By Erik Sherman
Google’s Android mobile operating system is more than hot. Last quarter, handsets running the OS surpassed in unit sales the smartphones from Nokia, the largest handset vendor, which previously had the highest sales. Combine smartphones and tablets, and Android will easily blow past 150 million units this year.
Given SMB interest in smartphones and tablets, mobile is an important growth area for channel players. Unfortunately, newly found Android security holes constantly appear. The same is true for iPhones. There is a silver lining, however: VARs can increase their consulting and build new relationships as mobile security experts.
So what’s up with Android? Researchers showed that modified Android phones could infect Macs or PCs through USB cable connections. Another researcher showed an SMS-based botnet running on Android. And U.K.-based security software vendor Sophos also found Facebook a growing medium for smartphone attacks, with Android one of the easiest targets. In January and February 2011, new malware targeting the Android OS appeared in China.
Because Google doesn’t exercise the same control over its Android marketplace as Apple does with iTunes, it is easier for malware to pop up on the former. “Anything that’s shown up for bad applications, they seem to mostly show up on the Android platform,” says Chris Wysopal, CTO of Burlington, Mass.-based application security vendor Veracode Inc.
But Android is far from alone. Although Nokia smartphones running Symbian are not as popular in the United States, they had long been market leaders in Europe and still lead in mobile malware, according to Axelle Apvrille, senior mobile malware analyst and researcher with security vendor Fortinet Inc., based in Sunnyvale, Calif. Unfortunately, malware will only increase on all platforms as smartphones become more pervasive.
Paul Kocher, president and chief scientist of semiconductor security firm Cryptography Research Inc. in San Francisco, notes, “With both Android and the iPhone, it’s just a matter of time until you find a bug that lets you take over the operating system and get root or super-user privileges and do what you want.”
On the plus side, Java, used in Android, is what is known as type safe: it enforces data types and prevents certain errors that open vulnerabilities. Apple, on the other hand, demands that apps employ Objective-C code, which doesn’t have that protection. Last year, a PDF memory corruption exploit provided an opening for jailbreaking iPhones, which unlocks features of the OS to remove limitations imposed by Apple.
Mistakes don’t stop with typing, however. Last year, Citigroup had to upgrade an iPhone mobile banking app that stored sensitive account data on the device. In February 2011, Chicago-based forensics and security consultancy viaForensics found that a number of popular email apps stored emails or even passwords unencrypted on iOS and Android.
Channel pros can fight back, starting with explaining to clients that patch cycles are much longer on mobile devices than on desktops and laptops, so vulnerabilities can remain for months. Yet antivirus is not enough, says Nick Arvanitis, principal security consultant at Dimension Data, a division of NTT in Tokyo.
“One of the big [needs] is … a firm policy on what devices you’ll allow to connect to the network,” Arvanitis says. There should also be minimum standards, like pass codes to use a handset. And operating systems should support encryption, which Android finally does in version 3. But even then, verify.
Offer mobile device management (MDM), making smartphones and tablets a true part of a company’s infrastructure. “Most MDM solutions have a lot of capabilities around security management,” says Shun Chen, director of product management at MDM vendor MobileIron, in Mountain View, Calif. That can even include an enterprise data boundary, so the company can wipe its own information from the device without affecting the employee’s personal data.
When a company is done with a device, the VAR can also lend a hand. “We provide recycle services where we make sure the data is wiped. [Then] we resell the old devices and give the money back to our customers,” says Marco Nielsen, vice president of services at Enterprise Mobile Inc., a mobility services outsourcer in Watertown, Mass.
For all the security issues in mobile devices, companies will use them anyway. So go ahead and turn the products’ weaknesses into a competitive business strength.