The new generation of mobile Web browsers is going to introduce a rash of security challenges for enterprise IT departments. The good news is that many of those challenges are familiar ones from desktop browsers.
A December online survey by F-Secure found that about 30% of U.S. and Canadian mobile phone users access the Internet, broadly similar to other regions. The scary thing is that two-thirds of the North American users (and 83% of all respondents) said they lack any security software on their mobile phone -- and at a time when mobile Internet use is on the rise with the emergence of mobile browsers that can access the same Web sites as their desktop cousins. AT&T, for example, reported a big jump in data usage among iPhone subscribers, who were using the phone's Safari browser.
IT departments, according to experts, need to focus on three areas: assessing the security architecture and features in the mobile browser and the underlying operating system; working with users on smart and safe browsing practices; and creating a solid handheld device management system.
'Browser vulnerabilities are the easiest way to get remote code running on a smartphone,' says Charlie Miller, principal analyst for software security at Independent Security Evaluators (ISE), which has identified a range of mobile security problems. 'That's because browsers are pretty complex compared to most programs on a smartphone. Once exploitation occurs, the remote code can do a variety of things.'
Browsers make requests to Web sites, downloading HTML pages, images, PDF files, music and video, and applications. Depending on how the browser is designed, and on the underlying operating system, these downloads and file executions can create a range of problems -- some accidental, some intentional. The result is that mobile enterprise users could find themselves with an inoperative handset, or with compromised corporate and personal data.
One growing area of concern is Web widgets, bits of downloadable code embedded in a Web page. They're growing in popularity on handsets because they offer fast, focused ways to send or retrieve data, without having to go through multiple steps with a mobile browser. Many of the programs available via online application stores, such as Apple's App Store, are widgets.
'They're great because you can certify the application [with a signed digital certificate], but the widget's data may not be controlled, or even controllable,' says Norman Woodward, senior manager for wireless at Accenture's mobile communications division. 'You can't screen the data before it's downloaded.'
A desktop example of the potential problems is the 2008 'Secret Crush' Facebook widget, which purported to reveal who on Facebook had a secret crush on you but was actually luring you to download an adware program.
Build on a secure mobile OS
For enterprise security, the starting point is the handheld's operating system. The key issue is whether the operating system makes use of a 'sandbox' architecture for the applications it runs, including the browser. In effect, each application gets to 'play' in a separate 'space' defined by memory and permissions in the operating system. Its activity, benign or malicious, can't affect other applications or access other parts of the operating system.
'Most of these operating systems do have a sandbox for their applications,' says Dave Field, device management and security architect with Enterprise Mobile, a Microsoft-backed company that specializes in enterprise Windows Mobile deployments.