Secure Coding mailing list archives
Re: Mobile phone OS security changing?
From: Crispin Cowan <crispin () immunix com>
Date: Thu, 07 Apr 2005 03:12:25 +0100
Kenneth R. van Wyk wrote:

> Greetings,
>
> I noticed an interesting "article" about a mobile phone virus affecting Symbian-based phones out on Slashdot today. It's an interesting read: http://it.slashdot.org/it/05/04/06/0049209.shtml?tid=220&tid=100&tid=193&tid=137
>
> What particularly caught my attention was the sentence, "Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"
>
> Apart from the author implying that this is an "or" situation,

I think it is definitely an "or" situation: automatic updates are expensive to provision and fugly for the user. They are just a kludge used when, for some reason, the software cannot be made secure.

That the desktop vendor (Microsoft) has not made their software secure is manifestly obvious. Whether the "can't" or "won't" is subject to rampant debate and speculation. The "can't" view says that legacy software and fundamentally broken architecture make securing it infeasible. The "won't" view says that it was not profitable for MS to spend the effort, and they are now changing.

That the alternate desktop vendors (all the UNIX and Linux vendors including Apple) have made secure desktops is also manifestly obvious (no viruses to speak of, and certainly no virus problem). Whether this is "luck" or "design" is subject to rampant debate and speculation. The "luck" view says that these minority desktops are not a big enough target to be interesting to the virus writers. The "design" view is that the virus problem is induced by:

   1. running the mail client with root/administrator privilege, and
   2. a mail client that eagerly trusts and executes attached code,

and that until UNIX/Linux desktops have both of those properties in large numbers, there never will be a virus problem on UNIX/Linux desktops.

What the phone set people will do depends on which of the above factors you think apply to phone sets. Certainly the WinCE phones with Outlook are about to be virus-enabled. I don't know enough about Symbian to answer. The Linux hand sets could be designed either way; it would not surprise me to see phone set people architecting a phone so that the keyboard is root. It is not exactly intuitive to treat a hand set as a multi-user platform.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com