
Mobile Phone Operating System Insecurity

As more online retailers introduce mobile ecommerce applications, criminal hackers are taking notice. Existing mobile operating systems are under attack and, like standard PC operating systems, they sometimes fail to provide the necessary security to support a payment application.

Current research is primarily geared towards securing mobile payments, but there is a lack of coordination between mobile payment developers, device manufacturers, and mobile operating system platform developers. Hackers are taking advantage of the loophole created by this lack of coordination.

Mobile phone spyware has been a concern for years. Legitimate software companies sell mobile phone spyware that allows the user to monitor a spouse, kids, or employees. And criminals deploy mobile phone spyware, as well.

Beijing-based mobile security services firm NetQin Technology reports that an application called Xwodi, which allows third parties to eavesdrop on cell phone conversations, has infected more than 150,000 phones in China. Apparently, the malware targets mobiles running the Symbian platform, and monitors phones by silently activating the conference call feature or microphone.

One security company, Trusteer, informed The New York Times, “Mobile users are three times more likely to fall for phishing scams than PC users…because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot.” In the same article, another mobile security firm, Lookout, claimed that in May 2010, 9 out of 100 phones scanned for malware and spyware were infected. That’s up from 4 out of 100 infected phones in December 2009.

Protect yourself by refraining from clicking links in text messages, emails, or unfamiliar webpages displayed on your phone’s browser. Set your mobile phone to lock automatically and unlock only when you enter a PIN. Consider investing in a service that locates a lost phone, locks it, and if necessary, wipes the data, as well as restoring that data on a new phone. Keep your phone’s operating system updated with the latest patches, and invest in antivirus protection for your phone.

 


Comments: (3)

Mary Freeman - Simplify IT Limited - London 27 April, 2011, 13:19

Apple iPhones now come with a remote wipe facility (providing you have subscribed to their Mobile Me service). Here is how: http://www.macworld.com/article/141605/2009/07/remotewipe.html
There is also the capability for administrators to remotely wipe Company 'phones for iPhones and Blackberries. For non-corporate owners, BlackBerry Protect is now available as a downloadable application from their appworld (also has a geo-locate-as-I-left-it-in-the-office and loud-ring-from-where-it-dropped-under-sofa function as well as remote wipe if it has been stolen ... unless you have encrypted it). However Android 'phones need third party security applications, such as the one offered by F-Secure or McAfee WaveSecure.
Remember also to wipe your 'phone, e.g. by reverting to factory settings, if you hand it back in to IT or sell it on eBay... http://www.tuaw.com/2009/08/23/dont-forget-to-wipe-your-iphones-data/

Robert Siciliano - Safr.me - Boston 27 April, 2011, 13:24

Thanks Mary!

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 27 April, 2011, 17:50

There's another aspect to security, where I believe mobile scores well over PC, although it calls for an application design mindset that leverages the full power of mobile technology instead of treating it merely as a mobile-version of a PC-based application. 

Let me recount my last three mobile "commerce" transactions from three different apps: (1) Check bank balance (2) View stock portfolio (3) Order an additional channel from my satellite TV provider.  

One thing is clear: Each of these transactions works ONLY from a registered mobile phone # (mine), which can emanate ONLY from one handset (mine, again).

Thanks to SIM, "device authentication" is elementary to mobile technology. Judging from my experience it seems possible to incorporate it easily into any mobile app. I doubt if this is the case with PC-based applications. Besides, mobile phones are on all the time and carried almost everywhere, so configuring a mobile app to only work on a single handset is hardly a restriction. This can't be said for PC-based applications.