Smartphone security needs to shape up pretty fast if it is to avoid the mistakes that turned the PC into a global crime platform, a new report from EU security agency ENISA (European Network and Information Security Agency) has said.
According to the report, based on detailed interviews with 30 top European developers, security experts and police professionals, smartphones and tablets face a number of attack risks, some pretty obvious, some less so.
The better-documented threats outlined in the report include rogue software sold through online app stores, including apps that carry out subtle surveillance to capture data such as a user’s location or usage habits.
The report also worries about ‘diallerware’ attacks, which work either by installing a rogue app that dials premium rate numbers to defraud users, or a simple SMS social engineering con which tricks users into replying to a similarly expensive service number. This type of attack is already becoming a problem in the UK even as the networks look on, apparently unconcerned.
One of the simplest security problems is the decommissioning and recycling of smartphones, vast numbers of which are passed on to third parties without the data on them having been properly wiped.
The authors note that smartphones come with unusual features such as the ability to remotely de-activate a rogue app, as well as the ability to remotely delete data in some situations. The problem is that there is no standard way of implementing any of this.
Recommendations include that developers include encryption and device access security as standard – many don’t at present. Patching and privacy management should also be improved and standardised, and the industry should develop a way to make remote security possible without users feeling controlled.
The oddity of the report, and indeed of all reports on smartphone security, is that it has to put the threat into context with few real examples to call upon. Real attacks on smartphones are still rare in an age when PCs remain the number one target.
What is clear is that the potential for attack on consumers and especially business smartphone users is very real. Unlike the PC industry, which sleepwalked into a bad situation without properly assessing the potential for harm, the smartphone industry has at least been amply warned.