“It’s the code, stupid!” At least that’s what application security expert Andy Chou observes about the go-go world of mobile devices. In this interview with Threatpost’s Paul Roberts, recorded at the RSA Security Conference in San Francisco, Chou said that mobile device software vendors face many of the same risks that PC giants like Microsoft did a decade ago. As with the Windows operating system before them, mobile OSs like Android and iOS are only as good as their underlying code. “If you look at the mobile space and the Android kernel, it’s probably true that the security architecture is more intentioned and is likely to be solid,” Chou tells Threatpost. “But mistakes happen in the code, and when they happen you can circumvent a lot of things, potentially.” In other words: security features are great, but if the operating system itself contains a security vulnerability, then those features are worthless.
Interestingly, Chou discounts the “malicious application” scenario as a way of propagating malware. Developers who succeed in pushing their creation onto millions of phones don’t need malware to make money, he said; there are plenty of legal ways to monetize a foothold on mobile devices. Still, the mobile ecosystem, which includes OS vendors, OEMs, third-party development shops and countless open source projects (including Linux), complicates security greatly. Chou notes that shared and reused code is a common source of security vulnerabilities, and most mobile devices are running oodles of it.