The Electronic Frontier Foundation (EFF) notes in their report "mobile phones were not designed for privacy and security". While the report is mostly focused on the wide varieties of mobile phone tracking (from GPS to wireless access), it illuminates perhaps the root of the issue noted in many mobile security articles: Mobile phones now mimic personal computers, and it begs the question: Why?
For such a ubiquitous device that holds so much personal data and is portable in ways laptops will never be, one wonders why we are designing mobiles to be just like tiny laptops with all the same protocols, applications and OS APIs. First, sure, it's easy, but who ever heard of an old-school phone dying from a DDoS attack (which now is the current major mobile threat)? Or, being taken over by malware and every contact, password and account login sent to the Maldives for quick smash-and-grab sessions against bank accounts and so forth?
Maybe the intrinsic issue is really that we are still doing the "make it smaller" thing with tech and calling that innovation instead of "make it different" which out of the box often comes with intrinsic security of its own for actually being different.
Maybe Android is kind of like small laptop. But Windows phones and iPhones definitely aren't.
I can use my laptop without having any cloud identity tied to it - I don't need to give anyone my email address or card number just to log in. I don't have to upload my contact list or communication history to the cloud. I can install software on it that Microsoft or Apple haven't approved, and if I pay for software Microsoft or Apple don't take a cut. I can install different operating system, if I want. I can develop software on my laptop without special license and without paying Apple or Microsoft. When I develop software, I can share it with other people with laptops and they can run it. I can access filesystem in any way I want and directly modify, share or create files without them being transferred to the cloud.
Modern smartphones are very not like laptops.
Android is perhaps more like actual computer, but I'd guess that's mostly legacy - if Google made Android now, I'm sure they would make it more closed, and they are making it more closed with every release.
Ah, but I'm referring to stacks and protocols. From the perspective of having an OS, TCP/IP stack, wireless connectivity and access to the Internet via a web browser, you'd be hard-pressed to identify the PC from the phone in a functional diagram from which the label for the device was removed. Here is where the "mimic" of PC architecture comes in, not so much in how easy it is to access the file system, so forth. Sure, I realize even if there is an argument here, it's loose at first. I do believe there needs to be more separation, however, between how "we do" PC and how we do phone.
First, citation needed on DDoS being a major mobile threat to actual phones. If you mean the iOS wifi bug, that's not major or a DDoS.
Second, OK, we ditch IP and flip to OSI protocols. Now apart from decreased security due to all this new software that'd have to be made, how would that make things more secure, at all? Everyone will still want to use the Internet, so it's not airgapping.
1) Haha, well the "current major mobile threat" jab was more tongue in cheek, and you're right - it's the "No iOS Zone" vulnerability. The citation is the following: RSA conference presenter SkyCure discussed the possible vulnerability [0] in iOS 8 that _could_ allow iPhone users with iOS 8 to be victimized by the equivalent of a DoS attack. And, the org has worked with Apple and iOS 8.3 likely fixes the issue.
2) However, while I wasn't making an argument per se, more just thinking out loud about architecture choices, especially when they "mimic" systems that are not for the same purpose, I do believe that is a small part of the problem when it comes to mobile security as pertains to phones. And, maybe I'm also thinking that with that in mind, there might be room for a whole separate set of protocols and methods for interacting with the Internet (or a reasonable facsimile of it) from your phone, which is not a PC :-)
I understand your motives, but the problem with your argument is that youre telling us what a mobile phine shouldn't be (no internet, no TCPIP even, and reading a bit between the lines perhaps no GPS or Wifi even). But to usefully describe a thing you need to say what it is and what it does, not what it doesn't do.
Yes, I suppose I left out the important part where I should turn around and state what I think the actual alternatives are, and if they don't exist, propose them :-)
I'm still getting my feet wet with this critical thinking exercise, especially where an exchange of ideas is required to hone my own! I'll have to come back to this one...
I've made my peace, somewhat, with my phone activity being tracked and everything. But this point about smartphones trying to mimic PCs is where I draw the line. I don't like the push for everything mobile to replace everything desktop/PC because I frankly don't trust smartphones to be powerful enough and secure enough to handle much more than to-do lists, social media or the occasional bank transfer (never done on a public wi-fi network of course). Of course I'm stubborn in preferring a full-sized keyboard, mouse and I dunno...computer for tasks like programming, photo editing (no, putting filters on photos is not what I consider photo editing) and gaming but that's how I think smartphones should be used vs. full-fledged computers.
For such a ubiquitous device that holds so much personal data and is portable in ways laptops will never be, one wonders why we are designing mobiles to be just like tiny laptops with all the same protocols, applications and OS APIs. First, sure, it's easy, but who ever heard of an old-school phone dying from a DDoS attack (which now is the current major mobile threat)? Or, being taken over by malware and every contact, password and account login sent to the Maldives for quick smash-and-grab sessions against bank accounts and so forth?
Maybe the intrinsic issue is really that we are still doing the "make it smaller" thing with tech and calling that innovation instead of "make it different" which out of the box often comes with intrinsic security of its own for actually being different.