
05-02-2008, 11:29 AM
Administrator
Join Date: Nov 2002
Posts: 6,061
The Virus Story: a reader writes...
So AAS forum member 'kflyer' emailed me a few days ago, "wondering whether viruses can really affect a current smartphone. I've read your view on this question, but AAS itself has adverts for AntiVirus clients!" As it's a long, long time since my last rail against the fraudulent anti-virus industry, I thought it high time for an update. Read on.
Read on in the full article.

05-02-2008, 12:46 PM
Registered User
Join Date: Oct 2006
Posts: 9
Perhaps a small justification...
In my view there is one area that could give some legitimacy to the existence of anti-virus products even for platforms where there are no credible viruses yet - Corporate IT policies.
It seems quite likely to me that many large organizations simply have a blanket policy of not allowing any device to access their corporate network/e-mail/whatever if it doesn't have state-of-the-art virus protection installed - this becomes even worse when those policies become part of an ISO/SOX/whatever audit.
In this situation it may be much easier for IT managers to simply deploy a solution from a renowned vendor, even though it only scans for hypothetical threats, rather than writing an elaborate essay for their boss and the auditors on why this particular class of devices may right now just as well work without one (and bet their job on the fact that it is and remains true).
And, of course, AV vendors are only too happy to comply. ;-)

05-02-2008, 01:25 PM
Registered User
Join Date: Apr 2006
Location: The Netherlands
Posts: 156
Express signing can make malware more likely
I'm not so sure that 9.1 will make malware impossible. It is a matter of cost and benefit.
With Express signing, one pays USD 200,-- per year, and USD 20,-- per signing. Most apps are not checked by a testing house, and the check is less extensive than it used to be.
Express signing gives you access to the *interesting* data on a smartphone, which isn't some set of DRM-protected mp3 files, but a user's agenda, contact list and geographical position. If malware authors are willing to invest some extra money for the signing, and can think of a useful app too, they can rather easily create a piece of malware that installs normally and is thought to be safe, because it is signed. Most people won't know the difference between installing a theme and an app, anyway.
Sander van der Wal
www.mBrainSoftware.com

05-02-2008, 01:42 PM
Biggest threat is from hampster dance
Platsec only does so much for you. It doesn't help when there is a programming error in an API.
Ironically, I've discovered several APIs which can crash the phone when you *don't* have the correct capabilities.
Basically, most of the testing is done with applications which have all the correct capabilities, and so when you prod a server without the capabilities it expects, you are a lot more likely to find a code path which has not been thoroughly tested (especially in a new server written by a handset manufacturer in the rush to release a device).
Smartphones, due to their ubiquity and connectedness, have the potential to provide the most effective vector for infectious software.
If there is a vulnerability in the web browser/ajax engine, widget thing, then all you need is a capsid to transport the exploit - let's say a hampster dance widget which can be spread by the kind of people who use Facebook.
- People in general write bad code and always will. Mobile engineers are getting worse, not better.
- Security dialogs are pointless....just get rid of them.
- People are irrational - if they have decided to install something they will, flashing red box or not.
- Virus companies generate their Straussian climate of fear and overblow their own effectiveness and always will, that's what they do.
- Symbian Signed, SIS files and on-target debugging are so rubbish that most hackers just can't be arsed.
But luckily most people up till now don't install apps on their phones. By positioning the mobile as a flexible PC in your pocket, the masses will gradually become awoken to the potential to extend their phones with low signal to noise crap that they do on Facebook and then we can revisit this topic.

05-02-2008, 02:55 PM
Registered User
Join Date: Feb 2008
Posts: 23
Reply to the Virus Story
Totally agree with you Steve. Respect 10x! Kflyer.

05-02-2008, 03:39 PM
Founder / Chief
Join Date: Jul 2001
Location: Sussex
Posts: 5,811
I don't feel so strongly about this as Steve does (and as mgrober notes there is a rationale for corporate / enterprise usage).
The overblown hype from AV companies does get to me, especially when it's targeted at consumers.
__________________
Remember: The search command is your friend.
Feedback wanted: PM, email or post with your suggestions, complaints, feedback.

05-02-2008, 03:59 PM
Link between Nokia and F-Secure
Connection between Nokia and F-Secure is even deeper than that. Risto Siilasmaa, Chairman of the board for F-Secure, is proposed to join Nokia's Board at next AGM.

05-02-2008, 07:05 PM
Point of having an AV software on your PC is to have prompt updates database when a new vulnerability is found in your OS or some point application. The OS and software vendors will not do quick updates. AV vendor makes a (sort of) temporary fix between released exploit and the actual fix and the deployment of it.
The fact that there are no 3rd edition viruses shouldn't be the issue here, the discussion here should be about how likely we'll see a serious outbreak. The whole value of having AV software is dependent on this assumption. I think S60 has holes like in Swiss cheese (I am a Symbian programmer), but the platform hasn't been an interesting enough target for the 'real' hackers yet.
I've received Commwarrior 4 times and Cabir once when traveling. One in Finland, one in Spain and the rest in South Asia. To no effect of course since I would not install these. But I do like to receive them just to see what is circulating around. So I think the problem is real, or at least was since it's probably fading as people upgrade to 3rd phones.
I do agree it's sort of hot air selling this solution for consumers. But calling it fraudulent is maybe too much. And for enterprise users I would even recommend such a solution to some extent. If I recall correctly F-Secure released their Series 60 solution long before there were any viruses for it. So one might look at these things in retrospect, was it fraudulent to have such a solution beforehand? Is it now?

