The Sad Story of Secure Mobile Browsing

As many of our readers know, I am a major proponent of mobile-friendly web design and browsing. Very few browsers in the mobile world are powerful enough to support modern W3C technologies (IE, NetFront, Opera & OpenWave); however, they are good enough to do some basic browsing and even have SSL support. But especially in the case of IE (which is used a lot with PocketPCs & WinCE), Microsoft is still bundling a variant of IE 4.0.1 with WinCE. And we all know how insecure 4.0.1 is… The fault is not Microsoft’s though. The fault lies solely with the company that sells the devices. You see, the same rules do not apply in the embedded world as they do in the desktop world. The company that wrote the OS does not have to release updates to faulty software to end users. Its responsibility is solely towards the integrator companies, not end users. If the integrator company (e.g. PalmOne, HP, Dell, SONY, Sharp etc.) does not ask for updates, the OS company does not have to provide any. That’s how the embedded ecosystem works.

Moreover, an update would have to target many different PDAs and their revisions, which is not practical, as these integrators usually tweak the OS defaults, very often creating small incompatibilities. So, if a security update were to take place, it would have to target a gazillion different models. This is very common on PocketPCs and Palm devices (the differences between Clies and Palms are quite big under the hood). And no, the Zaurus is not any better in this respect either: the Familiar Linux distribution still uses Dillo & Konqueror 2.x, versions that haven’t been updated for quite some time, while the official Sharp ROM uses Opera and NetFront, which are also not updated regularly and in fact never had security updates specific to their PDA model.

And even if there is a way to update PDA browsers, it’s almost out of the question for phone browsers. Their ROM would have to be flashed, and that costs money, since it must be done at a carrier’s outlet because these devices are even more customized than PDAs are. Very rarely do we see phones that can be flashed via USB at home.

The only browsers that are at an advantage here are Opera for smartphones (not for Zaurus), NetFront for PocketPCs (not for Clie or Zaurus) and other third-party browsers (e.g. AvantGo, Xiino, Minimo, Blazer) that do not get installed by the integrator but are installed manually by the user. These versions don’t have the integrator’s specific changes in them; they are more generic, and so the danger of breaking default settings when upgrading them is much smaller.

Problem is, none of these third-party browsers actually releases security updates. NetFront releases barely one version per year, and Opera is not much better in this respect either. And when they do release updates, it’s mostly about bug fixes or new features. There are almost no security updates to be seen in their changelogs. And I refuse to believe that these browsers don’t have security gotchas. They all do.

The whole mobile browsing reality has not been taken seriously by companies yet. This is a huge problem. They think “oh, who’s gonna view a bank account with Pocket IE?” and yet there are many people who do and they might already be victims of URL spoofing.

I have said it many times and I will have to say it again: if you think that your desktop might be insecure, you have seen nothing yet. Mobile devices, and especially mobile browsing, are many times more insecure than your desktop. At least on the desktop you get regular updates, or you can change your browser or operating system. In the mobile world you can’t do jack about it.

27 Comments
