A parade of security researchers spent the better part of Wednesday at the CanSecWest conference putting the lie to the notion that iPhones, Windows Mobile devices and other smartphones are not really targets for attackers.
“Smartphones are a very nice thing to go after from an attacker’s point of view,” said Sergio Alvarez, a researcher who showed several methods for using application-level attacks to compromise the Apple iPhone and other devices. “With the iPhone, if you own the device, you can modify anything you want. Everything runs under one user. Any application can be used as an entry point to the phone.”
As Paul Roberts wrote today, smartphones have become nearly ubiquitous, especially in the enterprise, yet little attention has been paid to their security, even though they carry large amounts of corporate data and run a wide variety of third-party applications. The researchers who spoke on Wednesday gave Apple and Google credit for doing some things correctly, notably Apple's decision to make the iPhone's stack non-executable (NX) and Google's use of sandboxing in the Android operating system.
But there are plenty of things the companies could do better, the researchers said. Jon Oberheide, a PhD candidate at the University of Michigan who is working with Google on the Android security model, said the company would do well to make Android's permissions more granular and should follow Apple's lead in adding NX support.
“They did a lot of things well, but there’s a lot of room for improvement,” he said.
Later in the day, Alfredo Ortega and Nico Economou, two researchers from Core Security Technologies, showed off a variety of attack methods, including shellcode, for both the iPhone and Android.
While there is no shortage of clever technical attacks, both Alvarez and Oberheide said that smartphone users are also at risk from less sophisticated ones, including malicious applications that look legitimate. In other words, the mobile world is starting to look a lot like the desktop and the Web.