In my previous SecurityWeek column “Where is the Android DDoS Armageddon,” I looked at the reports that showed that mobile DDoS just isn’t a thing. Malicious mobile malware (say that three times fast with a cracker in your mouth) is barely a thing, either, once annoyance adware is removed.
But why aren’t the one billion Android mobile handsets being leveraged as attack clients? I put this question to Ken Scott, a ten-year veteran of DDoS defense, and Brian McHenry, a Security Architect, both with F5. Between them, they offered three main reasons: apps, better browser sandboxing, and service provider control. Ken Scott states:
“For my own experience in DDoS, I'd say the real reason there isn't a huge number of infections is that mobile phones are used to run apps as opposed to desktops running browsers. Browsers are exposed to many, many more sites that can infect them. Even if you just go to one site, their rotating ad network can infect you.
On the other hand, most apps are direct from client to the server with a much higher monetization value on mobile users; therefore you have less shenanigans in mobile ad infections.”
This makes sense when you think about it. When I load my United Airlines application on my iPhone, it is only contacting United Airlines services. The exposure is limited. I don’t use the browsers on my phone—they’re just so inefficient and clumsy compared to the desktop browsers. I suspect many other users feel the same way about their mobile browsers.
Ken also states that “[s]ince there's no shortage of Desktop and Wordpress-style server exploits with direct fiber links, there's no need to build a bot of phones.”
McHenry says that even users who do use their mobile browsers aren’t likely to get truly malicious malware because mobile browsers have been better sandboxed from the underlying operating system than their desktop counterparts. He elaborates, “It will be interesting to see how improvements in browser security and the deprecation of Java and Flash applets improves the infection rates, even on desktops. Downloading an .exe or .dmg/.pkg on a desktop is still a problem, but more easily contained and detected than with Java and Flash.”
Lastly, data connections from mobile handsets nearly always go through the carrier providers’ mobile core network before they hit the Internet. These networks, while not bulletproof, are at least under the control of a single entity. The carriers, after all, finally have enough visibility to start enforcing usage caps on individual handsets. This means that they may have enough visibility and control to stop a DDoS on a per-handset basis, if it ever comes to that.
So while we in the security industry had been busy getting our panties in a bunch about the coming Android DDoS explosion, it never materialized. DDoS continues to wax and wane in unpredictable cycles, but the ecosystem has evolved to keep it out of the mobile space.
At least, for now.