There are enough issues now out in the wild for people to start to be informed about what level of risk they’re willing to accept. If they think there’s too much risk involved in them accessing their bank account, then it’s entirely up to them.

We’ve got to start educating the users that these things may not be as secure as people think. At the moment, it seems to be just a common perception that using a mobile phone is secure, but what we’re saying is that we don’t think it is anymore, and we’ve got the proof.