SAN FRANCISCO - Mobile security is a top concern for many in the modern era of smartphone pervasiveness. Yet according to a panel of mobile security experts at the RSA conference this week, a lot of the concern has been misplaced.
Charlie Miller is one of the most well known and respected mobile hackers in the world. Miller was the first to hack an iPhone back in 2007 and has won multiple Pwn2own events as well. For his efforts, both Apple and Google have kicked Miller out of their respective developer programs.
Even though Miller has found more than his fair share of mobile vulnerabilities over the years, his concerns are not the same as the mainstream media hype over mobile security. At the top level, Miller said that when it comes to Android, the biggest risk is outdated and un-patched versions of the software.
Miller added that the latest versions of Android have security patches and improved exploit mitigations. The risk of a drive-by attack, one where a user does nothing and then is exploited simply by visiting a site, is not a big concern to Miller.
"People think that drive-by is a big threat, but in real life they just don't happen," Miller said. "If you take away the stuff that the people on this panel have done, the reality is that drive-by is something that people are scared about, but is not going to happen."
Mobile security researcher Dino Dai Zovi echoed Miller's sentiment on drive-by downloads. In his view, the real risk is malicious apps. Tiago Assumpcao of IOactive stressed that consumers really can't control security on their phones all that much from an exploit mitigation perspective.
"I can't make my phone better for ASLR," Assumpcao said. "We just have to hope that Apple or whoever the mobile vendor is, is doing a good job."
Anti-Virus Or Not?
In the desktop world, anti-virus is a must have for many platforms. The same is not as true when it comes to mobile.
"If you want to talk about anti-virus for phones it doesn't make sense," Miller said. "The way that phones are made, apps are downloaded with privileges on purpose."
Miller explained that both Google and Apple already do anti-virus scanning on everything that goes through their respective app stores. They both, in varying degrees, can also remove apps from a user's device if at some point malware is detected.
Yet vendor app store anti-virus scanning is not perfect.
Miller cited some research into Google's Bouncer anti-virus App Store scanning technology. Bouncer works by emulating a phone. Miller argues that malware code is able to detect the emulation and simply not execute its payload when running under emulation.
"So inside of Bouncer, the app will be well behaved and then on the real phone it will do something nasty," Miller said. "On the real phone it could download stuff and run it, cause that's something that Android apps can do."
Dai Zovi stressed that Apple takes a different approach. Specifically, Apple disallows the dynamic loading of code, so an app could not automatically download executable content.
"When Apple scans an apps code, that's the only code that can run," Miller said. "On Google, that's the code that will start when the app is loaded but you don't know what could be loaded after it starts."
Miller's research into Google's Bouncer is the reason why he earned a lifetime ban from Google's developer program.