Over in the Twitterverse, @paulmadsen is surprised:
Should we be surprised by this? Not really, unfortunately. Most of the work so far on mobile security looks at the mobile device in isolation; this is an important but severely limited perspective. Even Android seems to consider the security architecture only as a Dalvik VM-level problem. Most of the documented thinking on Android security treats mobile security as something you solve with Unix- and Java-style permissions; the docs even invoke that old chestnut, least privilege!
In this way, the Android system implements the principle of least privilege. That is, each application, by default, has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an application cannot access parts of the system for which it is not given permission.
So after the ritual invocation of Least Privilege, do you know what the very next sentence in that document is? It is this:
However, there are ways for an application to share data with other applications and for an application to access system services
and that is precisely the point.
Mobile apps do not exist in isolation; they communicate with Web services and a host of other content providers. That is not something a Linux app ID is going to convey (though it is part of the security architecture).
This creates a fatal disconnectedness: the Android permissions, the iOS keychain and the other mobile security stuff are useless by themselves, because there are no mobile apps, there are almost always mobile web applications. You need to factor in what matters on the server and identify the other integration points. Least privilege and separation of privilege are great ideas, but they take you approximately 1% of the way; they are not remotely complete solutions. Security is a system property. Mobile brings a new crop of vulns, but these are mobile WEB apps, and the gap between mobile and web hides a lot.
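To make the gap concrete, here is an added example (written for this edit, not code from the post, from Android or from Salesforce): a Web service behind a mobile app never sees the app's Linux UID or its manifest permissions, so the device-side model contributes nothing to the server's authorization decision. The token store and record table are constructed sample data; the weak handler trusts an identity the app asserts about itself, while the hardened handler resolves a server-issued token and checks ownership on the server.

```python
import hmc_placeholder  # noqa: F401  (replaced below; see real import)
```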
Luckily Salesforce.com has done some good work and published open source here on some ideas on how to close out the gap between where the local OS security ends and the Web begins. It would be very helpful if Mobile OS vendors made sure that developers are aware of the gaps and limitations of looking at the Mobile OS security model in isolation.