06. June 2010 · Comments Off on The End of Malware? Hardly. · Categories: Malware, Security-Compliance

Slate recently published an article entitled, “The End of Malware?” The sub-title is, “How Android, Chrome, and the iPad are shielding us from dastardly programs.” The premise trotted out the usual, Windows is insecure; Android, Chrome, and the iPad are more secure because they deploy sandboxing technology, i.e. restricting an application’s access to operating system resources.

While this may be a good thing, it is hardly the “end of malware.” Not even close.What the author is missing is the intent and motiviation of the bad guys. They go where the money is, i.e. where there is the opportunity to steal cash from people’s bank accounts, steal credit card information, steal intellectual property they can sell. At present, these opportunities are minimal on Android, Chrome, and iPads. Once there is critical mass for profitable hacking, you will definitely see an increase in exploits on these devices.

Now even with limited opportunities for profitable hacking we are starting to hear about vulnerabilities on these devices. Just yesterday I wrote about a Massive iPhone Security Issue where passcode protected content on the iPhone can be accessed by simply attaching the device to a computer running Ubuntu or OSX. Therefore, if you lose your iPhone, your passcode protection is useless.

If you need to hear more, check out the June 3 article in the Wall St. Journal, Dark Side Arises for Phone Apps. Here are some key quotes, first on Google:

In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named “09Droid” and claimed to offer access to accounts at many of the world’s banks. Google said it pulled the apps because they violated its trademark policy.

The apps were more useless than malicious, but could have been updated to capture customers’ banking credentials, said John Hering, chief executive of Lookout, a mobile security provider. “It is becoming easier for the bad guys to use the app stores,” Mr. Hering said.

And on Apple:

Apple vets applications before they appear in its App Store, but risks still exist. In July 2008, Apple pulled a popular game called Aurora Feint from its store after it was discovered to be uploading users’ contact lists to the game maker’s servers. More recently, it yanked hundreds of apps it said violated its policies, some out of security concerns.

In conclusion, while sandboxing is a good idea, there is no silver bullet when it comes to security.