It is harder for Microsoft to control the security on its smart phone products than on PDAs, Steve Crayson, a device specialist with Microsoft EMEA (Europe, Middle East and Africa) Mobile Devices Division said. "We let the mobile operator choose whether it's locked to third party developers or not, whether they demand that applications have been assigned digital signatures." For the most part they do, he said, because they want to protect their networks from trouble.
However, there is a strong push from developers wanting access to the devices to run their own applications, and several have proved that the phones can be unlocked to accept unauthorized code. On developer Web sites earlier this year, for example, users discussed how to unlock the security on Orange SA's SPV Smart Phone.
Now is the time to look at the security on phones, before the problem grows too large, said Alyn Hockey, director of Clearswift Ltd.'s Future Products Group. There are relatively few smart phones in use, so a virus wouldn't get mass distribution at the moment, he said.
And while developers may like to add their own software, anyone who unlocks the security on their phone has to recognize how vulnerable they make themselves, he said "It's like taking all the locks off your front door."
Craig Heath, strategic product manager, security, at Symbian Ltd. says that "malware is typically quite small, a few K at most," and so even the more limited operating system on a smart phone, compared to the average PDA, represents a potential danger if it has access to a company's network.
"It's a difficult risk to quantify. I wouldn't say there's no need to worry, but I wouldn't say you should throw your phone in the bin. Certainly, phones with open operating systems that allow third party development are more vulnerable, because you have to give people access to the development kit," he said.
Symbian works with antivirus companies to ensure scanning software works with its OS, and also with the device manufacturers on certification programs, Heath said. "(But) we are very much at the mercy of licensees, who choose what software to put on the phones," he said.
Users also have to recognize that they have an "obligation of care," Heath said, "and not go installing any old rubbish that people send them."