Mobile security moves beyond smartphones

If there's one thing certain in life besides death and taxes, it's probably New Year's predictions from analysts speculating on what the big issues and trends for telecoms will be in the next 12 months. And of course, magazine editors are no different. So here's my personal contribution to the crystal-ball meme: mobile security.
 
Which may sound obvious - a number of security experts have already pegged 2011 as a boom year for mobile spyware, malware, viruses and other threats as smartphones become more and more popular. But in fact, mobile security will be far bigger than that.
 
Certainly smartphone security is going to be a problem, but not just because the threats are growing. It's also a question of how secure mobile OS platforms are to start with, and the answer is: not as much as they should be, according to the Electronic Frontier Foundation.
 
Naturally no OS platform is bug-proof or invulnerable, but PC and server OS platforms have compensated by becoming very good at reasonably open disclosure of security bugs and fast distribution of patches to fix them. Mobile OS vendors, by comparison, are way behind the times, says the EFF's Chris Palmer. 
 
Apple, for example, has been known to release patches for bugs several months old. And Google routinely releases Android patches without announcing them, and with the security fixes unmarked among the other fixes and enhancements included in the release.
 
Complicating things for Android is fragmentation, as OEMs and cellcos tend to tweak Android to add unique features and sometimes remove standard ones, which creates more vulnerability risks, says Palmer (who briefly worked at Google on Android framework security, according to his bio). And while third-party patches may not be illegal under laws like the Digital Millennium Copyright Act, they will almost certainly void your warranty. The EFF is advocating third-party patches as a market-pressure tactic to get OS vendors to up their own security game.
 
Another mobile security issue for 2011 is apps leaking private data. A December report on the Wall Street Journal web site claimed that many popular apps for iPhones and Android phones transmit personal data from the phone to third parties without the user's knowledge or consent.
 
 
The Journal tested 101 apps, and found 56 of them secretly transmitted the phone's unique device ID - described by mobile advertiser exchange Mobclix as a "supercookie" that marketers track, only it can't be deleted or blocked like regular cookies - to mobile advertising companies, while 47 apps transmitted location-based info and five sent personal details such as age and gender. 
 
To be fair, it's unclear just how big a deal this is, since the data is still anonymous from the ad network's point of view, and a device ID isn't the same as, say, a photo ID card. But it sounds scary to the average mobile user - especially the tracking part - and users may react the same way they react to each new Facebook privacy controversy.
 
Finally, even feature phones won't be spared on the security front this year. In December, researchers demonstrated how to eavesdrop on GSM calls and text messages using various software programs, four $15 handsets and a laptop. The following month, another group of researchers demonstrated a so-called "SMS Of Death" attack on feature phones that exploits the ability of the SMS protocol to send "binaries" (small programs) to the handset, effectively enabling attackers to send malicious messages that can shut down the phones (see this issue's Wireless Horizon on the back page for details).
 
All that, and we haven't even gotten into the continuing saga of RIM being pressured by governments to enable email/data surveillance, or the Indian government's ban on 3G video calls and possibly even 3G data services until operators can provide a way to eavesdrop on them. One way or another, you'll be hearing a lot more about mobile security this year.