The news about a significant number of malicious apps for the Android platform on mobile phones hit the news yesterday. Many comments still sounded a little surprised. However there is no reason for being surprised. Today's mobile phones are insecure by design. The vendors haven't understood that security is mandatory for long term success and they are still selling devices which are as secure as a PC in the mid '80s of last century. Unfortunately these devices are connected and have far more capabilities than the PCs of the early days.

The vendors (and developers of OSes) are just ignoring the need for built-in security. A PIN code is a ridiculous mechanism to protect a device which can hold that much sensitive data and which can be used to access sensitive corporate information. How about biometrics or other types of strong authentication? There are many potential solutions out there for mobile devices which are secure by design and still user-friendly.

In addition to the insecure devices and OSes, the concept of apps itself is insecure. How to manage apps for your corporate users? How to do DLP (Data Leakage Prevention) for apps? The concept of apps is as well insecure by design. Unfortunately, it is a good example for the wrong design principle "function follows form" - it should be "form follows function". But the concept of apps is about markets and money, about a "cool" concept and not well-thought, because it isn't secure (enough).

For organizations, the only consequence can be to review the policies for using mobile devices and massively restrict the professional use of devices which are insecure and have too many capabilities. That requires an analysis of which platforms are allowed for which use cases. You might argue that this won't work because even the managers want to use their gadgets. Correct, it isn't a simple task to do. However, in virtually every country there are laws which require that the board enforces an adequate risk management. Using insecure gadgets with access to sensitive corporate information (starting with eMail) is a risk which has to be mitigated by restricting the use of gadgets or more secure ways to use them. By not doing so (or even using insecure devices as a board member), legal requirements are ignored. I'd bet that the next hot topic for auditors will become mobile security...

For vendors, these new attacks hopefully are an alert which helps them to understand that security is a key requirement for long term success in the market. That might lead to invest more in security which is easy to use.

In the meantime we will see masses of point solutions and services to better protect mobile communication. Be careful with that - some might deliver a real value, others will turn out to be sort of placebos. But in any case, you first should have a strategy and policies for the secure use of mobile devices, before you invest in such point solutions and services.

It will be interesting to observe what happens in the next months. Will vendors wake up? Or will it need more and even more severe incidents for that?