Imagine this. Take your 10 year old PC, running Windows 3.old, hook up every kind of wireless and networking technology it will still support, put all your most valuable data on it, turn it on, and then take it on a cross-country trip in your caravan. Sound like a great idea? Probably not. But we do this all the time – with smartphones. Mobile computing is the Wild West of IT security. It is estimated that 5 percent of all Android or iOS devices will become infected at least once by viruses or trojans by 2012. Consumers are not aware of the problem, and industry isn’t sure what it can do about it. I know of people laboring under fairly draconian IT policies who actually network their phone to their desktop (called “tethering”) in order to bypass their company’s networking safeguards.
Worse, everything seems to be headed in this direction. Pundits say that tablets are going to replace our desktops. And for some reason, people seem to love dumping all the free software they can find on the Intertubes onto the same machine they use to log into their bank. And I’m still talking about smartphones.
It’s the sexual revolution of computing.
So what led us here? Why did we take such a huge step backward? One big reason is that the Mobile security model is flawed in several important ways.
First, the sandbox model is a broken model. Virtually all smartphones use a tiered operating system, where a privileged lower layer, the real operating system, provides an upper-tier sandbox environment in which apps run. Some tinkerers (like me) “root” their phones, gaining access to the underlying operating system so that we can customize the phone in ways not possible from the sandbox, or add security or features. This risks turning the phone into a useless lump of plastic and glass, however, and requires a certain level of technical knowledge to achieve with some level of safety. Manufacturers and OS vendors certainly don’t condone it, and it can void your warranty. Some modifications are even illegal. Sounds reasonable, right?
The problem is that this model offers malware authors a huge advantage. Would-be security solutions are relegated to playing inside the sandbox, while malware can exploit flaws in the phone to break out of the sandbox and run where the security software can’t follow. A few security solutions do exist that run beneath the sandbox, but companies are leery of adopting them for a wide variety of reasons. This is a truly unsustainable security model, and it appears that it’s simply not going to be fixed.
Second, smartphones are loaded with all sorts of features that are anathema to security. Just in terms of wireless communication, my most recent phone has probably three different cell phone bands (each with varying degrees of insecurity), Bluetooth, Wifi, and Near-Field Communication (NFC). And I’m probably forgetting a couple (receiving GPS signals isn’t generally a security threat). And of course there are the browsers and web technology, probably the largest source of software vulnerabilities in use today. So in addition to all the man-in-the-middle attacks possible (and demonstrated), there are the same client-side attacks we seem to fear more on PCs.
Finally, smartphones are Mobile, with a capital ‘M’. The whole point of the device is to take it everywhere you go – the commute to work, the cramped plane, the train station, conferences, hotels when you’re on vacation. You’ve probably got your cell phone with you and turned on more than your significant other. Like I said, the sexual revolution of computing.
All of these factors – hamstringing security solutions, loading on features (aka attack vectors), and Mobility – have a multiplicative effect on insecurity. If we were to mitigate any one of these factors, our phones and our digital lives would be a whole lot more secure. With mobile malware up 273 percent in the first half of 2011, it just doesn’t appear that any of these issues is getting addressed any time soon.