In 2012, a mobile security minefield

Researchers say smartphones are full of vulnerabilities that are ripe for attack. Technology and vendor diligence will help improve things in 2012, but only to a point.


November 27, 2011, CSO

The mobile device, now the dominant technological tool in American enterprise, will become more dominant in 2012 and beyond. Industry analysts say mobile device shipments will top 1 billion in 2015, leaving PC shipments in the dust.

That will bring big benefits, but also big risks.

The benefits for user convenience and productivity are obvious and irresistible -- a smartphone can handle everything from email to collaboration to video chat. It can serve as your GPS. It can scan product bar codes. It can find and store your favorite songs, help you take high-res photos and HD video, and expand both your social and professional networks.

But it is not very secure, which puts users and the enterprises that employ them at greater risk.

The combination of relative defenselessness and ubiquity means mobile devices will be an increasingly tempting target for attacks ranging from spyware to rogue applications.


Security experts say the industry is aware of the risks. IBM's IT security research team, X-Force, predicts 33 software exploits targeting mobile devices in 2012. That may sound small, but it is double the number released in the previous 12 months.

Many of the attacks will come through the browser, which Anup Ghosh, co-founder and CEO of Invincea, calls "a terrific attack vector for any malware writer." Ghosh says that while each new iteration of browsers has more security built in, "there is no slowdown in the vulnerabilities that each iteration has."

Indeed, the variations of malware -- up to as many as 75,000 per day -- mean "the whole model of detecting attacks and then responding to them is fundamentally broken," Ghosh says.




The methods of attack are varied. They can come with attachments to emails, with third-party apps that promise to do something the user wants but end up harvesting personal information, or simply through opportunistic infections from surfing.

Current estimates are that one in 60 Facebook posts and one in 100 tweets contain malware.

Gary McGraw, CTO of Cigital and a co-founder of BSIMM (the Building Security In Maturity Model), an organization that helps software developers build security into their products, believes that awareness of the threats means a lot of effort will be made to improve security for mobile devices. But, he notes, "This is a very complicated space. A lot of different people are responsible for different parts."
