With the open handset alliance, the scrutiny for Linux based cell phone operating systems is once again something that security engineers need to think about.
Hacking the Linux kernel is nothing new, and bugs or out right malicious code in open source or closed source software is also nothing new. Security engineers though need to take a look at what is being brought into the enterprise, and like all systems that plug into the network, figure out what is going to be the best way to handle the inherent risks of plugging anything into the network.
The war between device hackers and Apple is going to continue, that is a reality, so every time some group or another unlocks the cell phone, apple is going to come up with a counter measure. While this is good from the device security viewpoint (nothing better than having a system compromised or unlocked to get you to start thinking about security) with the back and forth you end up with a more secure device in the longer run.
Taking a look at the open source code in the Google Phone (Gphone) alliance is also something that is going to get a lot of scrutiny, not just from the Google alliance (and Google has a very good track record of security), but from everyone who is going to be looking at and working on the code.
In a few short words, the odds that malicious code making it into the Google gphone alliance is probably going to remain the same as it is now with either closed or open source material. If anything, people will make and break code with the same wild abandon that they do now. The real risk is a system wide issue like seen with the early symbian phones.
This is something that every device has, and something that mobile security and policy will provide guidance overall for the company. Given what is currently known about the systems, the focus has been more on unlocking the systems rather than injecting evil code into the phones. From a risk viewpoint, there is little to no difference between what you are doing now against what is required for any other modern cell phone that connects to the internet, has MP3s, and all the rest of the things that cell phones seem to do now.
Without an increase in material risk that is already faced by every single mobile device out there, it is important then to make sure that folks do not start trying to sell a company snake oil that promises to somehow cure all your mobile worries. If you already have policy, NAC, AV, and all the other things that mobile devices need, then you don’t need to do anything other than what you are doing now. While it is best to upgrade those systems, if you have a solution in place, there is no need to come up with something new to work with some unspecified threat that is meant to create FUD and sell more stuff.
