Smartphones are great tools, but at what risk?


Hands up if you own a smartphone and feel secure. If so, maybe you haven’t been following the upward trends in Bluetooth vulnerabilities, Symbian worms and ordinary theft.

Mobile phones are steadily evolving into smartphones, whether we want them to or not. Sony has even taken the step of backing out of the PDA market, choosing instead to back its Sony-Ericsson smartphone line.

Manufacturers are cramming new features into these devices, and almost inevitably security is the last thing on their minds. As the devices become more complex, the "surface area" for attack increases and as popularity grows they also become a more attractive target.

The result was predictable, possibly even inevitable: a worm attacking Symbian smartphones has been spotted in the wild, and while not particularly successful, it is surely the first of many to come. Then we have the Bluetooth vulnerabilities which can allow limited (for the time being) access to data on your mobile device.

Simply put: mobile device manufacturers have not paid enough attention to security. Until they demonstrate serious commitment to do so, users may have to make a tough decision whether to use these devices at all.

Look at Windows for an object lesson these vendors have failed to learn. Microsoft packed new features into its products to please every whim of its target market and thereby created a dream platform for hackers. As a result, the company has had to spend enormous resources to fix the problem it created, and is still (even after all that effort) working on it. Can you justify purchasing products from a handset vendor who may be going down the same road, making the same mistakes and leaving you with the same mess to fix?

Certainly the latest gadgets are fantastic business tools. Email, access to corporate applications, internet browsing. They can even make phone calls. But can you risk it? What use is your shiny new VPN client software for your smartphone if I can exploit the underlying Symbian OS and leapfrog from there into your organisation? The possibility of blended threats is particularly disturbing.

It will also be interesting to see what emerges as the target of choice for attackers. I keep hearing the argument that viruses target Windows because it has wider deployment than other operating systems. If this is true, surely there should be more worms targeting the Apache web server than Microsoft's IIS. Apache, after all, has more than three times the market share, if you believe Netcraft's monthly surveys. Yet there have been a very small number of worms targeting Apache compared to many on IIS. Either Apache is a more secure product, or the argument is bogus.

Will we see similar patterns emerging in mobile phones? Unless some real effort is made, and made soon, yes, I believe so.

Copyright © SC Magazine, US edition
