Security Concerns

By Andrew Garcia  |  Posted 2009-07-01

A New Wave of Smartphone Platforms Attracts New Corporate Users--and IT Concerns

The release of the Palm WebOS mobile operating system on the new Pre, along with recent upgrades to both Apple's iPhone OS and Google's Android operating system, has drawn another sizable wave of new consumers to intelligent smartphones.

Given the obvious computing potential of these platforms, the rich application development environments attached to each and their enterprise-ready features, companies may be ready not only to let users attach these devices to corporate resources, but to invest in the platforms internally.

But these enterprises must at the same time take a hard look at each of these platforms to ensure that they not only meet today's mobile computing needs, but also have the capability (or a clear road map) to interoperate with other technology initiatives in progress to fulfill the needs of tomorrow, as well.

The enterprise argument for the viability of each of these mobile operating systems ironically revolves around their adoption of a Microsoft technology, EAS (Exchange ActiveSync). Baked directly into Palm's WebOS and Apple's iPhone OS, and added to Android via third-party implementations such as Emtrace's Moxier Mail, EAS on each of the platforms effectively fills the first-generation mobile device gaps for corporate users: the secure and timely delivery of mail and the two-way synchronization of calendar and contacts.

Depending on the EAS implementation within these mobile operating systems, EAS may also help alleviate next-generation corporate needs by delivering certain management functions, such as remote wipe or policy delivery and enforcement.

With the newly available iPhone 3.0 software upgrade, Apple at this time is ahead of both Android and WebOS with its integration into Microsoft's data center solutions, as the iPhone now can enforce password usage and settings like password complexity, expirations and history.

But this reliance on EAS won't solve all the enterprise management needs for these devices, as issues such as firmware management and encryption enforcement lay outside EAS' scope.
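As an added illustration (not from the article, and not a Microsoft reference example), here is how an Exchange administrator would define the kind of EAS policy the article describes in the Exchange Management Shell of Exchange 2007 SP1 or 2010, with a permissive policy beside a hardened one. The policy names "LegacyPermissive" and "CorporateSmartphones" and the mailbox "jdoe" are placeholders; the cmdlets and parameters are the ones those Exchange versions expose for device password rules, policy assignment and remote wipe. Encryption enforcement and firmware management, which the article places outside EAS, are deliberately not part of it.

```powershell
# Added example, not from the article. Exchange 2007 SP1 / 2010 Exchange Management Shell.
# "LegacyPermissive", "CorporateSmartphones" and "jdoe" are placeholder names.

# Weak setting: devices may sync without any password, and devices that cannot
# apply policies at all (non-provisionable) are still admitted.
New-ActiveSyncMailboxPolicy -Name "LegacyPermissive" `
    -DevicePasswordEnabled $false `
    -AllowNonProvisionableDevices $true

# Hardened setting: the password rules the article says iPhone 3.0 can enforce
# (complexity, expiration, history), plus inactivity lock and wipe after repeated failures.
New-ActiveSyncMailboxPolicy -Name "CorporateSmartphones" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -MaxInactivityTimeDeviceLock 00:10:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false

# Assign the hardened policy to a mailbox; the handset picks it up on its next sync.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "CorporateSmartphones"

# Check which devices have acknowledged the policy and when they last synced.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceType, DeviceID, LastPolicyUpdateTime, LastSyncAttemptTime -AutoSize

# Remote wipe of a lost device, selected by the DeviceID shown in the listing above
# ("<DeviceID>" is a placeholder to be replaced with the real value).
$device = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq "<DeviceID>" }
Clear-ActiveSyncDevice -Identity $device.Identity -Confirm:$false
```

The practical point for the article's argument is the last two steps: a policy is only as good as the device's acknowledgement of it, so LastPolicyUpdateTime is the value to audit, and a wipe request is queued server-side and takes effect only when the device next connects.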

Despite the iPhone's recent gains in enterprise usability with iPhone 3.0, future firmware updates are still delivered by hooking a device up to a computer running iTunes. On the other hand, WebOS and Android devices both receive their updates over the air directly from the operator or hardware manufacturer, taking upgrades out of the hands of IT administrators completely. Companies that wish to standardize their mobile fleet on a specific version to ease ongoing support may find the upgrade process hard to control. Certainly, these updates could come fast and furious, as Palm has not been shy about new releases, unleashing three point upgrades in the first month the platform was shipping on the Pre.

Security Concerns

According to Patrik Runald, chief security adviser for anti-malware vendor F-Secure, the threat landscape for mobile devices is not particularly active, and whatever action there is concentrates on Symbian and Windows Mobile rather than upstart mobile operating systems such as WebOS.

Indeed, Runald said his company has found that, at this time, corporate customers are much more interested in pursuing on-device encryption and policy enforcement than in implementing anti-malware protections.

If that's the case, the current lack of available on-device anti-malware solutions for iPhone OS, Android and WebOS may not be an issue. Even the PCI DSS (Payment Card Industry Data Security Standard) 1.2 doesn't address these platforms, as the specification calls for anti-malware protections only on systems known to be commonly attacked.

However, if the need for such security does arise down the road, the iPhone could present a problem. Given that the iPhone SDK does not allow third-party developers to create background applications, an on-device anti-malware platform is not currently possible.

To hammer home this point, Runald demonstrated a spying application for the iPhone called FlexiSpy that monitors and intercepts call logs, text messages and GPS location logs. FlexiSpy requires the iPhone be jailbroken to start installation, but the software comes with complete instructions on how to perform the jailbreak, along with tips to hide evidence of both the application and the jailbreak. Since security vendors aren't going to develop for a jailbroken operating system, the potential exists for threats without resolution that could be used to steal communications or other data.

As a full-fledged operating system, the iPhone has time and again proved to be full of security vulnerabilities, many of which take Apple months or more to fix, so the potential exists for badware to find its way onto the device without any recourse for centralized detection or cleaning.

The iPhone is not alone in this weakness: WebOS has already been patched (Version 1.0.4) to cover up a flaw that allowed users to install unsigned (and therefore unauthorized) applications, and users quickly found upon Android's release last fall that root access could be gained easily due to an erroneous boot instruction.

The point isn't that these bugs exist (as they have and will occur in every platform); the point is that there is no second line of defense available for enterprises to ensure mobile device security, nor will there likely be one any time soon.

Another area where the lack of background applications will hurt the iPhone will be in the integration of mobile UC (unified communications) services, particularly applications that leverage presence or real-time communications such as VOIP (voice over IP). While Apple's new background notification system may prove adequate for dealing with text-based services like instant messaging, such notifications will likely not be satisfactory to provide soon-enough notification to VOIP users getting an inbound voice (or someday video) call.

A third-party networking solution may be able to extend the iPhone a four-digit extension on a corporate PBX by forwarding the device's cell phone number, but connecting to an iPhone via VOIP is currently out of the question.

Because they do support applications running in the background, WebOS- and Android-based devices would be much better alternatives as corporate UC handsets, but with these devices, the question instead becomes one of market penetration. Third-party UC application vendors aren't going to consider developing for upcoming platforms until a critical mass of devices is out in the market, preferably in the hands of corporate users. The iPhone likely already has hit the necessary level of penetration, but other devices are undoubtedly not close enough yet.

In the meantime, these types of services, as exemplified by cellular-to-voice-over-Wi-Fi fixed mobile convergence solutions like those from Agito and DiVitas, will remain the province of platforms with much wider worldwide adoption and support for background applications, such as Windows Mobile and Nokia devices running Symbian. Even Research In Motion's extremely enterprise-friendly BlackBerry platform has been somewhat late to this level of convergence, as Agito only recently announced FMC support for RIM devices.

Senior Analyst Andrew Garcia can be reached at