Thursday, 14 May 2009

The release of the first mobile phones that enable users to install applications from potentially unknown sources presents security challenges for organisations, says Detica, the information intelligence specialists. Businesses need to address the potential risk through their security policies or face the consequences of data leakage, data theft and disruptive malware.

Newer mobile phones such as Google’s G1, Apple iPhone and Symbian OS phones include capabilities for developers to introduce their own code and applications, significantly transforming the mobile phone security landscape. Whilst some manufactures heavily regulate these processes, avenues are emerging for rogue developers to place malicious code onto these devices.

Whereas earlier handsets like the Blackberry use software supplied by large, well-known third-party organisations, the trend towards mass application development places a much greater onus on users to trust the applications they choose to download and install. Inevitably there will be attempts to introduce malicious code into the application ecosphere.

Andy Clark, Head of Forensics at Detica, said: “Users will find it highly beneficial to be able to store large quantities of personal and sensitive information on their computer-phones and will look to take advantage of the third party software written for these new phones. But this fact will not be lost on fraudsters and criminals, and the technology will inevitably attract data thieves and virus writers. How will users know what third party software they can trust?

“Suddenly mobile phone forensics has gone mainstream – their computing facilities and third party applications mean that we must apply many of the usual practices and procedures for general IT forensics.

“The introduction of USB drives stimulated a widespread review of organisations’ security policies as it became clear that large quantities of corporate data and intellectual property could be copied and removed with ease. The ease of downloading potentially unverified third party applications presents even greater risks and requires a review of security policies.”

In its tests on this new generation of phones, Detica Forensics has discovered that access to the full data set on a phone is often difficult as it requires root access. Prompt updates to the operating systems from suppliers have removed identified vulnerabilities, but this will be an ongoing arms race.

“Enhanced computing functionality is often accompanied by increased threats. That’s simply a fact of life which organisations need to address,” concluded Clark.