Mobile and dangerous

Intelligent phones are coming, accompanied by the possibility of security breaches. Defences can be built in but, as Bill Pechey says, no network is ever fireproof

Users tend to think of mobile phones as inherently dumb devices that do what they tell them and don't answer back. But this will change in the near future, with important consequences for many aspects of business.

To a small degree, manufacturers have already built intelligent features into their handsets, but there is more to come. The most common program found on mobiles is in the Subscriber Identity Module (SIM) Toolkit, which runs on the SIM cards that sit inside phones. The SIM is a computer in its own right and the SIM Toolkit allows it to interact more closely with the handset and control its functions.

Subscribers to Virgin Mobile can see the effect of the SIM Toolkit in the Virgin Extras menus, which are based on relatively innocuous applications running on the SIM itself, and which appear when the module is inserted into the phone.

Although unobtrusive, the SIM Toolkit is powerful and can make the handset perform functions, often without the user's knowledge. It can vet data that the user enters, for instance, and decide whether to allow the action or to modify it. The behaviour of SIM Toolkit programs can also be controlled by data sent to the SIM in special SMS messages.

Handsets with integrated WAP browsers have similar intelligent features because they can execute programs in the WMLScript language. The operations that WMLScript can perform are still limited, but they will be extended significantly when the Wireless Telephony Applications Interface (WTAI) is introduced. Then, WMLScript programs will be able to make calls automatically and control other functions of the handset.

And it will not be long before handsets incorporate support for the Java language, with downloaded applets and applications again controlling the handsets.

So what is being done to protect us from potentially malicious applications that we may unwittingly download into our handsets? SIM Toolkits are controlled by the SIM card suppliers and there is no facility to download programs. But the network operator could send out an SMS to your SIM that could inadvertently, or even deliberately, copy your entire address book to a server somewhere.

Concern about the security of WAP and Java has resulted in the development of the Mobile Station Application Execution Environment (MExE) platform. MExE resides in the handset and controls the download of programs and other content, defining four security classifications, or "domains", namely operator, manufacturer, third party and untrusted.

MExE uses public keys and security certificates to authenticate downloads. Public keys for operator and manufacturer would be included in the handset or SIM when purchased and would be considered as representing trusted sources. Third parties would acquire the trust of the user by reference to something already trusted, and the user can define what operations are permitted in the domains and can control the actions proposed by downloaded applications.

The excellent protection and user control that MExE affords should provide the protection from rogue handset programs that mobile users are going to need. But then, where networks are concerned, nothing is ever totally safe, so users should continue to be vigilant about their sensitive data.




