My fellow MVP Chris De Herrera pointed me to that article from CNN called "Threat of mobile virus attack real" which is about viruses on mobile devices and I got additional thoughts when I read it.
Basically the risk of viruses for mobile devices is real - it's the same as for all devices running any kind of open Operating Systems. You can develop viruses for Windows, Linux or Apple Desktops as well as you can do it for Windows CE, Palm or Symbian based mobile devices - sure. It's always a question of market penetration of the OS.
Because of the feature limitation of mobile devices it might be not that risky today to surf the web or open E-Mails on that cell phones but any kind of application you install on your device might contains a harmful code which is at least a virus.
Basically that's the idea why Microsoft introduced the certification process for Smartphones that Microsoft and carriers can control which applications might be able to installed on Smartphones and knowing what it does on it.
As good as that idea is in general, the permission for the user are to restrictive, but the approach is the right one, especially for a carrier. Imagine you install a, let's say, file explorer which is also a "dialer" and dials any 0900 services numbers (like during the night when you will not see that it is dialing out). On your next monthly bill you will have calls listed you never did but how do you want to explain it your carrier?
I think that dialers are the most critical topic here since it could costs you real money and this isn't fun anymore then. But crappy code could also kill you device itself. Just imagine if a code is good enough to erase your IPSM directory of your Smartphone - all data would be lost!
Even in old propriety OS cell phone days you was able to crash a Nokia phone by sending a special SMS message which caused a buffer overflow. Okay, to resolve that problem you "simply" had to remove the battery but anyway - everybody was able to kill your phone for a limited period of time.
Sending codes is a good keyword for the second problem I see of being wireless which is - in my terms - a DoS attack. You have a mobile device which is connected via GPRS to the IP network. This mobile device (and here I'm not talking about Smartphones only but also about simple WAP enabled cell phones) got an IP address assigned because otherwise it couldn't communicate with the world outside. So far so good but have you ever thought about a "ping" to that device? I did - long time ago when I was working for O2 and we introduced GPRS. That early days of GPRS it wasn't that stable as today and sometimes I wasn't sure if the connection dropped or not and therefore I got the idea to check if the phone is still connected by pinging it - right from my Desktop PC and if you believe it or not - it worked. I was able to send 32 bytes packages to my GPRS phone. While it was useful that days to check if GPRS is still alive, imagine if someone would send KB or MB packages to your phone today! You wouldn't notice this DoS on your phone but your carrier is noticing it because your phone receives data and therefore you get billed! Without any warning!
Today it's not possible anymore on the O2 network to ping GPRS IP addresses - it's blocked right before the ping reaches your device but I've tested it with several other international carriers and my pings reached some mobile phones.
Being a Webmaster gives me access to real time statistics on my web server and I see who is online with which IP address assigned and if I use a domain lookup I get the domain name which gives me a good indication if that user access the site from a GPRS account (most carriers use GPRS in their domains - for instance O2 Germany is using "ipgprs.viaginterkom.de").
Now - if I would be a bad guy - I could develop a simple script which starts automatic pings to domains which contains the keyword "GPRS". 8O Why I should do it? Maybe for the same reason why others want to kill or hack web sites - "just for fun".
So back to the question from above: "is you wireless device really protected?" and the clear answer is no, it isn't and there is nothing you - as a user - can do today except installing a virus scanner for mobile devices which I don't believe in today. If you install a cab file with harmful code - as explained above, the virus scanner won't notify that code. If your device is accessed from outside, you wont notice it.
The solution here is the cooperation between the handset vendors and carriers as well as having a new kind of protection software. On my PCs I'm sitting behind a router which does a lot of security work for me and the PCs are also running Norton Internet Security and Norton AntiVirus and specially that kind of Internet Security is something we will need and see sooner or later for smart devices. But since not all GPRS enabled devices are smart devices also the carriers have to protect their customers by limiting the possibilities of how to access a devices from outside.
I don't want to fan a hysteria here but mobile data users as well as software developers, OEMs, ODMs and carriers have to be aware of what might hit us sooner or later and it will hit us - I'm sure, unfortunately.
Cheers ~ Arne