Unauthorised access, stolen handsets, data theft, malware, phishing... Threats to the security of mobile devices are growing almost as fast as the choice and sophistication of the devices themselves. But who is most at risk from this growing number of threats? What is being done to combat them? And how serious are they in reality?

The problem of securing mobile devices like smartphones and PDAs is one that
challenges enterprises, operators and, increasingly, consumers. For enterprises, device security is essential, not only to protect the data stored on devices
and the corporate resources that devices are able to access remotely, but also to comply with a growing number of corporate governance regulations like the Sarbanes-Oxley and Gramm-Leach-Bliley acts which, although originating in one country or industry, have widespread impact.

For operators, whose primary security concern until recently was airtime theft, several additional factors now drive the need for security on mobile devices. They include avoiding revenue loss from—as well as the high cost of fixing—compromised
devices, protecting their brands, and providing confidence to customers in order
to encourage the use of advanced data services. Additionally, many operators are now
focusing on the revenue opportunities offered by security services in both enterprise
and consumer markets.

So what exactly are the threats that need to be faced? Several tasks can be considered to be within the scope of mobile device security. They include: 

  - Preventing unauthorised access to a device
  - Protecting data stored on a device, including its memory cards
  - Protecting systems and networks from being harmed through a lost, stolen or compromised device
  - Preventing malware and other unauthorised software from being installed or executed on a device
  - Preventing inappropriate use of a device.

But why is device security such a problem now? Jari Salomaa, security technology manager at Nokia, offers this perspective. “As mobile devices get more computing power become increasingly feature-rich, the likelihood of attacks against potential vulnerabilities exists. Increasingly, the most common attacks are not for fun but against users or systems to obtain critical data that can be exploited for monetary gain.” He suggests also that the way we use the devices plays a part. “They are always with us, they are usually on and they are more likely to carry information that is personal or private,” he points out.

Jesper Svegby, director of business development at Pointsec, a provider of encryption software for mobile data protection, agrees. “Five years ago, the information on a device was not much use to anyone apart from the user of the device,” he says. “Today we have the same information on the handheld device as on the laptop and, in most cases, the data is in clear text and not protected.”

Which leads, inevitably, to the next question: just how secure are our devices? Open operating systems, for example, are desirable from many perspectives, but arguably not from a security viewpoint. “One of the key challenges with mobile device security over the next few years is the propensity of open operating systems to be attacked by hackers,” says Paul Jacobs, CEO of CDMA pioneer Qualcomm.

Nokia’s Salomaa believes that operating system security issues are being addressed, however. “Platform security is the biggest breakthrough in security in recent years and it will significantly reduce the threat of security breaches on mobile devices,” he says. The company’s E-series phones are based on the Symbian 9.1 operating system, which incorporates platform security, and provides a range of advanced security mechanisms including VPNs and application signing. The company also offers a file encryption solution from PointSec.

Microsoft, whose Windows Mobile operating system is used by a number of smartphone and PDA vendors including Motorola, Samsung, HP and HTC, also defends its operating system. “The combination of Windows Mobile and Exchange Server includes the security features most requested by our customers such as data protection, password protection and remote and local wipe, and helps them to keep control of their vital information,” says Alex Reeve, director, mobile devices, Microsoft UK. He adds that the Windows platform provides support for third party solutions for even greater protection and that the company works closely with partners like F-Secure and Symantec, both of which are major names in data protection.

As for how seriously we should be taking security threats, at a conference last October, Paolo Simoes, messaging architect at MTN Portugal, suggested that concerns over mobile security might be overstated. “Our feedback suggests that the opex of many security solutions are higher than the real risk,” he said. After conducting extensive trials the company decided to select the best-of-breed solution for each type of threat.

Jan Volzke, mobile director of anti-virus software and intrusion prevention specialist McAfee, offers a different perspective. “One of our customers estimates that the cost to disinfect 400 devices was €150,000 (about US$197,000) and another estimates that the cost of disinfecting a phone is equivalent to the average annual subscriber revenue,” he says. The company’s security solutions are embedded in over 30 million devices at NTT DoCoMo and the company is in discussion with a number of handset vendors about embedding its security solutions into device operating systems.

Regarding the current scale of threats, Volkze says: “There are over 200,000 known [forms of] PC malware but only 350 on mobile phones. Of those the majority affect the Symbian operating system. Less than ten affect Windows and only three affect J2ME.” However, he admits that the concerns over viruses on mobile phones could be overstated. “Viruses are not the greatest concerns at present”, he says. “Operators are finding dealing with phishing and spamming increasingly problematic and costly.”

Currently the best mobile device security solutions will contain many of the items shown in Figure Two. Of these, application management—the ability to determine whether an application is permitted to run on a particular device and, if so, when and by whom—is of particular interest to enterprises, since employees are often responsible for security breaches. Mossec, a provider of centrally managed device security solutions whose system is used by BBVA and the Spanish Royal Household, takes an interesting approach to application management: the company operates a ‘white list’ system that enables enterprises to ensure that only applications that have been granted explicit permission are able to run on the device. “With mobile anti-virus, a third party decides what is wrong, and the system might need daily updates,” says José Luis Maté, the company’s CTO. “Furthermore,” he adds, “for some enterprises, the playing of games or the use of IM might be a bigger problem than viruses.”

Carsten Brinkschulte, CEO of Synchronica, a UK-based developer of device management and synchronisation systems, believes that security management requirements for mobile devices are different from those for PCs. “It is important to choose a solution that was designed for the mobile environment instead of one that is retrofitted,” he says. “In the mobile environment, connections break and the features that you want to manage are different.” The company developed the famous ‘scream’ feature for mobile phones. In addition to locking and wiping a lost or stolen device, network administrators can force the device to issue a loud alarm that continues even after the battery has been removed and replaced.

