[anon4164832]

ChrisBP, Thank you for relating some of your expertise in the area of mobile malware. I have one question you may have some insight into:
Are BlackBerry phones not attacked because they are not an interesting target (not enough in the world) or, because they are a hard target?

The company I work for is exclusively involved in IT services for small to medium size banks. We recently got a SOC Type 2 certification. Since the auditor did not evaluate the mobile devices or MDM in our firm and, he had a Android phone, I determined the audit--and indeed--the certification is nonsense. Two thirds of the engineers here use Android phones. There is no mobile device control of any kind. I could say much more about this but I don't want some future lawyer to get a hold of it.

For those concerned with BlackBerry including the Android runtime and the the negative security implications, remember, BlackBerry expects those who care about security to use BES and, to know what they are doing. No manufacturer can protect people from their own harmful actions and actually sell their products. BlackBerry at least offers a product to help enterprises control what their users are doing. No other phone maker does that. Well, it could be argued Microsoft does with ActiveSync.

Hi, just to reiterate, my lab has not yet started officially testing Android malware - we are tied up right now finalising our new certification programmes which kick off next Q - however, as I stated earlier, we are the largest supplier of malware and malicious URLs in the world and have been providing this service for several years. The reason I mention this is because, overall, the volumes of all malware has increased dramatically. We have seen a huge increase in the number of malicious Android binaries in the last year.

Cybercriminals will target the largest audience so to some degree this explains why it would make more sense to target Android, this said however, I recall a statistic from 2011 / 2012 (cant remember which) that showed that for the year in question, there had been one piece of malware on BB7 (was financial malware designed to intercept SMS messages as part of multi factor authentication used by banks) and two separate pieces od malware for IOS. The same statistic showed thousands of individual malware for Android.

Now, given the fact that in 2011/12, IOS and BB still had big market share, this suggests to me that there was a sizeable target audience for IOS and BB users that the criminals could have targeted - but there was almost no malware on these platforms. This would lead me to deduce that these OSs are more secure.

Last night, I contacted twelve BlackBerry employees via LinkedIn and they all replied. These included their marketing staff, SW engineers, security experts and malware analysts. I will begin a dialogue with them next Q with a view for us to include BB in our upcoming mobile security testing, so watch this space.

One thing I would point out is that whilst some OSs are more secure than others, it is my opinion that it is impossible to be 100% secure. If someone (technically competent / govt agency) wants to hack you, there is nothing you can do to stop this, the only metrics in these instances that are relevant are how long it takes to 1) detect the breach 2) stop the breach 3) determine what was exfiltrated.

BB has a low market share, but will be continue to be used by people who are concerned about security - Govt officials, military, financial institutions etc - and in these cases, these people are the ones who are more likely to be subject to a specific targeted attack using code specifically created to attack that OS.

With BB I believe you are less at risk than with other OSs, but BlackBerry should make a real thing about their general security against APTs but also, their resilience and response to targeted attacks.

In terms of the issue you raised about your own businesses SOC certification - and the fact you mention your company works with small to medium sized banks - check out a company "Lacoon Mobile Security" take a look at their offering, it may be of use to you. Also, the founders are the same guys behind Trusteer - so another banking tie-in there.

Cheers,

Chris

PS, thanks for the Mod for deleting the posts.

[Bbnivende]

I was in a Telus store and a customer asked the sales rep to show him a phone. She showed him a Samsung citing as the main sales feature being that the android has more free reps than the iPhone.

[anon4164832]

Just as a recent example of how malware and rogue software (PUAs) get on the app store, see this fake antivirus:

http://www.androidpolice.com/2014/04...-a-total-scam/

This is why with BlackBerry 10 now being able to run Android apps, BlackBerry must get a reputable vendor to create a native AV product.

You will notice that all BlackBerry apps in the app store are certified as having been tested by Trend Micro - Trend would seem to be the obvious choice.

Cheers,

Chris.

Posted via CB10