Motivation behind this post are the news related to security issues related to software available at Android Market and Apple's App Store. Both have had similar cases, where third party software has collected and sent ahead user information from the phone.

If we take a look at Android security from third party point of view, definitely some attention has been given to it. I'm not expert in this area, but following is my knowledge. All installed applications run in a sandbox, i.e. installed packages have their own UID and in addition there's the Android Java API that has access to limited set of features. Applications don't have access to phone features by default, so developer needs to grant these privileges via configuration. If I recall, these privileges are shown to user when installing package. Basically application developers can make sure that other applications don't have access to their data and user has the visibility what these applications are granted to do. Still things like this happens.

So, no we can enter Maemo/Meego (mostly Meego, since Maemo doesn't seem to address this problem?) world, which is an open system from application developer point of view - at least compared to Android and iPhone. Multiple programming languages and API's and easy root access. Here at TMO software is open source, and malicious software can be identified by browsing source code. What about OVI and other potential sources of closed software? How is Nokia controlling security of these applications, and does the end-user have any visibility to application capabilities? If OVI store kicks off, there's no way every application can be reviewed manually, so what methods are there to guarantee user security. There could be something planned / implemented, honestly I don't know. But if there's nothing, it's pretty obvious what's going to happen. And I'm also afraid that Nokia has woken up to these too late, and that will be holding back the OVI Store for Maemo/Meego based devices.

Source code review would be the only way.

Correct.

s/grant/request/

Users ignore warnings, grant permission to an application that asks for access to everything.

This is largely true for the N900, not necessarily for other devices.

Same as on your PC. Same as the App Store. Same as the Marketplace. Do you trust the vendor?

Only Nokia knows.

Unlikely. Aside from requiring developers submit software sources or undergo a 3rd party audit, you can't validate that software has or lacks certain functionality. What you have to do is find a way for a vendor to build up a reputation people can trust.

Apparently, the Android wallpaper malware thing isn't true...

There's still some cause for concern on Android and iPhone (moreso Android), despite that particular urban legend being untrue. Still, an entirely transparent code review would be the only way to resolve this issue. Preferably one that meets a public vetting like open-source would.

It all really comes down to a simple equation:

User's power = user's responsibility

In the old days, dumb phones came preloaded with software. User had no power, and no responsibility. Devices were 100% as secure as the user could make them.

Then came companies like Rim and Apple that brought some amount of user control. A user had some access to their device, and could expose some aspects of it to malicious code.

With Android and the n900, the user is in nearly 100% control.

Now you can argue that the host OS should provide some level of "protection" against intentionally malicious code, but I submit that in the end, trying to secure a user's device while granting them control is a losing battle.

Why? Because at the end of the day, the user makes the call. If the user wants to install malware, they have the right.

All you can do is provide them with the tools to stay safe. Process and memory isolation, of course. Application-level firewalls. Logs. Warning dialogs. File and API permissions...

If they choose to use those tools, and think things through, they'll only get rooted if the system has its own exposed exploits.

If they click OK, OK, next... well...

With great power comes great responsibility, right?

*edit*

I just re-read this and it may be coming out wrong.

The only bad security is insufficient security.. where the user can't restrict access when he/she wants to.

I don't mean that application jails and warning dialogs are bad things... I just don't think they offer much security to users who are essentially intent on getting owned (through laziness or inattentiveness).

Yes, pretty much same as your PC when your PC has got a modem attached to it. In addition there's a possibility to send SMS messages to expensive numbers. Path to your wallet is much shorter with mobile phones.

Kaspersky annouces that it has found an Android trojan that sends SMS messages.

http://www.kaspersky.com/news?id=207576152

on the Amsterdam 2009 summit Elena(?) talked about the Harmattan security framework, good stuff and solid planning there.

there are some referrals and even attempts to explain it in somewhat less technical sense on this forum and in the wiki AFAIRecall, I recommend using the search.