
"Google’s Android security team is good, he says, although he would recommend upgrading to version 4.3 or later."
Well, that's rather in the hands of the manufacturer and operator than the user.
Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don’t want to let in. Time was when getting software to run properly on your mobile phone was such a challenge that it was nigh on impossible for bad guys to write malware that worked. Most phones used proprietary …
Half a million users, so 500 infected of which 265 are Android and 235 are iOS. But Android market share 80% and iOS 15%? So 400,000 Android users, 75,000 iOS users in total? So 0.066% Android devices infected, 0.313% iOS devices infected? ie Almost 5x as many iOS infections as Android? Or is my maths failing me?
"Half a million users, so 500 infected of which 265 are Android and 235 are iOS. But Android market share 80% and iOS 15%? So 400,000 Android users, 75,000 iOS users in total? So 0.066% Android devices infected, 0.313% iOS devices infected? ie Almost 5x as many iOS infections as Android? Or is my maths failing me?"
No, your math isn't failing you, but your English is!
Perfect would assume 0 infections.
>He contends that BlackBerry is the most secure, both in its BB7 and BB10 incarnations – although for security you have to sacrifice the openness of the BB10 system and then you have to wonder what is the point of going to BB10 in the first place.
Wow, cheap shot there - instead of lauding BB's security ethic from an objective perspective, you take the opportunity to stick the knife in. Great journalism, well done.
Heh, no, not really fussed about people I'll never meet having a go at BB (the company, phone *or* OS), and yes, I've seen a lot of abuse levelled their way (I do wonder if any of the abusers have actually tried to use the OS though). I was actually just intrigued that in a pretty level-headed and objective report on the state of things (ie no wild "Android is crap" headlines), he slipped in a cheap shot to BB, who in the context of the article come out on top.
I miss those amusing Edon rants as well. I've almost considered resurrecting him in chatbot form. Maybe this weekend I'll modify the dictionary file for an old bot I wrote at uni. I figure it'll only take 2-3 of my MS-hating friends and a case of beer to perfect it.
"The model of using a container for applications cuts the risk of the data leakage associated with BYOD (bring your own device). A secure container is set up for corporate applications such as email, calendar, browser, storage clients and so on.
"Data downloaded from the enterprise, such as email attachments and files, cannot be accessed by applications outside that container."
That pretty much exactly describes how BB10 was explained to our team at unveiling. By far, the coolest feature of BB10 was the ability to have your corporate and personal stuff on the same device AND easily transition between the two AND satisfy corporate security types that there was no co-mingling of said stuff.
Is it something that does something unintended, like an app that sends data about your phone to the developers, even something rather innocuous like a wireless MAC? Or is it only ones that are actively doing something evil, like texting premium numbers or stealing your contact lists?
I'd sure love to see examples of the kinds of software they consider spy software, especially those that just barely make the cut. I have a feeling they're inflating their numbers, but maybe I'm cynical since they're a security company and undoubtedly feel that creating worry about smartphone security will help their business.
They probably consider any rooted Android or jailbroken iPhone as "spy software", as if it was someone other than the owner who did it.
Simple fact of life: Any device that accepts downloaded code is of course threatened by malicious code downloads. That's why no smartphone/tablet/laptop/PC will ever be really secure.
If you want real security, you need to get back to something like dumb terminals. Not necessarily those 3270 or VT100 character-oriented terminals of the past, but to dumb phones or hardcoded browser terminals that don't accept any code downloads. Updates only by inserting new ROM modules supplied by your trusted dealer or IT support staff ...
Less flexibility? Yes. More security? Yes. More stability and lower support cost? Definitely yes ...
And dumb terminals are ideal for cloud computing ...
The terminal is secure in that manner, sure, but what about the mainframe or whatever server which powers that? If you are expected to be able to run code of your choosing then the terminal server would be vulnerable in some degree.
Beyond the 90s definition of downloading code, even just simple browsing opens up a whole world of infection vectors. Java, Flash, or other "rich content" plug-ins which the user will want (or need) are not just ripe, but actively being used for remote vulnerabilities. Then we are again stuck with the notion of the black box we use being secured.
The only protection I see at that point is a fully virtualized environment at the terminal server end, where your session is built on-demand from a template and injected with the software you have selected or, in the case of enterprise environments, has been provided to you. You can play all you want, and if you become infected your session is destroyed and subsequently rebuilt from the original template. There is still the concern of your data being affected, such as with CryptoLocker, but good versioning should help with that factor.
Of course, this scenario relies upon the security of the underlying virtualization platform which is going to be a black box to us as, let's face reality here, how many of us perform a full source audit of every open software we deploy?
The entire smart phone market, design, software and hardware is still a huge mess.
I don't know why Google felt compelled to allow mfgs to fork Android, but that should be fixed ASAP. (oh I can make some educated guesses why they did)
Mfg should also trim their product line. A cheap entry model, a mid price and a premium. What more do you really need? (and stop introducing new models every week)
AV should be MANDATORY from the factory.
Not so much.
As recently as last week-end, I had a friend bring me his Win7 PC that was white-paged by some French version of the Homeland Security virus. I spent the day trying to get rid of it.
The virus was good. It entirely blocked the launching of anything, it masked the icons, the Start button didn't work, and even the USB ports were inactive. In short, nothing but booting from a CD could have a chance of doing anything.
I used my Knoppix LiveCD to snoop around and try to find the exe that launched itself before everything else, but no go. So I went to the major AV sites to find an ISO that might help. I went to Norton, BitDefender, Avast, Avira, Defender32, and a few others I don't remember the name of just this instant.
They all had LiveCD ISOs for free download. I downloaded them all, using a rewritable CD so as not to waste opticals. I spent the entire day downloading, burning, starting up the infected PC, and booting on the CD.
I also spent the entire day watching every single vendor solution fail miserably to even boot properly, not to mention actually take care of business. And this on a three-year-old PC, not some old 286 dug out of a pit.
All of these LiveCD solutions are based on some flavor of Linux or another, and not one of them managed to even get me to a proper selection screen, or useable UI of any kind.
In the end, I slotted in my Win7 install disk and formatted the partition before launching the install. Problem solved.
So, yeah, snake oil.
The informed user must be able to switch the operating system just like switching an SD-card. Hardware platforms should be similar enough and discoverable so operating systems don't have to be ported to every little phone. Only then we will get the quality benefits we got in the PC world since the late 1990s.
Google needs to do a better job of keeping the Android market free of malware. There is no excuse for Google to allow malware in the Android market. Now supposedly Android is secure according to Adrian Ludwig, Google's security chief. Android has a layered defense model, but most of the malware is coming from apps that are installed via text message and/or from phones that have older phones (http://qz.com/131436/contrary-to-what-youve-heard-android-is-almost-impenetrable-to-malware/). There is another govt report that indicates that 44% of phones are still on Gingerbread, which is more vulnerable to attacks. The other attack vector is via fake Google Play domains. Much of this makes sense if you think about it.
So therefore Google needs to require phone makers to keep their users' phones up to date and/or make it easier to do so. Most users want to be on the newer versions of Android anyways. Companies can secure Android BYOD devices by requiring users to be up to date on the latest version of Android or helping them to buy a newer one or supplying them one. Educating users on safe use practices and having regular scans of the devices for vulnerabilities would help as well.
Ultimately more must be done on Google's part to educate and enhance security in the Android community.