Speaking at the RSA Conference 2011 in San Francisco this week, Ed Amoroso, security supremo at AT&T, also advised IT managers to skill up and use 2011 to prepare themselves and their networks to deal with future threats.
While fake free versions of popular games such as Monkey Jump and Angry Birds are appearing outside the iTunes App Store, tempting people to download suspect code onto their phones, unchecked Android apps were also making their way onto mobile handsets which workers carry onto corporate networks.
Some, like a wallpaper app detected on the phone of a Citibank employee, collected much more user information, including contact database, Wi-Fi addresses and IMEI number, than was required for their operation, and sent it on to servers in China, according to John Hering, CEO of Lookout, a smartphone security company. Such information could give hackers means to impersonate a trusted device and penetrate a network.
'They are silly, they're whimsical, they cost 99c and they are fun. Guess what, your software has to be resilient. It has to work and we have to rethink the infrastructure for that portion of the mobility side,' said Ed Amoroso, security supremo at AT&T in the US.
Amoroso also warned app and operating system developers to speed up their vulnerability patching lead times to help curb threats. He said patching had to be reduced from seven months to seven days to counter the explosion in smartphone app popularity and the increasing number of proof-of-concept malware.
'It's a big problem but we shouldn't have to do it in the first place. We shouldn't have to put duct tape on software. It's kind of a mess, right? You (IT manager) have to do it yourself or the IT guy has to through the app store at their leisure,' he said, ruling out over-the-air patching by the carriers as 'the nuke option'.
Anti-virus with automatic updates was not the answer because it used too much bandwidth and battery power, he and other speakers said.
Martha Vazquez, research analyst information & communication, Frost & Sullivan, said the mobile threat landscape today is not exactly what vendors expected five years ago.
'The introduction of smartphones entering the corporate world has become challenging for IT admins. Today, the threat is not so much, how much money will (they) lose, but more about how can (they) manage all these different devices and protect the data that is on the phone. This appears to be the biggest threat to enterprises today,' Vazquez said.
Mobile industry experts stopped short of predicting this year will be the year of mobile threats as they have been doing for the last decade, but warned there will be more repurposed applications and Trojan apps.
'Over the next two years, carriers will be rolling out 4G networks which are an IP infrastructure for mobility at speeds that are going to be pretty attractive for hacking,' Amoroso added.
Lia Timson is attending RSA Conference 2011 as a guest of Microsoft. She's on Twitter @liatimson.