Comments on: Botnets on cell phones in 2009?

A new report on emerging threats cites a unique opportunity to design mobile device security properly.

[Vegaman_Dan]

Totally believable and very likely to happen. None of the smartphones on the market have any sort of security on them. The iPhone even runs all applications as root with zero protection. Windows Mobile, Palm, even the G1 are going to have the same issues.

[n3td3v]

i'll believe it when i see it.

[Cube Over]

Mostly a threat to Windows-powered devices.
iPhone just has more control over what you install, via AppStore.
Symbian has the certification security.
Android and the rest of them are just not enough of a target...

[Vegaman_Dan]

Cube Over wrote:

"iPhone just has more control over what you install, via AppStore."

I'd like to believe that, but as Apple has already demonstrated they do not test/verify/vet the applications that are submitted for actual content / usability, then I don't really have much hope that they would spot a trojan application in a game. They mostly check only to see if the application might compete with their own current or future products.

[Stefaninafla]

Hmm, yet another reason to only use a cell phone as a phone.

[ferretboy88]

I give up with phones.

[wawadave]

Since cell phones do use an o/s it is possible to do this.

[chash360]

Missed the security opportunity with the PC?, no they simply ignored it! When I started on the internet (before HTML or WWW) There was one solid rule of security, you NEVER EVER execute arbitrary code from a remote source. To do so is just asking for trouble. Now they have made such things standard. ActiveX, Java, etc. this is code, being streamed to the client for immediate execution. Media players, that follow embedded weblinks, etc. in media being streamed to them remotely is the same thing. If it can touch your file system, or operate in your memory/process space, without the end user's intervention, it is a security hole! The only code that should be executed on any computer, anywhere, is code intentionally installed, configured and executed by the user. No software should ever recieve remote 'data', interpret it as actual executable code and operate upon it, plain and simple. Markup languages like staright HTML were secure from this originally. The code that executed was your browser, it inteprets the remote data, to display things on your screen in a somewhat predictable way. It allowed for atomic benign data to be sent in independant isolated transactions to go back and forth between client and server, and thats it! If it did not understand the data sent to it, sent in the wrong format etc, it was discarded! If it needed to retain data from page to page you had to carry it over from transaction to transaction. No storage in objects created at runtime, no possibility for buffer over/underruns, in fact no objects created by anything from the remote site. Your browser should be able to create everything it needs before even touching the network. Few exceptions exist, like saving or sending a file to/from a remote source, required user response to give it a path.

Please, none of you 'professionals' seem to know a damn thing about computer security, I doubt cell phone security will be any different. You seem to like the flaws and holes, so you can sell more junk!