Security Concerns

By Andrew Garcia  |  Posted 2009-07-01


According to Patrik Runald, chief security adviser for anti-malware vendor F-Secure, the threat landscape for mobile devices is not particularly active, and whatever action there is concentrates on Symbian and Windows Mobile rather than upstart mobile operating systems such as WebOS.

Indeed, Runald said his company has found that, at this time, corporate customers are much more interested in pursuing on-device encryption and policy enforcement than in implementing anti-malware protections.

If that's the case, the current lack of available on-device anti-malware solutions for iPhone OS, Android and WebOS may not be an issue. Even the PCI DSS (Payment Card Industry Data Security Standard) 1.2 doesn't address these platforms, as the specification calls for anti-malware protections only on systems known to be commonly attacked.

However, if the need for such security does arise down the road, the iPhone could present a problem. Given that the iPhone SDK does not allow third-party developers to create background applications, an on-device anti-malware platform is not currently possible.

To hammer home this point, Runald demonstrated a spying application for the iPhone called FlexiSpy that monitors and intercepts call logs, text messages and GPS location logs. FlexiSpy requires the iPhone be jailbroken to start installation, but the software comes with complete instructions on how to perform the jailbreak, along with tips to hide evidence of both the application and the jailbreak. Since security vendors aren't going to develop for a jailbroken operating system, the potential exists for threats without resolution that could be used to steal communications or other data.

As a full-fledged operating system, the iPhone has time and again proved to be full of security vulnerabilities, many of which take Apple months or more to fix, so the potential exists for badware to find its way onto the device without any recourse for centralized detection or cleaning.

The iPhone is not alone in this weakness: WebOS has already been patched (Version 1.0.4) to cover up a flaw that allowed users to install unsigned (and therefore unauthorized) applications, and users quickly found upon Android's release last fall that root access could be gained easily due to an erroneous boot instruction.

The point isn't that these bugs exist (as they have and will occur in every platform); the point is that there is no second line of defense available for enterprises to ensure mobile device security, nor will there likely be one any time soon.

Another area where the lack of background applications will hurt the iPhone will be in the integration of mobile UC (unified communications) services, particularly applications that leverage presence or real-time communications such as VOIP (voice over IP). While Apple's new background notification system may prove adequate for dealing with text-based services like instant messaging, such notifications will likely not be timely enough for VOIP users receiving an inbound voice (or someday video) call.

A third-party networking solution may be able to extend the iPhone a four-digit extension on a corporate PBX by forwarding the device's cell phone number, but connecting to an iPhone via VOIP is currently out of the question.

Because they do support applications running in the background, WebOS- and Android-based devices would be much better alternatives as corporate UC handsets, but with these devices, the question instead becomes one of market penetration. Third-party UC application vendors aren't going to consider developing for upcoming platforms until a critical mass of devices is out in the market, preferably in the hands of corporate users. The iPhone likely already has hit the necessary level of penetration, but other devices are undoubtedly not close enough yet.

In the meantime, these types of services (as exemplified by cellular-to-voice-over-Wi-Fi fixed mobile convergence solutions like those from Agito and DiVitas) will remain the province of platforms with much wider worldwide adoption and support for background applications, such as Windows Mobile and Nokia running Symbian. Even Research In Motion's extremely enterprise-friendly BlackBerry platform has been somewhat late to this level of convergence, as Agito just recently announced FMC support for RIM devices.

Senior Analyst Andrew Garcia can be reached at

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
