Today, many IT departments are required to make business data available via wireless handheld devices like PDAs and smartphones. In the perfect world, all such devices would be trustworthy and free of malware. In reality, many are unmanaged and unsecured, ripe for mobile malware
Smartphone and PDA threats on the rise
Mobile malware infections are still rare when compared to their Win32 counterparts. Fewer than 500 unique mobile operating system viruses, worms and Trojans have been found to date. Most cause relatively modest damage: file wipes, hard resets and unintended toll charges.
Unfortunately, the barriers that have long inhibited more pernicious attacks are falling. For starters, the mobile device population is growing at a rapid pace. Business use of hot new consumer-grade devices like Apple Inc.'s iPhone and HTC Corp.'s Android G1 may finally tip the balance by creating a large and sufficiently lucrative target to lure serious malware developers.
Moreover, contemporary smartphones are no longer constrained by short wireless ranges, simplistic operating systems or meager memory. Near-ubiquitous 3G and Wi-Fi connectivity have simplified over-the-air malware propagation, while multi-gigabyte storage has increased the availability of sensitive data. Traditional malware delivery vectors like email and Web surfing have grown more viable on mobile devices as users perform those tasks more often, complemented by new conduits like short messaging services (SMS) and multimedia messaging services (MMS).
The final block to fall may be the absence of an easily compromised mobile mono-culture. In the past, malware writers were discouraged by diverse, closed environments: The most frequently attacked mobile platform was the developer-friendly Symbian Software Ltd. Series 60. Today, Android and Linux are creating open system development platforms, while iPhone and Windows Mobile harbor potential for MacOS and Win32 malware porting.
Smartphone and PDA security software
Fortunately, as mobile devices have grown more capable, mobile OS security models and third-party security programs have also evolved. Employers that manage mobile smartphones and PDAs can tap these on-board defenses to detect and inhibit the installation and execution of mobile malware.
Start by checking all mobile software executables and installers for digital signatures issued by certification programs like Symbian Signed, Microsoft Mobile2Market or Research In Motion Ltd.'s Controlled APIs for BlackBerry. Prevent users from self-installing mobile malware by managing packages with a mobile device manager like BlackBerry Enterprise Server or Sybase Inc.'s Afaria iAnywhere. Alternatively, create mobile software white lists and black lists, and educate users about how and why to avoid unsigned code.
Next, leverage mobile OS access controls to stop malware file-tampering and sensitive function invocation. For example, Symbian 9 Capability Management policies can restrict program access to system and/or user files and network interfaces, while data caging can compartmentalize data into private folders hidden from untrusted programs. Configuring such access control policies can help to deter spyware data theft and Trojan back-channels.
Finally, unlike laptops, mobile handhelds are not factory-equipped with firewalls, virus scanners or spam filters. Consider filling these holes with device-resident mobile security programs. For example, antivirus and SMS antispam programs are available for all popular mobile operating systems from sources like AirScanner, F-Secure Corp., McAfee Inc., Symantec Corp., SMobile Systems, Trend Micro Inc., and Sophos plc. These programs can excel at battling mobile-specific threats, like detecting mobile OS Trojans and filtering SMS messages that don't otherwise pass through enterprise servers.
Employers that don't manage mobile devices can still defend their networks from mobile malware by safeguarding "touch points" like enterprise mail servers, mobile application gateways, remote access concentrators and Web portals.
For example, most enterprises already filter email messages to discard spam and phishing URLs before they reach end users. Whether antispam measures are applied at an enterprise mail server or by a hosted mail provider, they can benefit mobile devices as well. However, it may be necessary to take steps to ensure that all mobile email passes through these filters; one strategy would be blocking corporate mail forwarding to personal POP mailboxes.
When mobile devices access corporate networks through an application gateway or remote access concentrator, malware propagation may be detered by device finger-printing and/or content inspection. For example, try to limit access to devices with known equipment identifiers or supported OS/browser types. Relay all tunneled traffic through a network antivirus, intrusion prevention system (IPS) or unified threat management (UTM) platform to drop suspicious messages. These measures are not fool-proof; existing network antivirus systems may detect Win32 worms, but not those geared toward Windows Mobile. However, they can help to insulate a network from threats that might otherwise use unprotected mobile devices to bypass your desktop/laptop defenses.
One sure-fire way to stop corporate data from being stolen by mobile malware is to prevent sensitive data from being stored on mobile devices in the first place. Consider enabling mobile application and data access using read-only portals. For example, present application content in image (not text) format and block file and attachment downloads. Decide which kinds of content should and should not be synchronized onto mobile devices, balancing mobile usability against business risk.
The future of PDA and smartphone security
In the long run, many employers will combine mobile endpoint and network-based defenses, treating smartphones and PDAs like notebooks and tablets. However, high-speed wireless WAN connectivity is likely to promote further security outsourcing.
For example, some carriers can already provide email and SMS filtering for all mobile devices, independent on OS type. This "in the cloud" approach could prove simpler than maintaining device-resident antimalware programs for smartphones and notebooks. Going forward, enterprises should look for new opportunities to leverage secure wireless WAN services, thereby reducing their exposure to all forms of malware.
About the author:
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
This was first published in November 2008