
Mobile Device Security

John Viega, Perimeter eSecurity
Bret Michael, Naval Postgraduate School

Pages: pp. 11-12

Today's handheld devices are powerful enough to be considered personal computers because you can use them to do most things people want to do on a desktop, including processor-intensive tasks such as watching movies. All that computing power is good—unless it's harnessed for evil.

With devices such as the iPhone and the wealth of new Google phones, the number of mobile devices powerful enough to be interesting to the bad guys is swelling rapidly.

Security Challenges in Mobile Devices

Society is becoming dependent on a wide array of mobile devices, not just cellular phones. In Europe, most credit-card swipes at restaurants are performed with mobile devices. RFID is becoming widespread in inventory management. And the military uses wireless devices for a wide variety of applications, including on the battlefield.

So far, mobile devices haven't been anywhere near as big a target as have desktop machines. However, they haven't been spared, either—for instance, attacks have occurred on the Symbian OS (used in many smart phones) that let a malicious actor pay for goods and services in Europe via SMS, from the phone of some rube in another city, maybe even another country.

Anything an attacker might want to do on a desktop is likely to be just as interesting on a mobile phone, such as sending spam or capturing online-banking credentials. Additionally, many mobile devices are always on and reachable over the network, so attackers have ample opportunity to connect to them and attempt exploitation.

Attackers face some drawbacks in targeting mobile devices, and the biggest has been limited computing power. They want to do their nefarious deeds without users noticing, and malware that visibly slows a device down gets noticed. So a mobile device needs computing power to spare before it becomes interesting to the bad guys. That day has arrived.

Certainly, it's possible to build a reasonably secure mobile device, just as it's possible to build a reasonably secure desktop. The iPhone is a good example. It has a fairly good security model in which applications are isolated from one another, and because an application runs only while the user has it in the foreground, it's basically impossible to run one without the user noticing. But this security comes at the expense of functionality: the iPhone currently doesn't allow third-party applications to keep running in the background while another application is in use.

The small form factor and slower processors in mobile devices can also make them hard to secure:

  • It can be tough to gather good diagnostic information from users' devices without affecting the device's performance.
  • Traditional host security technologies, such as antivirus sweeps, can slow down the device enough to make it unusable.
  • Key management is a huge problem that hasn't been well addressed in this environment.
  • Security assessments of special-purpose devices are more expensive to conduct, and the typically short lifespan of a mobile device leaves less time to recoup that cost before the next model ships.

The infrastructure supporting mobile devices can also be a problem. For instance, eavesdropping on phone calls over a GSM network can be accomplished with about US$10,000 worth of equipment. GSM calls aren't encrypted end-to-end: the only encryption is on the radio link between the handset and the base station, and the A5/1 cipher used there has publicly known weaknesses, so an attacker who captures the signal as it goes through the air can intercept the call.

In this Issue

Clearly, mobile devices are becoming critical to our lives, so it would be nice if we knew how to make them robust and secure. In this special issue, several leading experts report on the state-of-the-art in mobile security and reliability.

In the article "A Mobile Biometric System-on-Token System for Signing Digital Transactions," by Ricardo Ribalda, Guillermo González de Rivera, Ángel de Castro, and Javier Garrido, we learn about a biometric on-token authentication system that ties in to existing public-key infrastructure.

Bluetooth is a widespread mobile communications technology, popular because it requires less power than 802.11 wireless. In the article "Taming the Blue Beast: A Survey of Bluetooth Based Threats," John Dunning gives a detailed overview of the security model, as well as practical threats and attacks on Bluetooth technology.

In their article "Making Smart Cards Truly Portable," Karen Lu and Asad Ali describe how to solve the portability problems that have kept smart cards from being a practical way to provide secure online access.

The final article in this issue is "Google Android: A Comprehensive Security Assessment," by Asaf Shabtai, Yuval Fledel, Uri Kanonov, Yuval Elovici, Shlomi Dolev, and Chanan Glezer. Being able to place trust in the Android operating system matters because Android not only serves as the foundation for a wave of phones such as the HTC Droid and the Google Nexus One, but is also expected to be widely adopted in all sorts of other mobile devices.

In all, these papers give great insight into the direction that the industry is going. We have a long way to go, but it's good to see we're on the right path.

About the Authors

John Viega is executive vice president of products and engineering at Perimeter eSecurity. His most recently published books are The Myths of Security: What the Computer Security Industry Doesn't Want You to Know and Beautiful Security: Leading Security Experts Explain How They Think (O'Reilly Media, 2009). Contact him at
Bret Michael is a professor of computer science and electrical engineering at the Naval Postgraduate School. His research interests include dependable trustworthy distributed computing, computer-assisted formal verification and validation, and cyber warfare. Michael has a PhD in information technology from George Mason University. Contact him at