Piecemeal mobile security tools inadequate

Industry players stress need for holistic mobile security regime, safeguarding everything from network and data to devices and apps installed on them.

The current level of mobile threats is yet to fall in the range of "significant crime", but with the next generation of mobile handsets set to support near-field communications (NFC) and spark off more e-commerce and financial applications, it is likely that more "professional" cybercriminals will target this space.

Thus, it is no longer enough for consumers and IT departments to adopt a piecemeal approach to securing their mobile devices, say security vendors. In fact, a holistic security regime should range from protecting one's corporate network and devices to managing the types of apps downloaded onto these devices, they urge.

Ken Low, director of enterprise security for Asia-Pacific at Trend Micro, said there are a number of mobile threats appearing on various app marketplaces that may be malicious and steal people's information, hijack accounts and send premium SMS messages. These, though, do not reflect what the security vendor considers as "significant crime" at this point.

Additionally, there is no "real concerted effort" to target e-commerce or banking applications, he said.

The security situation is likely to change in the near future though, Low said. With the introduction of the next generation of handsets that would support NFC, a larger percentage of the consumer market will begin to adopt more e-commerce and financial applications.

"Once cybercriminals realize that they will be able to increase their profits from such technologies, we expect a much larger, more serious targeting of the mobile landscape by 'professional' cybercriminals," the director said.

Antivirus not enough
Low therefore urged IT administrators to reconsider buying off-the-shelf solutions without considering the specific needs and profile of their corporate network, as these tools may not be able to properly manage the influx of mobile devices.

Conversely, he pointed out that some mobile device management (MDM) software does not come with a security component such as antivirus or reputation-based Web and file protection, while other security tools might not have the means to manage data remotely via features such as remote wipe.

Ronnie Ng, senior manager of systems engineering at Symantec Singapore, agreed that many security vendors still offer only point products that do not fully mitigate today's risks, particularly with the ongoing IT consumerization and bring-your-own-device (BYOD) trends.

"What is important in the mobile world is that security providers have to be able to encrypt the device, to authenticate the user, to protect the data that may end up on that device, and be able to manage that device," Ng stated.

To this end, the security vendor had acquired Nukona in March this year to extend its mobile application management (MAM) capabilities, which are aimed at helping IT organizations protect and isolate corporate data and applications across both corporate and personal devices, he said.

Low also said mobile security tools should not only focus on device management but pay attention to app management. This means being able to scan apps that users download onto their devices and, subsequently, to secure the app marketplace environment to ensure only known, malware-free apps are listed, he explained.

Keeping phone-based data secure
Another major issue currently in the mobile payments security landscape is the hacking of PIN codes that authorize phone-based payments and the storing of payment card data.

To secure mobile payments specifically, vendors should position the Universal Integrated Circuit Card (UICC)--which runs the SIM application on most mobile devices--as the secure element, suggested Michael Au, vice president of telecommunications at Gemalto.

He noted the UICC contains hardware and software similar to that of smart cards and is able to provide banking-grade security. As long as vendors treat the UICC as the secure element, Au believes there are already safeguards on the platform to protect financial information on mobile devices, and these are adequate to protect users' mobile transactions and their trust in mobile payments.

Frost & Sullivan's Asia-Pacific research director Jafizwaty Ishahak earlier stated that smart cards are safe because these contain elements such as triple data encryption system (DES) and are made from multi-chip unit-based (MCU) cards that are considered highly secure and intelligent.