Mobile operating systems consume resources from unknown sources on the Internet all the time, and yet they are not infected in the same manner as desktop operating systems. Certainly, sideloaded malicious Android apps are able to access parts of a mobile device that the user has authorized (e.g., pictures, contacts, SMS). We have also seen flaws in mobile browsers that have led to malicious code accessing the same resources that a mobile browser has access to (e.g., pictures, contacts). But for a malicious app to reach beyond its own boundary and into the memory space of another mobile app is an entirely different matter.
I have been part of conversations where IT security professionals state that they trust their desktop PC more than a mobile device because of the range of security technologies that they can layer onto their PC compared to smartphones or tablets. Desktop endpoint security has not been as successful as mobile security layers, such as application code-signing and app sandboxing.
Sandboxing of mobile device apps is very strong compared to sandboxing of applications on desktop operating systems. Mobile operating systems have barriers between apps that extend much deeper. Apps have no user rights into the memory space of other apps, and this isolation is engineered without the backward-compatibility compromises that often plague desktop operating systems. Out of the box, mobile operating systems provide a good deal of security. This truth is muddied by the hype surrounding mobile malware.
Leveraging mobile devices for authentication and other means of protecting digital identities is a great idea. The security that you get out of the box from a mobile operating system already exceeds what you can buy with traditional desktop PC endpoint security. In a world where most of us mix our usage of PCs, smartphones and tablets, it’s a great opportunity to take advantage of the strength of the computers we carry in our pockets.