As twilight approaches for 2011, security vendors have set their gaze on the rise of Android malware during the year and what is ahead. Last week, Juniper Networks entered the fray, declaring the number of malware samples it observed targeting devices running Google Android had shot up nearly 500 percent since July. Today, McAfee released its threats report for the third quarter of the year, which found that the amount of malware targeting Android devices jumped 37 percent since the second quarter. While there is no doubt the amount of malicious programs with Windows in their bull’s eye dwarfs the amount of threats to mobile devices, the focus on Android malware have left some wondering how to separate fact from hype.”
Sometimes I read an article about open source that drives me nuts. A recent one stated, without irony, that ‘critics have been pounding the table for years about open source being inherently insecure’ and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market.
Let me speak to the first one: Open source, which as you know is present in a major way in all three major mobile phone operating systems (android, ios, rim) is software, and software can be insecure. I would posit that popular open source software only gets to become that popular if they pay close attention to security and respond to users concerns about the same, otherwise other projects come to the fore.
For example, in the dusty spans of time, both sendmail and apache went through a year or multiyear period when after they hit 95% and 70% marketshare where the security flaws started becoming a problem on the growing internet.
Sendmail saw multiple oss and proprietary competitors (qmail comes to mind) and over a period of years educated enough sysadmins on how to wrestle sendmail.cf appropriately and fixed problems with the system to stem the loss of marketshare to other vendors and projects.
Similarly, Apache saw people rejecting many of the modules that were perceived to be (And often were) problematic. Some modules didn’t come back, some came back stronger or with stronger default options.
So in the spirit of making a positive post here are some facts for future writers of articles about open source, mobile os’ and security. A Cheat sheet, if you will:
IOS and Android both use webkit derived browsers, Webkit is coded by android, chromuim and apple developers, and (edited: to fix a sentence here) both use code from the original khtml projects out of KDE.
Both use , at their core, open source kernels (ios uses a bsd derivative, android, a linux one).
Every single CE device uses tons of libraries from open source, especially openssl.
Every single CE device owes a huge technical thank you to GCC. most are built using gcc.
All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets.
No major cell phone has a ‘virus’ problem in the traditional sense that windows and some mac machines have seen. There have been some little things, but they haven’t gotten very far due to the user sandboxing models and the nature of the underlying kernels.
No Linux desktop has a real virus problem.
Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.
Yes, a virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn’t independence day, a virus that might work on one device won’t magically spread to the other. (and yes, I saw the deleted scene http://www.cracked.com/article_18720_7-famous-movie-flaws-that-were-explained-in-deleted-scenes.html )
If you read an analyst report about ‘viruses’ infecting ios, android or rim, you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence.
If you read a report from a vendor that trys to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.
Please note: Policy engines, and those tools that manage devices from an corporate IT department are not the same thing at all, but sometimes marketers in companies that sell such things sometimes tack on ‘virus’ protection. That part is a lie, tell your vendor to cut it out.
So there you go. I’m sure people will now chime in about some worm or malware they downloaded from some app market or something, which will be moderately fun, then it will devolve into a discussion about something unrelated, then I’ll cancel comments. 🙂