Mobile Security: Where Risk Meets Opportunity: Part 1

Yesterday’s road warriors lugged laptops, but a growing number of mobile professionals now carry internet-capable PDAs and smartphones. These increasingly usable and well-connected mobile devices are finally seeing significant business action. But most lack the basic security measures widely used to protect laptops. Many companies have started to recognize the risks posed by unsecured mobile devices used for business. ISPs can tap this new revenue opportunity by offering mobile security solutions.

A growth market
Until recently, PDA and smartphone adoption moved slowly, hampered by limited device capabilities and slow wireless links. But last year, device and network innovations finally put a kink in that curve. According to Canalys, global PDA and smartphone shipments jumped 75 percent between 3Q04 and 3Q05.

By mid-2005, Gartner estimates that PDA adoption had reached 47 million—about half the installed base of laptops.

Many mobile devices are purchased by individuals, without employer funding or blessing. But business use is quite common, especially among executives, sales, and other on-the-go workers. In a Pepperdine University survey, 38 percent of US professionals said that they had used their PDA to access their company’s network. By 2007, IDC predicts that 90 percent of enterprise mailboxes will be accessed from mobile devices.

This surge in mobile device use is creating many new revenue opportunities, from mobile network services and business applications, to mobile device management and security. Gartner reports that mobile data protection sales were greater in 2004 alone than for the previous three years combined, and IDC projects that $1 billion will be spent on mobile device security in 2008. A diverse crop of security software vendors, old and new, are jockeying for position in this growth market.

ISPs are in a great position to re-sell and deploy mobile security products to individual subscribers, SMBs, and enterprise customers. Doing so can expand an ISP’s portfolio, make existing internet service packages more attractive, and avoid customer erosion by 3G wireless carriers. For example:

• Any ISP that already sells secure remote access services or software for laptop users can complement that offering by adding similar measures for PDAs and smartphones, helping to retain customers as workforces shift to using mobile devices.
• ISPs can capitalize on today’s unmanaged mobile device fleet to fix a growing problem not yet addressed by corporate IT. Customers who appreciate the risk but lack mobile security know-how may be happy to offload that job to a service provider with whom they have an existing relationship.

To help you determine whether mobile device security represents an opportunity for your business, this article explores today’s mobile devices, their built-in security features, and after-market products that can be used to augment those capabilities.

Mobile devices and operating systems
Personal Digital Assistants (PDAs) and cellular phones are rapidly converging into what many generically refer to as “smartphones.” Gartner defines a PDA as a data-centric handheld that may include a cellular radio. IDC considers any device that offers cellular voice to be a mobile phone or a converged device (aka smartphone). No matter how you slice the pie, many mobile devices shipping today offer more than one wireless interface:

• Bluetooth for peripheral (e.g., earbud or PC) connection,
• Wi-Fi for internet hotspot and corporate WLAN access, and/or
• 2G/3G wireless for voice, messaging, and mobile packet-switched data.

Older devices relied on “graffiti” pen-strokes or telephone keypads, but newer devices use thumb-wheel menu navigation and tiny QWERTY keyboards to better support e-mail and other text-based business applications. Personal Information Manager (PIM) applications (e.g., contacts, calendars, tasks) are still common, but are now frequently accompanied by internet clients (e.g., web browser, POP/SMTP e-mail, instant messaging (IM)), multimedia applications (e.g., media player, photo capture), and document viewers or editors (e.g., Acrobat, Office Mobile). Of course, the data associated with these applications also requires space: 64 to 128 MB of RAM and 2 GB removable storage are now typical.

Mobile devices are not limited to these factory-installed applications. A healthy crop of after-market consumer and business applications have emerged for mobile devices that offer APIs and SDKs for third-party development.

However, porting applications to mobile devices is no simple task—capabilities vary across devices and models, and processors and operating systems are very different. Most of today’s mobile devices run one of the following operating systems:

Most of today’s mobile devices run one of the following operating systems:

Windows Mobile: The latest member of the Microsoft Windows CE operating system family used to power PDAs and smartphones. According to Gartner, Windows Mobile topped the 2005 PDA OS market at 46 percent. However, Windows represents but a small fraction of smartphone sales. Earlier generations of this OS were called Handheld PC (HPC) and Pocket PC (PPC), as illustrated by this timeline. This article focuses on Windows Mobile 5, which has two variants: one for full-function PDAs and another for limited application smartphones. For example, consider the Verizon Wireless XV6700: a Windows Mobile 5 PDA with Microsoft Office Mobile applications, slide-out QWERTY keyboard, Bluetooth, Wi-Fi, GRPS, and EV-DO wireless.

Symbian OS: Runs on smartphones sold by Nokia, Sony-Ericsson, and many other cell phone vendors. According to Canalys, Nokia’s Symbian OS sales represented nearly 55 percent of the smartphone market in 2005. Although Symbian started as a phone OS, it has grown increasingly powerful. The current version, Symbian OS 9, includes several built-in application services, as well as APIs for third-party application development. For example, consider the Nokia N80: a Symbian S60 smartphone designed to enable internet, e-mail, web, and multimedia access over USB, Bluetooth, Wi-Fi, GSM, and UMTS 3G wireless.

Palm OS: Several generations have powered Palm PDAs and Treo smartphones. Palm OS ranked third in the 2005 PDA market and a distant second (8 percent) in 2005 smartphone sales. Most devices manufactured by Palm run the Palm OS, but Palm now also sells a Windows Mobile smartphone. At this time, the most recent Palm OS is version 6, also known as Cobalt. For example, consider the Treo 700p: a Palm OS 5.4.9 smartphone with Microsoft Office Mobile applications, integrated QWERTY keyboard, Bluetooth, cmdaOne, 1xRTT, and EV-DO 3G wireless. Note: Sibling Treo 700w has similar hardware/features, but runs Windows Mobile instead of Palm OS.

BlackBerry OS: Runs on handheld devices sold by Research In Motion (RIM). In fact, BlackBerry is really the trademarked name for devices that run RIM’s OS. RIM placed second in the 2005 PDA market and ranked third (7.5 percent) in 2005 smartphone sales. Third parties can now develop BlackBerry software using APIs offered by this proprietary OS, currently at version 4. For example, consider the BlackBerry 8700c: a Bluetooth-enabled handheld that uses GSM, GPRS, or EDGE wireless for voice, internet, or corporate data access via BlackBerry Enterprise Server (BES) for Microsoft Exchange, IBM Lotus Domino, or Novell Groupwise.

There are, of course, other mobile operating systems—including dozens
of mobile devices run unique incarnations of embedded
Linux. (Efforts are now underway to create a uniform
Linux environment for mobile devices.)

In Parts 2 and 3 of this article, we will explore security capabilities
and solutions for these dominant mobile operating systems.

This article was first published on ISPPlanet.com.