The Android browser's design isolates some types of vulnerability. For example, earlier this year, ISE's Miller approached the Android team with a suspected browser vulnerability: a malicious MP3 file that potentially could execute code. According to Cannings, this is not actually a browser vulnerability, because the Android browser hands off such files to a separate, sandboxed program -- in this case to the media player that's part of the Android multimedia subsystem developed by PacketVideo. The malicious MP3 file "can only affect what the media server can do -- read and write certain types of files," he says.
An emerging security standard, extended validation (EV) certificates for SSL, is making its way into desktop browsers and, more slowly, into mobile browsers as an antiphishing mechanism. An EV certificate is issued only after the certificate authority has verified the legal identity of the organization behind the site, and a browser that supports EV colors the address bar green to show that an SSL-protected Web site passed that vetting; the red warning for a known or suspected phishing site comes from the browser's separate phishing filter rather than from the certificate itself. Microsoft's mobile Internet Explorer is one of the few mobile browsers that currently support this, according to Miguel Myhrer, wireless network lead with Accenture's mobile communications division.
Phishing shows how even a mobile browser with well-designed security can be subverted, just as its desktop cousins are, by users who are ignorant of or careless about safe browsing. Enterprises can tackle this by combining effective mobile device and application management with appropriate mobile security and user policies, and with user education and training.
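To make the EV mechanism concrete, here is an added example (not code from the article, from Microsoft, or from any browser vendor) of the two decisions a browser makes before coloring the address bar: it parses the certificate's certificatePolicies extension and checks whether one of the policy OIDs is a recognized EV OID, and separately consults a phishing blocklist. The DER bytes, the blocklist hosts and the second OID in `EV_POLICY_OIDS` are constructed for the example; the first OID, 2.23.140.1.1, is the CA/Browser Forum's EV policy identifier. In 2008 each CA used its own EV OID and browsers shipped a list of them, which is what the set stands in for.

```python
"""EV-style trust indicator: extract certificatePolicies OIDs from a
DER-encoded extension value and decide the address-bar colour.
Added example, not code from the article or from any browser vendor."""

EV_POLICY_OIDS = {
    "2.23.140.1.1",            # CA/Browser Forum EV policy OID (real)
    "1.3.6.1.4.1.99999.1.1",   # hypothetical CA-specific EV OID (assumed)
}

# Constructed blocklist for the example; a real browser pulls this from a feed.
PHISHING_HOSTS = {"secure-login.example.net"}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos).
    Handles short-form and long-form (up to 4 length bytes) lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def certificate_policies(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation, where
    PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, ... }.
    Return the policy OIDs as dotted strings."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        t, info, pos = _read_tlv(seq, pos)
        if t != 0x30:
            raise ValueError("PolicyInformation is not a SEQUENCE")
        t2, oid_bytes, _ = _read_tlv(info, 0)   # first element: policyIdentifier
        if t2 != 0x06:
            raise ValueError("policyIdentifier is not an OID")
        oids.append(decode_oid(oid_bytes))
    return oids


def address_bar_colour(host, ext_value, chain_valid=True):
    """Red for a listed phishing host, green for a valid chain whose leaf
    carries a recognised EV policy OID, otherwise neutral. A malformed
    extension never upgrades trust."""
    if host in PHISHING_HOSTS:
        return "red"
    if not chain_valid:
        return "neutral"
    try:
        policies = certificate_policies(ext_value)
    except ValueError:
        return "neutral"
    return "green" if EV_POLICY_OIDS.intersection(policies) else "neutral"


# Constructed sample extension values, hand-encoded in DER:
# EV_EXT carries anyPolicy (2.5.29.32.0) plus the CA/B Forum EV OID (2.23.140.1.1);
# DV_EXT carries anyPolicy only.
EV_EXT = bytes.fromhex("3011" "3006" "0604" "551d2000" "3007" "0605" "67810c0101")
DV_EXT = bytes.fromhex("3008" "3006" "0604" "551d2000")

if __name__ == "__main__":
    print(certificate_policies(EV_EXT))
    print(address_bar_colour("bank.example.com", EV_EXT))
    print(address_bar_colour("bank.example.com", DV_EXT))
    print(address_bar_colour("secure-login.example.net", EV_EXT))
```

The point of keeping the two checks separate is the one the article blurs: a valid EV certificate says who the site operator is, nothing more, and the phishing verdict comes from a blocklist or heuristic that runs regardless of the certificate, so a phishing host is painted red even if it presents an EV certificate.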
Make it manageable
Increasingly, the browser may become one of the most important mobile applications to be monitored, configured and managed.
"Device management gives you the means to diagnose, interrogate, and modify settings on a handset," Accenture's Myhrer says.
Effective device management means being able to control file downloads, clear device caches, sandbox data, deploy antivirus packages, enforce mobile VPN usage, and so on. Tools range from Microsoft's System Center Mobile Device Manager 2008, to Research in Motion's expanded management features in the upcoming BlackBerry Enterprise Server 5.0, to third-party applications such as Sybase iAnywhere's Afaria and offerings from F-Secure, McAfee, Symantec, Tangoe, and Trend Micro.
With effective device management in place, "you have the ability to apply remotely [software] patches and updates as vulnerabilities are identified," says Chris Saint-Amanat, mobile application architect with Enterprise Mobile. "And you have the ability for Internet access to be proxied via VPN to the enterprise Web proxy servers." An advantage with Windows Mobile 6.1, he says, is that this VPN connection is active all the time.
One key issue with mobile software patching is who creates the patch and how it reaches the device. With mobile devices there can be multiple players: the operating system vendor, the device maker, and the carrier. An operating system patch may not come directly to the enterprise; it may go through the handset maker first and then have to be tested by the carrier before it is released.
Network World is an InfoWorld affiliate