Go mobile, and everything changes. Especially security.

Mobile security is not simply security on a smaller device with a more restricted user interface. What may at first seem like minor differences in computing platforms turn out to matter a lot, and affect which basic paradigms are even meaningful.

For example, the traditional anti-virus paradigm is poorly suited to mobile devices due to the battery power constraints these have. It is based on constant screening of events. This screening gets increasingly expensive (between logarithmically and linearly) with an increasing number of threats. By cost, I mean computational effort — and therefore, use of battery power. That is one thing that makes handsets very different from regular computers. You do not want to drain your battery just an hour away from home? Thought so. So we need an alternative mobile malware defense. And we need it before the onslaught of mobile malware hits us — early 2013 is my estimate of when that will happen.

How about entering passwords on your phone? Not so fun, right? While text in emails and SMSes will autocorrect and autocomplete, you are not so lucky with passwords. Unless you use a password manager, but that has security drawbacks. There are, however, ways in which we can use these nice features and still maintain security. (Read more about my proposal for how to do that.)

The ways in which handsets are different from PCs are not only technical. Mobile devices are used in a different way than traditional computers are. For example, they are “more social” — which does not bode well for security. So the new form factor also affects the threat model.

But not everything about handsets is a potential drawback. Sometimes, the ways in which handsets are different may help us design better security. For example, the rich input that handsets have access to (including accelerometer input and GPS coordinates) can improve authentication decisions. Your phone knows that it is where it normally is at this time of the day, that you just completed normal-length phone calls with a set of people you normally talk to on the phone — and sent an SMS to your mom. Of course it is you. No password needed.
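As an added illustration (not the author's design or any shipped product), here is one way the "of course it is you" reasoning above could be turned into a confidence score built from the very signals the paragraph names: location at this hour, call partners and call lengths, and SMS recipients. The profile, weights and threshold are constructed assumptions; the point to notice is that missing evidence, not only contradicting evidence, keeps the password prompt in place.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    """What the phone has learned about its owner (constructed sample)."""
    usual_place_by_hour: dict   # hour of day -> place the phone is normally in
    known_contacts: set         # people the owner normally calls or texts
    call_seconds: tuple         # (min, max) length of a normal call, in seconds

@dataclass
class Context:
    """Observations gathered since the last unlock (constructed sample)."""
    hour: int
    place: str
    calls: list                 # [(contact, duration_seconds), ...]
    sms_to: list                # [contact, ...]

def context_score(profile: Profile, ctx: Context):
    """Return (confidence in [0, 1], list of reasons credit was withheld)."""
    score, reasons = 0.0, []
    # Being where the phone usually is at this hour is the strongest single signal.
    if profile.usual_place_by_hour.get(ctx.hour) == ctx.place:
        score += 0.4
    else:
        reasons.append(f"unusual place {ctx.place!r} at hour {ctx.hour}")
    # Each normal-length call to a known contact adds a little more confidence;
    # calls to strangers or of odd length earn nothing, whoever placed them.
    lo, hi = profile.call_seconds
    for contact, secs in ctx.calls:
        if contact in profile.known_contacts and lo <= secs <= hi:
            score += 0.15
        else:
            reasons.append(f"call to {contact!r} lasting {secs}s not typical")
    for contact in ctx.sms_to:
        if contact in profile.known_contacts:
            score += 0.1
        else:
            reasons.append(f"SMS to unknown contact {contact!r}")
    return min(score, 1.0), reasons

def needs_password(profile: Profile, ctx: Context, threshold: float = 0.7) -> bool:
    """Skip the password only when context alone reaches the threshold."""
    score, _ = context_score(profile, ctx)
    return score < threshold

# Constructed owner profile: home at night, office by day, three known contacts.
OWNER = Profile(
    usual_place_by_hour={**{h: "home" for h in range(0, 8)},
                         **{h: "office" for h in range(9, 18)},
                         **{h: "home" for h in range(20, 24)}},
    known_contacts={"mom", "alice", "bob"},
    call_seconds=(60, 900),
)
```

A quiet day with no calls or texts scores only the location credit and still prompts for a password, which is the intended behaviour: silence is not proof of identity.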

With different constraints, new solutions are needed. By recognizing that a mobile device is not just a smaller computer, it is possible to design suitable protection techniques.