Kushwaha, CTO of mFormation, a developer of device management solutions, whose system is used by Vodafone, Telefonica and T-Mobile, adds another perspective. “It is important to understand that this is not the traditional IP world,” he says. “Management takes place over licensed wireless spectrum and this means that there is invariably a relationship between the enterprise and the service provider and various cost factors come into play.” He goes on to say that as carrier and enterprise worlds converge, it will be better to take the operator approach and modify it to suit the enterprise than to take the enterprise approach to the operator.

Qualcomm’s Jacobs agrees. “I think the culture of managed services and managed devices will overtake the open platform culture of IT because people will not tolerate the crashes and general levels of inconvenience with their mobile phones that they do with their PCs,” he says.

This argument is supported by the experience of US carrier Sprint. After a six-month trial, the company launched its managed security service last September and reports considerable interest from large corporations as well as SMEs. “Device management is nice to have but security hits a very identifiable ‘pain point’ in organisations,” says Stephanie Burnham, group manager, product marketing. “For our customers, information security is vital and applications cannot be rolled out without first addressing the security requirements.”

Mark Whiteman, CEO of RemoteXT, a UK provider of device management and security services, believes that end users are also very concerned about device security. “Information theft is also a major concern, with users’ biggest worry being their data falling into the wrong hands,” he says. The company provides managed network and security services to enterprises that includes backup and restore.

There has, however, to be a trade-off between security and usability. ”When left to users alone, mobile security is certain to fail,” says Yad Jaura, VP of global marketing at Appear networks, a provider of context-aware enterprise mobility solutions. “A better way is to understand the situation of the user and have the platform (rather than the user) ensure data security. This is security in context, and means that security can be utilised when and where it’s needed, leaving users to concentrate on the job in hand.” The company is partnering with Cisco in a number of enterprise deployments.

As with other aspects of mobile communications, standards have an important part to play in mobile security. The many organisations involved in standardising device security include the Trusted Computing Group, the Open Mobile Alliance (OMA), the Liberty Alliance, the Jericho Forum and the Mobi Forum. The OMA leads mobile terminal standardisation and its security working group is currently working on application layer security specifications that will describe how identification and authentication, confidentiality, integrity and accountability will be provided in the application layer protocols.

Device security cannot work in isolation. It needs to interact with other device and system functions such as digital rights management and content management. It also needs to fit within (and be deployed and supported by) an overall device and systems management solution. “It is crucial to manage our client just as any other application on the device,” says Pointsec’s Svegby. “Therefore, OMA device management is one of the most important standards today.”

John Rhoton, mobility lead, Advanced Technology Group, HP Services, agrees. “The challenge of securing the access and content [of lost and stolen devices] is compounded in an enterprise environment by the need to enforce security mechanisms comprehensively across the entire employee population,” he says. “This necessarily involves a limited degree of mobile device management, at least to ensure compliance.”

The e-commerce world offers slightly different challenges, however. In fact, Liisa Kanniainen, VP at Nordea Bank and workgroup executive at Mobey Forum, a global financial industry-driven forum, whose mission is to encourage the use of mobile technology in financial services, cautions that when it comes to the use of mobile devices for e-commerce transactions, operators and technology vendors are not the final authority on the desigh of security solutions. ”It is important to distinguish between informational security and transactional security,” she says. “With transactional security, the risks can be much higher because an individual’s or organisation’s entire asset portfolio could be at risk. This means that the issuing institution, the entity that is carrying the financial risk, is the one that ultimately needs to decide on the most appropriate security mechanisms.” The announcement in December of the strategic alliance between mFormation and Visa to develop mobile payments solutions shows the compelling logic of this argument.

Despite some of the concerns about their security, mobile devices can still be a critical component of a security process. Tyntec, an enterprise-grade SMS routing vendor that guarantees delivery of SMSs within 15 seconds, reports that its infrastructure is being used by a number of banks to deliver one-time passwords using mobile phones.

Although a great deal of attention is focused on smartphones and PDAs, an increasing array of devices like iPods pose equivalent or even greater risks. “The storage capacity of inexpensive USB devices has created a data management and security nightmare that is now recognised worldwide,” says Paul Huntingdon, EMEA sales director at mobile data security specialist Credant Technologies. “Organisations can no longer ignore the threat of portable devices and need automated solutions that centrally detect, protect, audit and enforce security. Without this, the ability to cost-effectively and quickly close these security gaps is impossible.“

Protecting the mobile user entails a lot more than protecting the device. A sophisticated phishing attack can easily be disguised as a friendly SMS. There is general agreement in the mobile industry that user education has a critical role to play. Ultimately the mobile industry faces an interesting challenge: until enterprises and consumers are convinced about the security of devices the uptake of some products and services will suffer. But interestingly, the adoption of strong security at the expense of usability is also likely to yield similar results.

It is in operators’ and device vendors’ interest to solve device security problems because otherwise they risk endangering their brands and missing out on revenue opportunities. Luckily, they are grasping the nettle and the good news for both groups is that managed services seem to be of interest to both enterprises and consumers.

This article first appeared in 3GSM World Focus 2007 published by Informa Telecoms & Media

Abraham Joseph is Founder of  the Device Management Forum and Managing Partner of Inteligentis, a UK based research and consulting company. You can contact him at This e-mail address is being protected from spam bots, you need JavaScript enabled to view it  or This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .