In security circles, the talk on mobile centers around mobile management, protecting access to and use of corporate information by smartphone users. This summer’s iOS 4 has been a game-changer for most IT organizations, giving the Apple iPhone, iPad, and iPod Touch security capabilities equivalent to those of Windows Mobile and meeting the needs of most BlackBerry users, ending the main objection at many companies for allowing iOS devices in. (When used with BlackBerry Enterprise Server, the RIM device does remain more secure for high-requirements organizations.)
What they’re not talking about are threats that reach the smartphone itself, the equivalent of the malware that ravages Windows PCs every day. There are no equivalents of Symantec’s Norton Antivirus or Kaspersky Lab AntiVrus for the popular smartphones: iPhones, Android devices, and BlackBerrys. (A small company oddly spelled SmrtGuard does offer antivirus apps for Android and BlackBerry devices, as does Lookout for the BlackBerry.) Does that put your devices at risk, or are they somehow inherently secure?
[ Learn how to say yes to (almost) any smartphone in your business in InfoWorld’s guide. | Keep up on key mobile developments and insights with the Mobile Edge blog and Mobilize newsletter. ]
A key reason that so-called endpoint mobile security is not seen as a big deal is that mobile OSes such as iOS, Android, BlackBerry, and the forthcoming Chrome OS use a couple techniques not common on desktop OSes to make infection more difficult. One is sandboxing, which confines apps and their data and requires explicit permission to exchange data among them. The other is code-signing, which makes software developers register and be vetted before their apps can be installed.
“A lot of mobile devices have a very different security model,” says Scott Crawford, a security analyst at the consultancy Enterprise Management Associates (EMA), and the OS makers have built in security from the get-go. “By contrast, the original Windows had very little security,” creating a tempting target early on and an architecture whose vulnerabilities became widely known.
There’ve long been antivirus products for Windows Mobile and Nokia Symbian devices, but they’re not that necessary. All smartphone platforms combined have seen fewer than 1,000 malware threats, versus hundreds of thousands for Windows PCs, notes Khoi Nguyen, group product manager for mobile security at Symantec. In fact, the need for antimalware apps on smartphones is so low that Symantec is focusing on delivering mobile management tools instead.