Sep 2, 2008

Becoming scared of being mobile

For a while I've been meaning to post something about mobile computing and some of the security implications that can result from it. As the mobile platforms have advanced a lot in the past 2-3 years (yay, we can run the Apache Web server on the Nokia N95!), it is becoming inevitable that soon people will begin to do day-to-day activities, such as shopping, banking, and e-mail, from their phones... oops, they already have. The scary part in all of this is that phones are beginning to act like normal computers on the network. For instance, the new phone that I got already has a MAC address and a NetBIOS name... I'm assuming that when I start using its Wi-Fi functionality, it will also have a real IP address. However, unlike computers, the interfaces on mobile phones limit the user in knowing what data leaves the phone encrypted and what leaves as plaintext (e.g. is mail accessed using TLS/SSL or plain IMAP/POP + SMTP?), let alone what data is cached locally and what is not.

To resolve these worries I've adopted the following simple strategy: abuse the browser. At least the browser (in the sense of IE, Firefox, Safari, and Opera) will let you know whether SSL is used or not. Additionally, some phones have the functionality to clear the browser's cache, cookies, and history.

P.S. - Let's not discuss non-SSL content embedded into pages that are viewed over HTTPS. :)
