Smartphone security software is still a niche market, but its time may be coming as smartphones grow more capable, more popular and more dangerous. Smartphone security opportunities for the channel include antimalware and mobile data encryption product sales, as well as the potential for managed services.
In the last few years, antimalware vendors have spread a fair amount of fear, uncertainty and doubt, suggesting that cybercriminals will exploit smartphones on a large scale. Some experts agree that smartphones will become major attack targets in the next year or two. Campbell, Calif.-based Infonetics Research Inc. forecasts that the market for mobile security client software, pegged at $113 million in 2008, will soar to $1.56 billion by 2013.
"It's imminent; it could be any time in the next year or two," said Jeff Wilson, Infonetics principal analyst. "It's really the confluence of operating systems, standard browsers, computing power on the devices, and users actually using [smartphones] to send and store sensitive information."
With that kind of potential on the horizon, experts believe it's worthwhile for VARs and system integrators to consider creating a business around smartphone security and management.
Why smartphones will be a target
As with PCs, smartphones have operating systems, browsers, applications and trusting users that can be exploited.
While there have been a handful of examples of smartphone malware in the wild, attackers have largely ignored this vector for the rich profits in exploiting PCs and their users.
Experts cite several reasons why this will change, not the least of which being the sheer number of smartphone users. There are about 600 million smartphones in use now, compared to about a billion PCs, but this ratio is rapidly changing. Smartphone purchases are now outstripping PCs 2 to 1, said Khoi Nguyen, group manager for mobile security for Cupertino, Calif.-based security giant Symantec Corp.
As more smartphone business applications emerge, workers may be more likely use them as their primary devices.
"We need to realize that these are not just phones we are dealing with, but small computers with great connectivity," said Jesper Svegby, director of development for the mobile group at Check Point Software Technologies Ltd., a vendor based in Redwood, Calif. and Tel Aviv, Israel.
Further, smartphone operating systems are moving to open source platforms. Although Windows, Symbian, BlackBerry and iPhone operating systems (OS) have been tightly controlled, Google's open source Linux-based Android platform is changing the equation, allowing developers to build apps without any central review or signing procedures. Additionally, Nokia is working on a non-Linux open source Symbian OS.
Most platform vendors have followed Apple's lead and opened app stores, which has led to a proliferation of applications, some of which may be vulnerable to exploit.
"The trend is to more openness, and that will fundamentally change things, as people use phones more like PCs," Svegby said. "Any teen or hacker can publish malware that anyone in the world can download."
At the same time, the iPhone, and now Android, have further fragmented the mobile OS market. Unlike PCs, which are overwhelmingly dominated by Windows, attackers have to choose which smartphone OS to exploit. Still, Wilson noted, the phones run a handful of standard browsers that can be exploited.
Enterprises rely on smartphone operating systems, primarily BlackBerry in the U.S. and Symbian in Europe, to protect data at rest on the smartphones, he said, but when criminals start generating malware to exploit data in motion, "everyone will need AV."
Smartphone security business challenge and channel opportunity
Sales and support opportunities for encryption are likely to grow as smartphones use more business applications, such as SAP, and store more corporate data. As discussed earlier, the potential for antimalware sales and support is enormous when smartphones finally become subject to widespread attack.
While encryption vendors offer mobile-specific products on their own, they are also included as part of their overall corporate endpoint encryption suites. Check Point's Svegby said PC encryption orders for, say 5,000 seats, often come with an additional 150 to 200 licenses for smartphone encryption.
Some vendors, such as Credant Technologies Inc. and Check Point offer only encryption products, others such as F-Secure Corp. and Kaspersky Lab Inc. offer only antimalware, and still others, such as Symantec and McAfee Inc., offer both encryption and antimalware. In terms of operating systems, most vendors support Windows Mobile and Symbian, and some support Palm OS and Blackberry as well. There have been reports that several vendors are working on iPhone antimalware, as well.
Another key area of smartphone focus for the channel is in management. Mobile security is difficult for enterprises to manage, particularly since employees often use their personal smartphones to perform common work tasks.
Wilson cited the example of a large hospital that used a network access control (NAC) product to get a profile of the devices connecting to its network. It expected to find about 8,000, but discovered there were actually 12,000. Most of those unexpected 4,000 devices were smartphones.
"They don't procure, own, control or even see a lot of devices," he said.
Even with their own devices, enterprises struggle with smartphone management, from troubleshooting and provisioning phones over the airwaves to simple asset inventory.
There is an opportunity for system integrators and VARs to help enterprises and even smaller businesses implement smartphone management, which includes detecting and supporting user-owned devices, depending on corporate policy. There are also opportunities to provide ongoing managed services to handle chores such as user provisioning and de-provisioning, remote software updates, help desk support and secure disposal.
"There's definitely a huge potential for those system integrators that are knowledgeable enough and able to launch services in this area, said Check Point's Svegby. "Enterprises do not have this knowledge and need specialists to either set up their mobile workforce and define it for them, or even host or manage the solution."
Symantec's Nguyen says traditional VARs, as well as system integrators, can assist in provisioning devices by setting up email, installing the appropriate security software, and retiring the device safely to ensure that user credentials and sensitive data is thoroughly erased.
"I can see mainstream IT resellers getting involved," he said. "Most of the key issues are less telecomm issues, but rather, are very similar to lifecycle issues around laptops.