In 2012, a mobile security minefield

Researchers say smartphones are full of vulnerabilities that are ripe for the attack. Technology and vendor diligence will help improve things in 2012, but only to a point.

The mobile device, now the dominant technological tool in American enterprise, will become more dominant in 2012 and beyond. Industry analysts say mobile device shipments will top 1 billion in 2015, leaving PC shipments in the dust.

That will bring big benefits, but also big risks.

Its benefits for user convenience and productivity are obvious and irresistible -- a smartphone can handle everything from email to collaboration to video chat. It can serve as your GPS. It can scan product bar codes. It can find and store your favorite songs, help you take high-res photos and HD video, and expand both your social and professional networks.

But it is not very secure, which puts users and the enterprises that employ them at greater risk.

The combination of relative defenselessness and ubiquity means mobile devices will be an increasingly tempting target for attacks ranging from spyware to rogue applications.


Security experts say the industry is aware of the risks. IBM's IT security research team, X-Force, predicts 33 software exploits targeting mobile devices in 2012. That may sound small, but it is double the number released in the previous 12 months.

Many of the attacks will be coming through the browser, which Anup Ghosh, co-founder and CEO of Invincea, calls "a terrific attack vector for any malware writer." Ghosh says that while each new iteration of browsers has more security built in, "there is no slowdown in the vulnerabilities that each iteration has."

Indeed, the sheer number of malware variants -- up to as many as 75,000 per day -- means "the whole model of detecting attacks and then responding to them is fundamentally broken," Ghosh says.


The methods of attack are varied. They can come with attachments to emails, with third-party apps that promise to do something the user wants but end up harvesting personal information, or simply through opportunistic infections from surfing.

Current estimates are that one in 60 Facebook posts and one in 100 tweets contain malware.

Gary McGraw, CTO of Cigital and a co-founder of BSIMM -- the Building Security In Maturity Model -- an organization that helps software developers build security into their products, believes that the awareness of the threats means there will be a lot of effort made to improve security for mobile devices. But, he notes, "This is a very complicated space. A lot of different people are responsible for different parts."

Those involved in the making and using of mobile devices range from carriers like Verizon and AT&T to device manufacturers like HTC to chip manufacturers and those who make operating systems like Google and Apple.

"They're all thinking very seriously about this problem," McGraw says. "But, the business model for mobile commerce hasn't really been laid out. It's hard to make risk management decisions when you're just trying to get ahead of your competitors."

He agrees that users are vulnerable, especially to things like third-party apps that have not been vetted. "You can wave your phone around and pay for gas," he says, "... or maybe pay for everybody's gas."

Zach Lanier, principal consultant at Intrepidus Group, agrees that security is sometimes left aside in the rush to gain a competitive advantage. He says developers are making the same mistakes they made in the world of PCs a decade ago.

"We're forgetting the lessons we already learned," he says.

Lanier says mobile security is "not an issue of browsers, per se." Mobile devices are vulnerable, he agrees, but not inherently more so than desktops and laptops.


It is a matter of scale, he says. "Let's say there is a bug, and the most current version of Android is fixed. But everyone runs different versions of Android. So in sheer numbers, they are more vulnerable."

Ultimately, a lot of security comes down to people -- end users. If they can be tricked into opening a malicious PDF file, technology can't block that.

McGraw and Lanier both say that in response, companies will become more active in mobile device management.

Still, "lack of savvy is not going to go away," Lanier says. To which McGraw adds, "You can't protect people from themselves."

Copyright © 2011 IDG Communications, Inc.
