I'd like to focus on one area of particular concern in my answer; Rory Alsop's answer covers the "big picture" of mobile security.
What I'd like to discuss is the topic of rooting. There are several things that are troubling about rooting from a security point of view:
When one voluntarily roots one's own device, they are effectively exploiting a security vulnerability in the firmware in order to obtain elevated rights and then use those elevated rights to gain access to capabilities they would not normally have. The user having more power over their device is not necessarily a bad thing; in the right hands, this can allow users to get more value out of their device, and even install custom firmware which may even be more secure than the default firmware.
Unfortunately, in almost all cases when users root their mobile devices, the vulnerability which was exploited to perform the rooting is not patched/fixed/prevented, at least not until the user takes an Over-the-Air Update (OTA) from the vendor. This means that any other software which makes its way onto the mobile will have the same ability to "root" (and effectively compromise the phone in a very fundamental way) as the willing user. This should make users very uncomfortable, but in many cases people are totally unaware of this possibility. Hence, user education about rooting is a huge problem.
When a root vulnerability is used to allow end-users to gain control over their devices, this has the unfortunate side effect of making the vulnerability itself much more visible to bad actors, whether or not the root exploit author is a bad actor. This means that, once someone publishes a root exploit for your device, even if you choose not to root, your device is essentially in danger of being compromised until that vulnerability is patched. It's worse if the vulnerability can be done remotely, but with "app stores" letting people install apps with minimal or no malware-checking, it's pretty easy for a naive user to install an app that simply exploits a vulnerability that is known to the public, thanks to the root exploit author. The malware might even use the exact same software code that the root author published!
Even once the vendor patches the vulnerability in an OTA, users will often find yet another root exploit so that they can "keep root" after installing the update. Users want the update for the new features and bug fixes, but they don't want to lose root privileges, so the community finds a new root exploit, which puts users back in the same position of being at risk.
Since on many mobile platforms (e.g. Android) it is possible to run arbitrary native code from an application downloaded onto the device, a malicious "app" could break out of its sandbox by trying numerous root exploits that are publicly known, and obtain root access and compromise a great many popular devices on the market. They can use this root privilege to install spyware, perform identity theft, or use the phone as part of a botnet (since it is likely to always be connected to the internet via its mobile baseband).
The community of users demanding root, coupled with "root bounties" offering monetary rewards to those who develop root exploits, provides significant incentive for people to not only find root exploits, but also to publish software that is easy to install and use and which exploits vulnerabilities to provide root to the user.
Even if users do not download malicious "apps", the root vulnerability author is in a unique position of having the user place a great amount of trust in them. Most root exploit software is not open source, and comes in the form of an opaque .exe, which is often encouraged to be run with administrative privilege. This is a disaster waiting to happen: not only can the user's desktop or laptop be compromised by the .exe, but it can also compromise the user's phone in a similar way. Users do not typically suspect a root vulnerability author of being malicious, and in many cases they are well-meaning people who do vulnerability research as part of their professional work, but nothing is preventing a bad actor from basically getting a "2-for-1" -- compromising both a Windows desktop and a mobile phone in one fell swoop.
However, not all aspects of rooting are bad. One possible benefit is that, as vulnerabilities are found and exposed to the public, the total number of vulnerabilities, both in the Linux kernel overall and in the wider Android ecosystem, will decrease. Carriers and manufacturers are very motivated to get rid of root exploit vulnerabilities because, primarily, they allow users to do things that go against their terms of service (for instance, free WiFi tethering on a carrier that would normally charge for this service).
Over time, the difficulty of root exploits will increase as the "low-hanging fruit" is patched, which means that it will take longer for root exploits to be found, and they will only be found by the most advanced security researchers around. The most advanced researchers tend to have a moral conscience which goes along with their incredible intelligence, so at least, they are likely to silently report the vulnerability to the manufacturer and not disclose it to the public; or if they do, they won't include malware in the exploit software.
This also helps to raise awareness about application security among app developers. For instance, some root exploits in the past have come out of bundled "bloatware" that carriers include baked into the firmware of locked down devices. When the manufacturers and carriers find out that their third-party software partners are releasing software full of holes, they are apt to demand that the third party become more security conscious in their development practices, to prevent this happening again.
What should happen, in an ideal world, is that the user should simply be given ultimate access over the system, in a controlled, legitimate way, similar to how it is given out on a Windows or GNU/Linux system for which one is the administrator. A device on which the user has full control is not necessarily insecure, unless that full control was obtained by exploiting a security vulnerability, or if the access control mechanisms that dole out root privileges are flawed.
If users were given root access "out of the box", there would be no need for vulnerabilities to be exploited for this purpose. Security research would very likely continue apace, both by black hats and white hats, to attempt to find vulnerabilities and either exploit or close them, but regular users would not be voluntarily putting themselves at risk to obtain extra features or permissions. The onus is really on carriers to open up to users and thereby reduce users' risk, as well as the risk to the carrier network, by eliminating this huge potential for exploitation with users downloading root exploits that they have no reason to trust.