What vulnerabilities in Android phones tell us
A couple of days ago, Jon Oberheide and Zach Lanier gave a presentation at ShmooCon about hacking Android phones. Since then there's been lots of talk about what the vulnerabilities in mobile phones mean.
It looks to me like the mobile phone market is now much like the market for enterprise software was back in the early dot-com era. Back then, there weren't many application-level vulnerabilities known. We knew about buffer overflows, of course, but SQL injection wasn't even described until December 1998. Over the next few years, people found all sorts of clever ways to exploit carelessly written software.
Vendors, however, weren't keen on following secure coding practices until their customers made passing source code security audits a requirement for buying their software. Once customers started requiring careful reviews, the quality of enterprise software increased dramatically.
That's where we seem to be today in the mobile world, much like we were for enterprise software back in the dot-com era. We're just starting to learn how clever hackers can exploit mobile devices, and I'd guess that the people who create mobile applications have an outlook that's similar to the one that we had back then: they're probably more interested in getting their products to market quickly than they are in getting them to be secure.
And just like enterprise software vendors didn't take application security seriously until their customers forced them to, I'd guess that the developers of mobile applications won't take security seriously until they're required to by their customers. That's what the discovery of vulnerabilities in Android phones tells me.