Ensuring Security in the Mobile Revolution
We’re in the midst of the mobile revolution. Many of us use mobile devices for much of what we do. In fact, it’s highly likely that you’re reading this article on a smartphone or tablet right now. Moreover, what we now call “phones” are really powerful computers that are always on the network.
The security of our mobile devices is both important and hard to understand. We’re bombarded by messages about how bad mobile security is, when in fact the opposite is true: mobile devices are at least as secure as our desktop devices.
The most widely used mobile operating systems (Android, iOS and Windows Phone) are descended from their desktop and server parents: Linux, Mac OS X and Windows. They strengthen the barriers between apps. They use digital signatures to prevent modified apps from running, making it much harder to write malware. A recent Android exploit required 12 chained bugs to work, which is a huge improvement over the way things used to be.
What we called “viruses” on desktop systems essentially don’t exist on mobile. Malware on mobile devices almost always comes in the form of an app you shouldn’t have installed. This changes the nature of malware dramatically.
The companies running the app stores are responding to this through better management. Apple started this trend, requiring all apps to go through a review process. Microsoft followed that lead, and Google is adding this to their store as well. Of course, this isn’t perfect. There have been high-profile failures of these review systems, but they are a valuable way to screen out problems and make malware harder to build and distribute.
Most importantly, mobile operating systems are built to be updated on the fly. By default, apps update in the background. This means that when a bug is fixed, the vast majority of people get the update within a few days. App developers can also expect that people are using recent versions of their apps in days or weeks. Today, legacy code is less than a year old. Contrast this with the continuing state of desktop security, where 10-year-old operating systems aren’t being replaced.
While the mobile security situation is still not ideal, there has been real progress. New versions of mobile operating systems arrive every year, with each version being an improvement over the last. The situation with Apple’s iOS is best, as the uptake of new versions is swift and strong.
In the Android world, there are difficulties to overcome. The traditional problem is fragmentation — many versions of the OS — as well as a lack of commitment from carriers and manufacturers to update the OS in a timely manner. At Silent Circle, solving this is one of the primary benefits of our Blackphone.
Blackphone is unlocked, and we update the operating system quickly. Our goal is to have serious bugs fixed and delivered within 72 hours of release. In a number of cases, our relationship with security researchers, through outreach and our bug bounty program, has let us release updated versions of Silent OS, our Android-based OS, before the announcement of the problem.
A hardened OS and fast updates ensure that mobile devices are secure. In the future, where Internet of Things devices will be everywhere, fast response from the manufacturer is not just important; it’s essential.
– Jon Callas, Chief Technical Officer
See more of our ongoing discussion about the value of privacy on The Guardian.