A desktop example of the potential problems is the 2008 "Secret Crush" Facebook widget, which purported to reveal who on Facebook had a secret crush on you but was actually luring you to download an adware program.
Build on a secure mobile OS
For enterprise security, the starting point is the handheld's operating system. The key issue is whether the operating system makes use of a "sandbox" architecture for the applications it runs, including the browser. In effect, each application gets to "play" in a separate "space" defined by memory and permissions in the operating system. Its activity, benign or malicious, can't affect other applications or access other parts of the operating system.
"Most of these operating systems do have a sandbox for their applications," says Dave Field, device management and security architect with Enterprise Mobile, a Microsoft-backed company that specializes in enterprise Windows Mobile deployments. "With a sandbox, you can lock down the execution environment based on things like the application characteristics and limit its access to certain configuration settings, APIs, data and so on. You put a cage around the application."
Taking that a step further, ISE's Miller says, some mobile operating systems have a non-executable heap, which he describes as a mechanism to hinder or block the execution of malicious code.
Windows Mobile makes use of both the sandbox and execution blocking, according to Field. "We can prevent untrusted code from installing at all, unless it's 'blessed' by IT," he says. "It's like inoculating the device."
The Android operating system for mobile devices is built on the Linux kernel, which was developed originally for mainframe-class computers. That kernel was designed to separate multiple simultaneous users, and protect them from stepping on each other's applications and resources, says Rich Cannings, Android security engineer at Google. What Android did, in effect, was to substitute multiple applications for multiple users, each in its own separate user process.
"On the desktop, a browser vulnerability gives [malware] access to the full desktop machine," Cannings says. "But in Android, it will only affect the browser, not the dialer or any other application."
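Added example, not from the article and not Google's Android code: a small Python model of the per-application-UID sandbox Cannings describes, set beside the single-user desktop model he contrasts it with. Package names, UIDs and the file path are constructed; the access check mirrors POSIX owner/other read bits (group bits are omitted).

```python
import stat

DESKTOP_USER_UID = 1000   # constructed: the single login user of a desktop model
APP_UID_BASE = 10000      # constructed: first UID handed to an installed app


class Sandbox:
    """Models app isolation: one UID per app (Android-style) or one shared UID."""

    def __init__(self, per_app_uids):
        self.per_app_uids = per_app_uids
        self.next_uid = APP_UID_BASE
        self.uids = {}    # package name -> uid the app's process runs as
        self.files = {}   # path -> (owner uid, POSIX mode bits)

    def install(self, package):
        """Assign the package its UID; the Android model hands out a fresh one per app."""
        if package not in self.uids:
            if self.per_app_uids:
                self.uids[package] = self.next_uid
                self.next_uid += 1
            else:
                self.uids[package] = DESKTOP_USER_UID
        return self.uids[package]

    def write_private(self, package, path, mode=0o600):
        """A file an app creates in its own data directory is owner-readable only."""
        self.files[path] = (self.uids[package], mode)

    def can_read(self, package, path):
        """Discretionary check: owner read bit for the owner, 'other' bit for anyone else."""
        owner, mode = self.files[path]
        uid = self.uids[package]
        bit = stat.S_IRUSR if uid == owner else stat.S_IROTH
        return bool(mode & bit)


def browser_reach(per_app_uids):
    """Whether a (possibly compromised) browser process can read the dialer's private data."""
    box = Sandbox(per_app_uids)
    box.install("com.example.browser")
    box.install("com.example.dialer")
    db = "/data/data/com.example.dialer/calls.db"   # constructed path
    box.write_private("com.example.dialer", db)
    return box.can_read("com.example.browser", db)


if __name__ == "__main__":
    print("desktop model, browser reads dialer data:", browser_reach(False))  # True
    print("android model, browser reads dialer data:", browser_reach(True))   # False
```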
Securing the browser
On top of the operating system, browsers can add a battery of built-in protections and alerts. The existing Mobile Internet Explorer has a range of security zones, and alerts users when they're leaving an encrypted SSL session, for example. But there's a key drawback to such browser-based features, Field notes: "It relies on the user's decision."
For enterprise customers, Field focuses on identifying what security elements can be controlled on the mobile device, and then automating their configuration, taking those decisions away from fallible or careless users.