Smartphone app security issues being overlooked by companies

21 July 2010

Recent press reports that smartphones can be plundered by cybercriminals for their data have been confirmed by the chief technology officer of Veracode, who claims that application software (apps) is often being overlooked when it comes to testing the security of smartphones in the business environment.

In an interview with Infosecurity, Chris Wysopal, who spoke late last week at a security event, said that it is the apps that run on a smartphone that company IT departments are overlooking.

"Our researchers say that they can extract a lot of data from an app on a smartphone. There's a lot of talk about security, but there isn't that much which protects companies from smartphone malware", he said.

"We have already seen malicious proof of concept malware on smartphones," he added, noting that it is only a matter of time before real smartphone malware in the wild starts appearing.

Rather than look at all the smartphone platforms for insecure apps, Wysopal recommends that company IT departments should focus on the main platforms – BlackBerry, iPhone and Android – before moving on to secure Symbian and Windows Mobile apps where appropriate.

There may, he says, be an argument for creating a pool of approved apps from which staff can download for use on company mobiles, so helping to prevent any untested software from causing problems.

"The problem is that smartphone platform developers are trying to get as many apps as they can into the marketplace at the moment, and since each smartphone vendor has different approval systems, it's difficult to tell which apps are the most secure", he explained.

IT managers need to take special care with the Android platform, he says, as this has no formal approval mechanism for apps, and it is much the same with the BlackBerry, which only has an app revocation system in place, as does Apple, in the event that rogue applications start circulating.

The situation surrounding smartphone security, he went on to say, is similar to where we were in the late 1980s with PC software, when the first viruses for the PC platform started to appear.

It was, he says, at that point that AV vendors started protecting PCs against malware and users were a lot more secure.

The problem facing smartphone users, he adds, is that few smartphone vendors have the facilities to check an update – once an app is installed in the Android platform, for example, he says it can then pull down new code from the internet.

"There is a definite need for corporates to approve the apps that they run on their company smartphones. It's no longer simply a case of relying on the vendors to carry out the required checks," he said, adding that if a simple privilege exploit arrives in the marketplace, it can end up compromising a company IT system.

This article is featured in:
Wireless and Mobile Security
