Monday, June 21, 2010

mobile model won't stop malware

thanks to lysa myers for drawing my attention to this slate article about the security advantages of modern mobile device OSes like iOS (the OS for iphones, ipads, etc), android (google's mobile phone OS), and chromeOS (google's netbook OS).

i agree with lysa that it is a fairly well balanced article, in spite of the somewhat sensationalistic headline (and to the credit of a publication whose focus is not strictly about computer security). however, i also find it a bit short sighted.

i say this because the writing is already on the wall with respect to the future of malware, and that future is not encumbered by the modern mobile OS' attempts to be locked down.

i'm surprised that i haven't written about this concept earlier, i thought i had, but when it comes to chromeOS specifically, the reason such an OS has any chance at all is because more and more applications are moving onto the web, into the cloud. an operating system that only gives you access to the web browser wouldn't be very useful with the world wide web of 10 years ago, but now there are a wide variety of web apps to allow you to be productive with nothing more than the lowly web browser.

and where legitimate applications go, malware is sure to follow. we're already seeing malicious facebook apps, and malicious javascript that changes your router's DNS settings is not unheard of either. worms that spread on social networking sites instead of the user's computer are old news by now, and web-based spyware is out there. a locked down endpoint device is a non-issue to malware that operates in the cloud or finds other ways around actually changing the endpoint device itself.

mass adoption of these more stringently locked down platforms won't be the end of malware, it won't even mark a turning point in the evolution of malware since the development is already in progress. if such adoption takes place it would probably be most appropriate to think of it as punctuation in the evolution of malware.