Mobile device adoption is poised to overtake conventional computers (laptops, desktops, etc.). Mobile devices may include smart phones, cell phones, personal digital assistants, netbooks, tablet devices, and the like. With the proliferation of mobile devices and their associated operating systems and applications, mobile security poses a significant threat to enterprises, service providers, and the like. That is, enterprises are struggling with the consumerization of Information Technology (IT). With the proliferation of mobile devices within the enterprise, IT administrators can no longer ignore these devices as outside their scope of responsibility. Further, these devices are now as powerful as laptops. Users may access corporate data and the Internet through wireless networks such as Wi-Fi hotspots or cellular 3G/4G that are not controlled by IT. With many corporate applications being hosted in the cloud, the risk is even higher. Ensuring the security of corporate data is no longer a matter of deploying adequate measures within the organization. It is imperative that security and policy travel with users wherever they are, on whatever type of device they use. Unlike the personal computer (PC) world that is dominated by a few main operating systems, the number of platforms and device form-factors for mobile devices is much higher, as is their churn rate. IT needs a solution that is easy to deploy, supports multiple mobile platforms, and provides consistent user policy enforcement across PCs and mobile devices.
There are two primary challenges that affect IT organizations as the proliferation and adoption of mobile devices increases within enterprises. The first challenge is that the line between enterprise and personal usage is getting blurred on mobile devices. These devices run the gamut of applications, from Facebook, YouTube, and Pandora to enterprise apps like email and sales force automation. Since the enterprise typically does not own the device, enforcing policies for acceptable usage or installing application controls like a traditional IT administrator would on a corporate PC is often not viable. There is an increased risk of exposing corporate data on mobile devices since they roam and connect to multiple Wi-Fi and cellular 3G/4G networks. Traditionally, web security protections have been enforced either by way of a gateway web proxy at an enterprise's egress to the Internet or via signature-based anti-virus protections installed on the user PC. With mobile devices, there is no obvious point of enforcement like an enterprise proxy. To complicate matters further, enterprise data is rapidly migrating to the cloud. As a result, an employee's mobile web transactions may never hit the enterprise network while accessing critical cloud-hosted data.
The second challenge is that security apps for mobile devices are expensive to develop and often ineffective. Unlike the PC world, which is dominated by Microsoft, there are several different mobile operating systems—Apple iOS, Android, Windows Mobile, Blackberry, Symbian, etc. Each platform has its own software development environment, and a security vendor developing mobile security applications will have to replicate the effort across various platforms. Further, some platforms such as Apple iOS do not allow traditional anti-virus applications on their platform. Loading third-party applications not approved by the platform vendor may lead to violation of contract and often requires “jailbreaking” the device—definitely not an enterprise option. Even if security applications are allowed, they are a headache to deploy, require constant updates, and are easy to circumvent—the user can simply uninstall them if they dislike them. Worst of all, they impact device performance and degrade user experience by stretching the already limited processor and memory resources on the mobile device.
With the advent of mobile devices, there has been an explosion of custom-built applications that users can download from various mobile markets such as the Apple App Store and the Android Market. The Apple App Store has over 250,000 apps and recently crossed the 10 billion download mark. The Android Market is close behind. Needless to say, mobile application stores' download revenue is experiencing exponential growth. While some platforms force developers to get their apps approved by the platform owner (e.g. Apple), others do not. Regardless, with the explosion of apps, several security and privacy concerns have emerged. Exemplary security concerns include Google removing banking applications from the Android Market for a while last year because a hacker posted fake banking apps to harvest usernames and passwords. In December 2010, the Wall Street Journal provided a detailed analysis of popular apps that were leaking private user information (location, contact information, subscriber IDs, user credentials, etc.) to third-party sources, often without the knowledge of the user. Furthermore, sophisticated botnet-type Trojans are beginning to emerge for mobile platforms. This, coupled with the fact that browsers running on mobile devices are as capable as PC-based browsers running JavaScript and HTML5, makes mobile platforms even more desirable targets for web-based exploits, given that the devices are always accessible and online and thus more likely to be impacted by a short-lived attack.