05-02-2008, 07:24 PM
Administrator
Join Date: Nov 2002
Posts: 6,061
I guess 'fraudulent' is a somewhat incendiary term to have used, but, as you can tell, I was on something of a roll with that piece and getting quite worked up!
I hate seeing users misled on ANY topic, and this is a prime candidate to confuse and mislead an awful lot of new users. If S60 phones had unlimited processing power and RAM (yeah right) then maybe a precautionary a-v tool might make sense, as a temporary guard against any trojans in the wild. But the current tools do have real world resource impact AND they're not free. As and when Nokia at least buy out F-Secure and make it a freebie for anyone that's desperately worried, then I'll cut the topic a bit more slack.
__________________
Steve Litchfield, Admin, AAS

05-02-2008, 09:23 PM
Registered User
Join Date: Jun 2005
Location: UK
Posts: 68
>APIs which can crash
Quote:
Originally Posted by Serious 60
Platsec only does so much for you. It doesn't help when there is a programming error in an API.
Ironically, I've discovered several APIs which can crash the phone when you *don't* have the correct capabilities.
|
Private Message me with details and I will ensure they are followed up. Selecting fixes for a firmware update is beyond my control, but making fixes available for later devices is much easier.
__________________
All views posted here are my own, and not those of my future, present or past employers.

05-02-2008, 09:57 PM
-

05-02-2008, 10:11 PM
Registered User
Join Date: Jun 2005
Location: UK
Posts: 68
>I wish Symbian would speak up more on this.
Quote:
Originally Posted by slitchfield
I wish Symbian would speak up more on this.
|
Any official statement along those lines would be tempting fate.
Platform Security makes it harder for viruses and worms to run on the platform, because it puts barriers in the way of propagation, but it does not make Symbian OS or the platforms built upon it "impregnable". If you want an OS that is sold heavily on its intrinsic security try OpenBSD: http://www.openbsd.org/
Quote:
|
They go to extreme lengths to break application compatibility in the cause of a new OS that's impregnable and then sit back and watch licensees actively promote unnecessary utility software that claims to defend against a threat that doesn't exist and merely damages performance..
|
Really two big changes coincided; Platform Security introduced Capabilities, Data Caging, etc... and the tools for ARM/Thumb target builds moved to using techniques devised and published by ARM for C++ code on ARM CPUs. Other changes rode on the back of these, including cleaning up some APIs, SIS file format, etc...
I have several Symbian devices from different licensees, none of them have anti-virus products installed.
Other people sleep easier at night with an anti-virus product installed, possibly many of these are managers in corporate IT departments. Though having recently cleaned up a friend's PC that was infested with viruses & spyware I can understand how these people may fear that viruses could at some point attack their high powered phones.
ttfn,
Tony
__________________
All views posted here are my own, and not those of my future, present or past employers.
Last edited by tonyn; 05-02-2008 at 10:13 PM.

06-02-2008, 05:25 AM
If I were a virus writer
I wouldn't go writing a self-replicating app. I'd look for security exploits, e.g. buffer overflows in image processing, so opening an MMS from someone might run the code using the image viewer process or whatnot. The 'install' type virus isn't really going to work on Symbian, but to suggest it is somehow immune is a bit of a stretch. Agreed, much lower risk. But there are some smart smart cookies out there, and the smartphone explosion is making it a bigger target. Having said that, any hacker who was using an unknown exploit would probably already have a way around the poor existing virus scanners, so while I think it's entirely possible that smartphones can catch a cold, even inevitable, I also think virus products for Symbian are just a waste of CPU cycles.

06-02-2008, 07:37 AM
Registered User
Join Date: Apr 2006
Location: Switzerland
Posts: 104
Incentives
For me, the story has two sides with about equal importance: On the one side, the considerable robustness and in-built security mechanisms of Symbian that make virus outbreaks unlikely. (I am a Symbian programmer myself, even a Swiss one, but I see many more holes in my cheese than in Symbian, thank you very much. Bugs, yes, holes, no.)
On the other side I think about incentives and motives. Compare the Symbian situation with the iPhone: Whole hordes of very skilled hackers descended on that device and cracked it, and cracked it again after each firmware update, at least until now. Why? Because of very strong incentives. If you crack the barriers of the iPhone and let people use the phone on other networks and let people install their own software, you are an instant hacker hero.
Compare this with Symbian: Why on earth should a hacker waste his or her time with a Symbian device? What's in it for the hacker? If I were a hacker, I could hardly be bothered.
I am quite sure that if the same hordes of iPhone hackers would descend on Symbian, with the same elan and endurance, it would take a little longer than with the iPhone, but finally Symbian would crack. But this won't happen.
There are other factors at play. If you as a hacker can plant a trojan at a PC, it is very easy and not dangerous for you at all to start making money from that PC, by renting it out as part of a botnet to spammers.
If you can take over a phone, of course you can also start to make money, but that will hardly be possible in an anonymous way and thus much more dangerous for you.
Again, why should I as a hacker target those well-protected and dangerous Symbian phones when PCs without patches are waiting for me literally in the millions?

06-02-2008, 08:38 AM
Symbian is at least as safe as any other OS which claims to be safe.