It’s the phone industry’s dirty little secret: As humble “handys” (as German’s quaintly persist in calling mobile handsets) morph themselves into miniature editions of full-fledged computers, the danger of its being attacked by hackers or compromised by malware is growing, cancer-like and unseen. And while many people were discussing security issues this at this year’s GSMA Mobile World Expo in Barcelona, they did so mostly in a whisper.This was in contrast to the brazen self-promotion on display everywhere else on the Montjuïc fairgrounds where the operators, designers, manufacturers and integrators regularly meet to dance around the golden calf of mobile communication. In many ways, it brings back to mind the heydays of the CeBIT expo in Hannover, which still clings doggedly to its reputation as the World's Largest IT Show despite bleeding exhibitors and visitors for years now. Back then, nobody bothered to talk about security, either - there were so many much more exciting topics to discuss.
Well, now that mobile phones are as smart, or smarter, than PCs a couple of years ago and voice communication seems almost like an afterthought, security should already be a major issue. But at least in Barcelona, the young, eager developers who congregated at the "Apps Planet" in hall 7 sponsored by Vodafone were only interested in showing off their hot new snippets of software and dreaming collectively about the golden future that awaits them.
For those of us, who like the author have been there and done, this kind of bubbly exuberance that leaves small room for critical questions seems like pure "déjà-vu all over again". The mobile industry is in danger of having to repeat history because they refuse to learn from it.
Anyone brave (or foolhardy) enough to ask pointed questions about app security in Barcelona was himself in danger of being laughed off the stage. "How d‘ya mean, security? Isn't that what the SIM card is for?", a developer hardly old enough to shave asked with unconcealed scorn. What he worry? His brand-new iPhone app had just been downloaded 10,000 times!
Yes, the apps market is experiencing exponential growth, with more than 100,000 of them available from Apple's AppStore alone; not that anyone could verify that number, since Apple chose to stay away from Mobile World just like they will remain absent at CeBIT again this year. Other vendors were more than glad to fill in. „18.000 Android apps - and counting", a Google spokesman claimed. Blackberrys "App World" is said to be booming. Pieter Knook, head of Internet Services at Vodafone, talked of „more than 7,000 apps" since introduction of their developer platform, "Vodafone 360". People responsible for Nokia's „Ovi Store" say it boasts over 6,000 apps. And at the Microsoft stand in Barcelona, where they were busy demonstrating the brand-new Mobil-OS, „Windows Mobile 7", similar numbers were bandied about.
The list just goes to show why the mobile industry can still afford to continue to neglect security concerns. With at least six major operating systems competing out there (seven, if you count Palm's "Pre" which was barely visible in Barcelona), diversity is probably the best protection you can get against hackers and viruses. But how long will it last? Late last year, reports began to sicker in about malware attacks against Apple iPhones. And the German government's Agency for IT Security, BIS, seem to be gradually changing their mind about mobile security. Until now, their line has been that "smartphones appear to be safe". Now, they're hedging by admitting that "it does not seem impossible that, in the near term, malware programs will be distributed through mobile phone applications."
Someday soon, the starry-eyed kids with heads full of dreams about instant prosperity will have to wake up to the bitter fact that apps are nothing but tiny computer programs, and as such vulnerable to attack. Besides, mobile apps are increasingly transmitting sensitive personal data. It doesn't require any great leaps of imagination to predict that the apps market will soon be suffer from the whole Pandora 's Box of headaches that "normal" software programmers experience every day. They, too, will have to deal with gaping holes caused by sloppily-written code, with compliance issues (in case you forgot: under European data protection law, personal data may not be physically moved outside the borders of the EU! Mobile networks, on the other hand, are global by nature...) as well as mobile identity theft.
Mobile app developers need to learn from past experience in computer software, and they need to learn fast. In the "old" world of IT, developers are at least starting to realize that the only way to achieve strong security as well as adhering to external and internal GRC (Governance, Risk Management und Compliance) policies leads through Identity & Acces Management. Only if you know who is doing what in your system and whether they are authorized to do so can rest assured that everything is running on track - and within the legal fences.
The much-hyped "apps economy" is in danger of becoming a victim of its own hubris. Even now, critical voices are being raised such as that of Mark Suster, a partner at GRP, a venture capitalist, who recently quipped in his blog that "app is crap!" He thinks the fledgling apps industry will soon collapse like a punctured balloon.
Not only would that be a crying shame; it would be a catastrophe, and a self-inflicted one at that. Apps security has to move quickly from something people talk about behind their hands to one that will guide the mobile industry into a bright - and secure - future. If not, "crap" might actually turn out to be an apt way of describing the resulting mess.