More
    spot_img
    HomeInsightsCertification the best protection

    Certification the best protection

    -

    Malicious code targeting mobile devices is expected to increase both in number and severity over the next six months, according to Symantec’s latest Internet Security Threat Report, but anti-virus software may not be the answer.

    Between July and December 2004 there were 21 known samples of malicious code for mobile applications — compared to just one in the previous six months.
    This rise in damaging malicious code is predicted to increase even further as more and more people use mobile devices like smart phones and PDAs to connect to their corporate networks and to the Internet. According to Symantec, the release of the Cabir worm source code in December — a ‘proof of concept’ virus designed to spread from device to device via Bluetooth — is an indication of things to come, but with more widespread and damaging consequences.
    Graeme Pinkney, Symantec’s Head of Threat Intelligence, EMEA, said, “Just this month we saw the Commwarrior worm, which uses a mobile phone’s telephony technology [the phonebook or contact list via MMS] rather than Bluetooth to spread internationally in the same way that a mass mailing worm does via email on a PC.
    “We’re predicting that these types of telephony-based threats will become more common and sophisticated.  It’s not a question of ‘if’ anymore, but ‘when’.”
    The report also predicts a rise in the amount of malicious code embedded in audio and video images, following Microsoft’s announcement of a vulnerability in its implementation of the JFIF image file format that could potentially allow images files displayed on a host system to execute malicious code.
    “We could also start to see malicious code that works in different and smarter ways, targeting devices like iPods for example,” Pinkney said.
    Industry consultant Northstream played down the threat, however. It conceded that mobile viruses infecting phones through Bluetooth and MMS create a growing need for the wireless industry to act.
    “The appearance of mobile viruses shows that many of today’s mobile phone models are vulnerable to attacks.
    “Still, the threat is by no means comparable to what PC users are exposed to through the Internet. Also, the fact that users have to confirm multiple times before a virus can infect their device creates further hurdles for mobile viruses to propagate”, Arndt Mitwer, senior advisor at Northstream, said.
    Nevertheless, mobile viruses could do significant damage to mobile phone users, for example generate unauthorised chargeable events, modify or erase user data, draining the battery or even making services inaccessible. Such incidents could also mean that service providers and handset manufacturers risk losing revenues, brand image and eventually customers.
    “There is a threat to smartphone users, but it’s not necessarily so imminent that it would justify carrier-grade investments into mobile anti-virus solutions. However, service providers with smartphone users should consider how to protect them, for example by offering handset-based anti-virus software, and ensure that mobile applications are tested and certified for quality and security”, Mitwer added.
    Mitwer said that in addition to protecting users, application certification can improve user experience and open up new possibilities for developers — it’s therefore a means to protect existing revenues and grow the business in the future.
    “Service providers, handset vendors and application providers should define strategies on how to secure and grow the mobile content business. Application certification, and targeted anti-virus measures should be part of such a strategy”, concludes Arndt Mitwer.
    Certification initiatives such as Java Verified go into the right direction, but need to be amended to cover security testing and — at least in the short term — anti-virus software to smartphones, Mitwer said.