The first true competitor to the iPhone is being released.  Here are the faqs and information released from the press conference:


Price: $179
Release Date:  October 22
Mail: Push and Pull.  No exchange at this time.
Keyboard: Physical Slide Out (versus virtual keyboard on iPhone)
Locked:  Sim-locked to T-Mobile.
Wifi: Present
Browser: Webkit (same base as Chrome)
Data Plans: $25 with unlimited Web and limited messaging.  $35 total unlimited.
Sync: To Google, Yahoo, and other online services
Network Speed: 3G network rolling out nationwide (especially in metro areas)
Desktop application: None
Microsoft Documents: Supports Word and Excel documents
iTunes and Skype: Does not support Apple DRM. No skype support yet.
Applications: Easy to develop.  Will have an application store.

, , ,

Today, Apple released its first public update to the iPhone OS. Although other small issues are fixed, this is primary a security patch to lock down multiple holes discovered in Safari.

By releasing its patch prior to a public exploit, Apple keeps its device as one of the theoretically most secure smartphones. Will Apple use this to position itself as a player in the smartphone enterprise market? Is security vital in the smartphone market? Will the first smartphone exploit come through the browser?

I am not suggesting that Apple is security perfect. In fact, there is an active OS X Samba exploit now. Generally, Apple has done a much better job in security that Microsoft. In fact, insecure Microsoft has been in the enterprise smartphone market for quite a while now. If there were going to be large security issues, would we not see them by now?

The Unimportance —

Like OS X, smartphones in general are receiving some security shielding from the fact that windows boxes are a huge, target-rich environment. Spyware makers and password stealers target the biggest and easiest cash crop available. Black markets exists for the following current targets:

  • credit card numbers
  • usernames/passwords
  • spyware installations
  • botnet systems
  • harvest of private information for identity theft

Most of the windows systems are exploited through the browser, downloaded software, or email. With this wealth of black-hat money to be made in razing windows boxes, it is not surprising that most computer criminals are avoiding other platforms including smartphones.

Why might smartphones be a target?

If one looks over the current markets for computer criminals, many of them are not viable on smartphones. Botnets, spyware installation, credit card numbers, and username/password harvesting — all are much less likely on smartphones. Installations of malware are likely to be noticed quickly and login/payment options are rarely stored and used from a smartphone.

Smartphones typically do contain a lot of personal information about a lot of people. If obtained in huge numbers, this information would be very valuable information for spammers and other forms of ethics-poor marketing. As a whole, however, a routine computer criminal is going to be much happier gaining control of an XP box than a smartphone.

Corporate espionage with spying and stealing of top secret company information is a very sexy idea. Realistically, this type of targeted attack is best reserved for mail servers or network penetration. Invading a random smartphone or two is unlikely to provide much juice. Plus, holding a large server hostage or blackmailing a company with a large security breech is going to yield much fatter dollars.

How will smartphones be exploited?

The first widespread successful attack on smartphones will likely be through an email and browser combination. Here is how I believe it will occur. You receive an email from a colleague that says “Look at this link.” The link opens the browser to a site that exploits a security hole in the browser itself. Your system then mails out the “Look at this link” email to everybody in your contact book. The malware sends whatever it harvests back to a server through the web or email.

The browser will always be an attackable point in any operating system. Computer users just expect IE and firefox to release security patches on a regular basis now. Apple releasing Safari patches for the iPhone reinforces this fact.

Is Smartphone Security Important?

Security is always important. Right now, however, the yields from attacking smartphones are just much lower than easier targets.

More importantly will be each smartphone’s security reputation. Who will be the first company to have their network clogged with exploited systems sending emails and data to god knows where? As competitive the smartphone market is, the first smartphone to have a major security breech maybe the first smartphone company to die. Businesses have tolerated large-scale Microsoft problems because of their market dominance. Smartphone businesses will not have that protection.