By Chris Higby & Kurt Wimmer
Yesterday, the Federal Trade Commission held a forum on “Mobile Security: Potential Threats and Solutions.” The forum brought together academics, industry leaders, and security experts to discuss the security problems arising from the rapid adoption of mobile devices.
The first panel, consisting of security experts and researchers, gave a brief overview of mobile malware. They agreed that mobile malware infection rates are generally very low and that most malware accesses private information by using social engineering, rather than by exploiting technical flaws. Looking forward, Dan Guido, CEO of Trail of Bits, viewed the replacement of legitimate applications in app stores with malware versions as the most serious threat.
The second panel, consisting of security representatives from the major mobile operating systems (Microsoft’s Windows Phone, Google’s Android, Mozilla’s Firefox OS, Research In Motion’s BlackBerry, and Apple’s iOS), addressed how mobile platforms are designed with security in mind. Adrian Ludwig of Google advocated the use of install-time permissions, such as those found in Android, as a way to increase transparency to the user. However, both Adrian Stone of BlackBerry and Geir Olsen of Microsoft expressed skepticism as to the effectiveness of permissions for the average user. Ludwig also criticized Apple’s approach of restricting users to “curated” app stores as a restriction on user choice.
The third panel contained a diverse group of industry representatives and addressed the perspectives of chipset manufacturers, mobile service providers, security consultants, and developers on mobile security. Alex Rice, the head of product security at Facebook, focused on the industry’s lack of coordination in the patching process. He said that in many cases, the lines of communication between the operating system developer, the original equipment manufacturer, and the end user are broken upon the launch of the product, resulting in some users never receiving operating system patches. Additionally, he expressed concern over the current industry practice of waiting until a significant number of users are affected by a particular vulnerability before patching. Alex Gantman of Qualcomm, in contrast, expressed the view that patching was not an efficient use of resources. He argued that, due to very low rates of mobile malware infection, security vulnerabilities do not degrade the user experience. Additionally, John Marinho of the CTIA disputed claims that the manufacturers and mobile service providers do not coordinate with operating system developers to provide timely patches.
The fourth panel focused on passwords and security products. Markus Jakobsson, CTO of Fatskunk, advocated a password system called “fastwords” that enables a user of a mobile device to quickly enter a secure and memorable password. Other panelists focused on the need for increased regulations applying to stolen phones.