Mobile Security Firm Bluebox Responds to FBI’s Report
The ways in which users interact with the web are constantly changing, and the web is changing just as much to keep up. While that kind of technological symbiosis ought to be a net positive, people who would do harm through the Internet are keeping pace with those changes as well. In fact, last week the FBI and the Department of Homeland Security (DHS) released a report warning citizens of the top three threats to mobile web browsing—particularly focused on users of Android, “the world’s most widely used mobile operating system”—and recommended courses of action to mitigate those security threats. However, San Francisco’s Bluebox Security has a thing or two to say about the FBI’s suggestions.

Bluebox made headlines earlier this summer when the mobile security firm discovered a flaw in the Android operating system that left it potentially vulnerable to highly malicious software. But while the firm’s previous discovery revolved around Android, the company’s CTO Jeff Forristal warns that the DHS and FBI report’s focus on Android plays into the myth that Apple’s iOS is somehow more secure. That’s not quite the case, but the perception that Apple’s products are more secure than their competitors persists. The reason for that, he says, comes down to numbers:

“Apple basically has 16 devices in the ecosystem,” he says. “That’s six iPhones, five iPads, five iPod Touches. So when you say ‘iOS security,’ you’re referring to 16 devices. On the Android side, when you go to the Google Play developer console, when you make an app for Android and put it on Google Play, it asks you what devices you want it to run on. And it has a list of 3,627 devices. So when you talk about iOS security, you’re talking about all the problems present in 16 devices, and when you say Android security, you’re talking about all the problems present in 3,627 devices.”

Moreover, Forristal—who has over a decade of experience in the security tech field—takes issue with the report’s outdated suggestions for mobile users.

“Overall, I personally found it odd,” he says, “and I would characterize that whole write-up as taking PC-era solutions, and trying to apply them to mobile problems.”

So what problems does the report identify? The three threats are SMS Trojans, which infect devices and send text messages to “premium-rate” numbers that result in charges on the victim’s phone bill; rootkits, which “[log] the user’s locations, keystrokes, and passwords without the user’s knowledge”; and fake Google Play domains, which are app-download links meant to fool users into believing they’re getting software that’s been vetted by Google.

The first solution the report offers to combat Trojans is pretty straightforward: install antivirus and security software to protect your device from malicious software. While Forristal says that strategy is reasonable, the other two, in his view, are pretty far off the mark.

Take the second “threat,” for instance. The rootkits described by the report are often pre-installed additions to the phone’s firmware, put there by cell phone carriers, and not removable without rooting the device. The report’s solution of simply installing the Carrier IQ Test app isn’t actually helpful, says Forristal, who says that “it actually causes more problems than it solves.”

“It’s not a malware rootkit, it’s actually a commercial piece of software, doing exactly what it’s designed to do, that’s actually embedded in the device by carriers,” he explains. “It’s in the firmware. That means, essentially, you can’t just remove the app, it’s in the firmware. The recommendation to go, say, ‘remove the app, remove the malware’—which is a PC-type response—kind of missed the point that it was the device manufacturer that put it there and it’s stuck in the firmware. When you actually Google ‘remove Carrier IQ,’ all the answers are ‘root your device, and replace the firmware,’ which is not a user-accessible thing to do, nor a practical thing to do.

“From an education perspective, it actually causes more problems than it solves, because you’ve got users running around asking, ‘how do I do this?’”

He also takes a moment to point out, “Carrier IQ was also on iOS version 4—it was on the iPhone. It’s not an Android-exclusive problem.”

And Forristal notes that the solution regarding fake Google Play download links—falling back once again on antivirus software—is similarly unhelpful.

“If users are using the Google Play client, they’re going to download from the real Google Play,” he says. “The only opportunity for a fake Google Play page to come into play is if they’re grabbing their apps out of a web browser.”

And a user can’t do that anyway without first altering security settings, which the average user probably won’t do without knowing the threat in the first place. All told, these suggestions don’t do much to actually shore up mobile security, especially considering that there are more reasonable and helpful solutions out there for users with even an ounce of common Internet sense.

While Forristal and Bluebox are staying on alert for legitimate threats to mobile security, the company’s product is still in “stealth” mode. “The details of exactly our product and services are still forthcoming,” he explains. But understanding and discussing the realities of mobile security is a byproduct of Bluebox’s work, and until the company lifts the veil on its project, it’ll hopefully keep looking out for the tech-health and security of mobile Internet users.

And Forristal’s ultimate advice for mobile web surfers is pretty simple.

“It’s going to seem like déjà vu,” he explains, referring back to the age-old advice we all learned when computers first started to go online. “Don’t download arbitrary apps from the Internet and run them. Don’t click arbitrary attachments in email.”

Simple enough. Let’s hope that mobile users can follow those easy guidelines, and keep mobile malware to a minimum.