An InStat survey shows that despite the downturn in the economy, the smartphone segment of the mobile phone market is growing rapidly. According to the survey, total smartphone sales are expected to reach 412 million units in 2014. As a percentage of the overall handset market, smartphones are expected to account for more than 25 percent, according to ABI Research.
Smartphones use a number of different mobile operating systems, known collectively as “open operating systems.” Initially dominated by Symbian and Windows Mobile, the latest figures give a significant share of the market to Apple’s iPhone and Android-based devices. Research In Motion (RIM) is, of course, very strong, particularly in North America. New open mobile operating systems such as LiMo and Moblin – based on the Linux kernel and expected to hit the markets in 2010 – are also expected to gain significant traction.
These operating systems differ in their user experience and feature set, yet they all enable the phone’s owner to install applications on the device. While the ability to download applications allows the end-user to use the device in ways he never believed possible, it comes with huge security risks. These risks are not limited to the individual subscribers, but extend to service providers and enterprises as well.
SIM “UN”LOCK – NO EXCLUSIVITY, 100% GUARANTEED
Since its launch in June 2007, Apple’s iPhone has redefined the smartphone category, generating unprecedented interest from enterprises, service providers and consumers. Apple planned to launch the phone exclusively with AT&T in the United States and then gradually roll out the devices to other territories. Apple’s preferred policy is, and always has been, an end-to-end offering with a tightly controlled ecosystem. Over the years, this strategy has known good times as well as bad, but it is an inseparable part of Apple’s overall approach. The iPhone is no exception.
Yet as we have learned over the years, nothing incentivizes hackers more than an exclusivity agreement and a tightly controlled ecosystem. Less than two months after the device’s release, hackers managed to bypass Apple’s unique and very sophisticated SIM Lock mechanism, offering SIM-free applications and services. Today it is estimated that about 25 percent of the iPhones sold in the United States are operated on other networks. For AT&T – which subsidizes the cost of the device – this represents a significant loss in revenue.
ONLY APPROVED APPLICATIONS – WELL, NOT REALLY
Bypassing the SIM Lock was only the first step in the hackers’ affair with the iPhone. During July 2008, Apple released the iPhone SDK, which allowed developers to create new applications for the iPhone. Adhering to its traditional strategy, Apple allowed these applications to be sold exclusively through Apple’s App Store. The distribution model entitles Apple to 30 percent of the revenues from downloaded applications, leaving 70 percent for the developers. RIM followed suit and opened its application store on April 1, 2009, charging developers $200 for every 10 applications they upload. During 2009, Android, Nokia and Microsoft launched similar offerings for their application developers, all with various revenue sharing models.
As noted above, nothing incentivizes the hacker community more than an exclusivity agreement. The first “iPhone Jailbreak” application was released on July 10, 2007, less than two weeks following the iPhone’s launch. Jailbreaking applications allow the user to install content or applications that were not downloaded from the Apple store. Today, the iPhone Dev Team is the most active group of hackers, constantly updating their applications as Apple tries to protect its revenues.
Google suffered the same fate as Apple on Aug. 16, 2009. A hacker codenamed Rye Brye exposed the ability to obtain super-user or root privileges on Android devices in a single click. Having root privileges effectively bypasses almost any service restrictions and content protection mechanisms.
AND WHAT OF OUR PERSONAL DATA
While the end-user may benefit from various hacks, the vulnerabilities of the operating system pose other threats, placing the end-user at risk. Viruses and Trojan horses can reveal and/or modify personal information. The first mobile virus dates back to July 2004, targeting the Symbian OS.
As the prevalence of smartphones increases, mobile viruses are expected to become a real threat. These viruses can grab personal payment information such as credit card numbers, illegally obtain contact information from our private phone book stored on the mobile phone, and access our home network using a mobile device’s Wi-Fi capabilities.
MAKING SMARTPHONES ROBUST TO ATTACKS
Securing smartphones, and the applications that run on top of them, is a two-phase process. The first phase requires the mobile device manufacturer to protect the kernel – the part of the operating system most vulnerable to attack. This layer of protection can be achieved using a secure boot mechanism. Secure boot relies on cryptographically approved operating system components: each component is checked at startup, and the device will not boot once it detects that one of them has been tampered with.
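The check that secure boot performs can be shown in a few lines. This is an added illustration, not code from the article or from any vendor: it assumes a simplified design in which the SHA-256 digest of a component manifest is fixed in hardware, whereas production devices typically verify a vendor signature on that manifest. The component names and images are constructed samples.

```python
import hashlib
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(components: dict) -> bytes:
    """Vendor side: record the approved digest of each component, in boot order."""
    entries = [{"name": n, "sha256": digest(img)} for n, img in components.items()]
    return json.dumps(entries, sort_keys=True).encode()


def secure_boot(root_digest: str, manifest: bytes, flash: dict) -> tuple:
    """Device side: return (booted, reason), stopping at the first failed check."""
    # 1. The manifest itself must match the value anchored in hardware.
    if digest(manifest) != root_digest:
        return False, "manifest does not match root of trust"
    # 2. Each component is verified before control would pass to it.
    for entry in json.loads(manifest):
        image = flash.get(entry["name"])
        if image is None:
            return False, f"{entry['name']} missing"
        if digest(image) != entry["sha256"]:
            return False, f"{entry['name']} failed verification"
    return True, "all components verified"


# Constructed sample images standing in for real firmware blobs.
APPROVED = {"bootloader": b"BL v1", "kernel": b"KERNEL v1", "system": b"SYSTEM v1"}
MANIFEST = build_manifest(APPROVED)
# Assumption: this value lives in read-only hardware and cannot be rewritten.
ROOT_DIGEST = digest(MANIFEST)


def demo() -> list:
    modified = dict(APPROVED, kernel=b"KERNEL v1 (modified)")
    rewritten = build_manifest(modified)  # manifest changed to match the new kernel
    return [
        secure_boot(ROOT_DIGEST, MANIFEST, APPROVED),   # untouched device
        secure_boot(ROOT_DIGEST, MANIFEST, modified),   # kernel changed
        secure_boot(ROOT_DIGEST, rewritten, modified),  # kernel and manifest changed
    ]


if __name__ == "__main__":
    for booted, reason in demo():
        print(booted, reason)
```

The third case shows why the anchor has to sit outside rewritable storage: a modified kernel with a matching rewritten manifest is still rejected, because the manifest no longer matches the fixed root value.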
Secure boot by itself, however, does not provide sufficient security. A second security phase is needed to combat a common though sophisticated attack known as a “buffer overrun.” This attack exploits vulnerabilities within validated OS components to create security breaches. To resist such incursions, more sophisticated mechanisms are needed. These mechanisms employ hardware-based components as their root of trust, reducing the risk of a hacker creating an attack that can be easily distributed to other devices.
SECURITY IS STRATEGIC TO DEVELOPMENT
As smartphones become more prevalent and entrenched in our work and home lives, their security requirements increase as well. Robust protection is essential – not only for the proper functioning of these devices, but also for the data, transactions and licensed content stored and enjoyed on them. Without such safeguards in place, people will never feel safe using smartphones, thereby preventing these powerful innovations from ever reaching their full potential.
Motty Alon is software products line manager at Discretix.