Posted by Andrew Jaquith on April 7, 2010
Earlier this week SC Magazine published my comments on mobile malware: why I believe there will not be mobile malware pandemic any time soon, and probably not ever. My reply exceeded their length limit, so some of the context was lost. Here are my comments in their entirety.
Security software vendors like to bleat about how mobile phones will be the next big target for malware writers. There’s a sense of inevitability about this, and the story goes like this: Mobile operating systems are becoming a lot like PCs. PCs have lots of malware. Therefore smartphones will have lots of malware — any day now. Security vendors are hoping this will become true so they can sell mobile security software. This idea has at least three problems:
None of these inconvenient facts seems to trouble the vendors much, and every few years someone new makes a fuss. A few years ago, F-Secure and Sophos were banging the drum; then it was Symantec, then McAfee, and now Kaspersky. Not one of these vendors’ predictions has come remotely true, and none of the vendors is making any money (or even selling much product) in this space.
Now, I don’t mean to dismiss some of the valid concerns about privacy. We’ve seen some articles about how easy it is to write code that will riffle through your BlackBerry’s phone address book looking for e-mail addresses to steal. Veracode demo’ed some proof-of-concept code that did that. And we’ve seen some iPhone apps pulled from the App Store because they sent personally identifying information for “instrumentation” purposes that compromised users’ privacy. But these aren’t security problems. They may be potential privacy problems, but at this point we’re talking about authorization battles that are being fought inside the operating system, and on the vendors’ terms. That is a far better situation than what we have today in PC Land. [Ed: I’d include all of the traditional untrusted OSes in this camp: Windows, OS X, and Linux; none of these were built with a “root of trust” bootstrapping model that ensures system integrity, unlike modern smartphone OSes. That is what I meant by mobile OSes being more like toasters.]
To date, enterprises regard mobile security suites (such as they are) as providing marginal benefit. There just haven’t been enough malware incidents to justify the purchase of mobile AV or anti-spyware. For the most part, the feature enterprises want most is remote wipe/remote kill — you can do this easily with the BlackBerry today, and for iPhone and Windows Mobile devices you can do it with existing Windows client management tools. So there’s not much of an aftermarket.
Rob Smith, CEO of Mobile Application Development Partners, published the counterpoint to my position. He states fairly unequivocally that the mobile security threat is real. I suspect we were actually answering different questions: I was commenting about mobile malware, whereas his comments seemed to be about mobile threats generally. I agree with him that plenty of unscrupulous characters will try to take advantage of innocent people. I also agree that the increasingly sophisticated mobile technology those innocents carry with them will undoubtedly be the conduit for some of those attempts.