Smartphone security risks and best practices research
ENISA is looking into smartphones and determining best practices for their use while researching the risks. Several manufacturers have been involved: RIM, Google, Microsoft, Nokia, and others, but they have not managed to get on Apple on board.
The results of the research will be published in the form of a paper by the end of the year. However, while at the ENISA NIS Summer School in Greece, I got the chance to talk with Marnix Dekker, an application security officer with ENISA working in the program, who shared some details on the research.
“When we talk about smartphones, a lot of people think immediately of the risks inherent to their use, but there are also a lot of benefits,” he muses. “A smartphone is a much more personal device that, for example, a desktop or laptop computer. You carry it around on your person, and rarely leave it unattended. In this aspect, it is a much more secure device than a PC.”
“PCs are also, generally, multi user devices and you must take into consideration the fact that another user might start using it. So you can’t, for example, set a browser to only login as you for banking sites, because your sister might use it and not be able to access her own account. But it is likely that you won’t be sharing your smartphone with anyone, and you can configure it to suit your needs.”
Dekker also mentioned that one of the currently biggest risk tied to smartphone use is the fact that a lot of employees use them to check their email, download work-related documents and carry them around. Loss and theft of the device, therefore, presents a huge risk.
Another huge problem is the lack of user awareness when it comes to security risks involved with the use of smartphones – they simply download applications and trust them implicitly.
“The security model for smartphones is different from that for PCs,” he adds. “The PC model is quite open, and then you install security software and use firewalls to detect malicious programs. If you take the iPhone as an example – you can’t have one application monitoring the actions of another, because the applications are constrained inside sandboxes. And that really restricts the playing field for security companies. We are seeing models where the manufacturer decides which applications are good or bad, and we may be moving in that direction for smartphones.”
Dekker also mentioned that recently Apple made public the guidelines for reviewing applications, and the word “security” has never been mentioned. But, he thinks that in general any application approval process could be improved by the use of a formal verification process, through which you can prove mathematically that an application is safe in the long run.