Thursday, January 05, 2012

Why do people expect so much more from mobile platforms?

Reading Veracode's recent post: Mobile Security – Android vs. iOS, which is an infographic comparing Android and iOS security, I'm left with a few questions, some of which I posted as a comment on their site.

While the graphic does a good job of summarizing the notable differences between these two mobile platforms, I think it approaches the problem with a set of underlying assumptions:

  1. They assume that mobile platforms are fundamentally different than desktop platforms, in terms of what services/facilities/etc. they should provide.
  2. They assume a different/new/enhanced level of responsibility by the mobile platform vendor for security and privacy than we've typically expected from platform providers.

For example, in the section on basic security capabilities they say: "Security and privacy aren't thoroughly tested and unauthorized access to sensitive data has already occurred in both the App store and Android Marketplace."

While this is undoubtedly true, the same can be said about the PC, the Mac, Linux, and any other software/OS platform that is "open" and doesn't try to control and lock down all third-party software distribution.

Perhaps the underlying argument is that new platforms should come with more security controls, and that the ecosystem should be more secure and guaranteed to be so by the platform provider. I haven't seen those promises made explicitly by mobile platform vendors, though they often make them implicitly.

Mostly what I see are people expecting much more from their mobile phone platform than they do from their desktop/laptop platform, and I'm not entirely sure why. Are there a few new threats? Sure: location privacy, and the ability to perform actions that cost money. The latter isn't really new, though; malware that used people's modems to dial premium phone numbers is a pretty old-school attack.

I'm all for platforms themselves becoming more secure over time. Most, if not all, of the mobile platforms have made huge strides in this area over legacy desktop platforms.

What I don't quite understand is why folks are trying to hold mobile platforms to a higher standard for third-party software that it isn't clear they should be in the business of policing in the first place.

Jeremiah Grossman said...

Because that's what they've promised. For Android at least.

"A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc."

Andy Steingruebl said...

They haven't promised that no apps have security bugs though. They have promised a certain security architecture, but not to ensure that no applications have security flaws. They just limit the scope/damage of a security flaw to that application and the data it can access per its permissions, not everything else.

Jeremiah Grossman said...

Agreed, which in my mind is a huge difference between mobile and desktop security expectations.

Allen said...

Because the platforms are fundamentally different. My laptop is not always with me, nor does it have a GPS that can broadcast my position or other information.

I believe the mobile platforms, both devices and apps, need to be responsible towards their users and quickly move to a higher standard.

Gunnar said...

At least two reasons:

1. It's more personal; it's in your pocket, not on your desk.

2. AppMarkets/stores - the implied promise of a curated environment.

Not saying either is logical, but I agree people seem to think about their pocket-sized BSD/Linux boxen differently from desktop ones.