It's clear that if any mobile OS is likely to be the easy target for hackers, it's Android, whose architecture is most like that of the desktop PC due to its openness, says Schouwenberg. "Android is forcing other OSes to be more open, which increases risk," adds Symantec's Nguyen.
It's also harder to protect Android devices than other devices, notes Julian. The reason: There are so many Android variants in use -- four versions of the OS itself, just as many UI overlays from device makers, and a variety of other customizations from both carriers and device makers -- that Google or the carriers couldn't quickly patch all the devices as, say, Apple can with its iOS devices.
The false security of app stores
Apple pioneered the concept of a vetted app store, and every other mobile platform maker has followed suit. It's well known that Apple reviews apps to ensure they conform to Apple's programming and even "decency" standards, and such review gives users the sense that Apple has filtered out malicious apps, says Julian.
That's a risky assumption for any app store, not just Apple's, Julian says. Reviewing all the apps line by line by security experts simply isn't possible given the thousands of apps that are submitted each month, and automated code analysis tools aren't yet up to snuff, he notes. Julian says that Apple, Google, Microsoft, RIM, and the rest will eventually be able to find the "obvious stuff," reducing the risk to everyone's benefit. But some malware will still get through.
Android users can make any vetting meaningless by disabling the OS's block on unsigned apps, a setting easily changed in the OS's Settings app. Some users disable the block so that they can install apps not available in the Android Market, such as apps not authorized for their specific device/carrier combination. Likewise, iOS devices jailbroken to allow unapproved apps undercut any security vetting by Apple in the App Store.
Theoretically, sandboxing would limit the damage of mobile malware. And it will, everyone interviewed for this article agreed. "It's good that people are building in isolation" via sandboxes, Juliuan says. But it's not a perfect defense. "You can Swiss-cheese a sandbox," notes EMA's Crawford, as you add mechanisms to allow apps to communicate with each other or share data.
The app most likely to have such holes punched in it is the browser, for which plug-ins add both capabilities and entry points for hackers, as Apple discovered in the PDF-jailbreak vulnerability, says Kaspersky's Schouwenberg. "That showed the limits of sandboxes."
Crawford notes the issue "wasn't the design of the browser itself, but how it's stretched -- through the extensions, helper objects, and plug-ins that open the doors where control is slight." He notes that users want such extensions, which are often developed by smaller companies and individual developers not necessarily well versed in application security, so mobile OS makers who wall off the browser are likely to get strong user pushback.
And the push to using HTML5 as a pan-mobile application development platform could increase the risk of the browser as a malware vector, he says, if the HTML5 apps were to rely on local helper apps. Web apps concern Crawford the most of all the potential mobile threats because "Web security is getting too little action today," despite the constant stream of reported exploits on the desktop.
This article, "Mobile security: Your smartphone is safer than your PC, for now," was originally published at InfoWorld.com. Read more of Gruman et al.'s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.