Simon Says – Musings of a Technology CTO

For the last couple of weeks I’ve been presenting around the U.S. at events such as Secure360 in St. Paul, and the McAfee Executive Summits in Boston and New York.

One question I was asked at every event, was “What is a mobile device?”

The flippant answer of course which after two weeks of middle seats and hours of flight delays comes easily to my lips, is “A device which moves from place to place” – but is that strictly true any more?

Companies such as McAfee target different feature sets to “mobile” devices and non-mobile ones, our laptop (traditionally considered a non-mobile device) malware solutions are for obvious reasons, very different to our smartphone ones.

There’s a lot more attack surface on a laptop than an iPhone, no one really thought about network intrusion protection for GSM networks etc. But, the problem seems to be that the line between the two is blurring. I’ll give you an example – what about the iconic iPad typically considered a “mobile” device?

• you can’t make a call on it (unless you have skype),
• you can’t roam around the world and stay connected (unless you have the 3G version)
• it does not have a keyboard (unless you have a bluetooth keyboard case)
• you can install your own thick apps on it, and you can create presentations and documents on it

As you can see – the iPad has many of the attributes of a laptop it seems when you dig deeper, and also many of its smaller brethren, the iPhone.

What about the ChromeBook, which Google sought fit to send me a free one of recently?

• it has a screen, mouse and keyboard like a normal laptop, but I can’t install any “real” apps on it
• it has no local storage (that users can access yet), needs permanent connectivity to the cloud
• it has an OS which can only be patched by the manufacturer

All in all, aside from its size, it’s more like a smartphone than an iPad, yet physically it IS a laptop.

What about an Android device?

• the OS is on everything from tiny phones to iPad/notebook equivalents
• it’s a full OS which can be changed by the user if they root it
• thick apps are numerous as are settings
• It may have a keyboard, a touch screen, or maybe neither?

An Android device is usually connected, and powerful – is it a mobile? How divorced is it say from a Ubuntu slate PC? So the lines are blurred – the way these devices are used, the expectations of the users themselves, and the range of threats attacking them is so diverse that it can be very confusing indeed to work out what the “strategy” is in any particular case.

The way I’ve been framing it to my teams is regarding to the “malleability of the OS” – for example on a traditional Windows / OSX / Linux laptop, the OS is very changeable by the user – you can go in, delete things, adjust things, basically mess the thing up to the point it does not work any more – with this malleability comes additional threat surfaces – malware can exploit any number of things to gain access to your system.

Taking a ChromeBook or iPad though, the OS is completely hidden from the user – there’s nowhere near the attack surface that OSX, Windows or Linux (or their associated apps) exposes, and thus the threats come from a different direction – browser exploits, plug-ins, phishing , and the occasional bad app distributed by the various stores.

The user (and malware) has a much lower ability to interact badly with the device OS, BUT the device is mostly unprotected if it happens, and the manufacturer may be the only one who can patch it if needed.

What happens if your company has an APT attack on your smartphones? How long do you think it would take you to notice, and how long for the device vendor to release a patch that perhaps only you need?

To me, framing the question in terms of malleability is a really effective way of segmenting out our understanding and vision for the plethora of devices that need protection – “mobile computing” platforms are split between the malleable and non-malleable OSs, so perhaps that’s where we should be focusing our attention rather than this confusing “mobile or not” categorization, when everything is pretty much mobile after all.

Of course I am concerned that malleability is such a sucky word, does anyone have a better suggestion?