Another similarity between the mobile industry of today and the PC security outlook at the turn of the century is that OEMs and mobile carriers have no incentive to secure this vulnerability during the product development life cycle, Auerbach says. The faster smartphones are developed and pushed out to market, the more money companies like Qualcomm and Apple stand to make. With the way the smartphone market has grown lately, they likely won't be slowing down any time soon - a recent IDC report showed 42.5 percent year-over-year growth in worldwide smartphone shipments in the first quarter of 2012.
Although he says he does not know the exact cost it would entail, Auerbach believes that "it would be significant to overhaul the encryption that's used." As long as OEMs and carriers aren't feeling any pressure to make such a significant change, they will continue pushing more smartphones through the assembly line as is.
Herein lies the difference in security for smartphones and PCs. Just over a decade ago, then Microsoft CEO Bill Gates wrote a memo to the company's employees that set off the industry-changing Trustworthy Computing initiative. From 2000 to 2003, the number of Internet users across the globe nearly doubled, from 389 million to 759 million, and a large-enough security threat could affect roughly 12 percent of the world population. With numbers this staggering, Gates was compelled to ensure Microsoft "customers will always be able to rely on these systems to be available and to secure their information."
Ten years and 1.5 billion new web users later, Trustworthy Computing seems to have made a difference. Microsoft has since come up with the Security Development Lifecycle, for example, to instill security and privacy considerations before new products come to market.
Whether the mobile industry will receive a similar call to arms remains to be seen, but Auerbach, for one, is less than optimistic. Because the smartphone market is not showing any signs of becoming as monopolized as the PC market was in 2002, Auerbach says any federal legislation aimed at improving cybersecurity, such as CISPA or the SECURE IT Act, "should at least be thinking about incentivizing companies to care about security." So far, partially because lawmakers are unaware of these threats and partially because those tasked with educating them have their own agenda, solutions to that problem are "nowhere to be found," Auerbach says.
"I think, unfortunately, members of Congress are not very educated about real security issues and real problems, and instead they are taking their cues from interested parties, for example the intelligence community, as to what needs to get passed," Auerbach says. "Unfortunately, the result is that the legislation is not focused on the relevant issues, such as mobile, and instead it tends to become blanket legislation."
An increase in user education about the privacy and security issues with their smartphones could help the problem, as could improvements in sharing information about and patching newly discovered mobile software vulnerabilities, Auerbach says. However, OEMs and carriers are unlikely to respond until they have to, after a major security issue puts their customers directly at risk, he says.
"Unfortunately, it might be the case where it will require some sort of big, newsworthy event where users' privacy is compromised in a big way," Auerbach says. "I hope that's not the case. I hope that we can kind of improve security without that, but unfortunately I think it's going to take a lot of press coverage to get mobile platform vendors and manufacturers to really start caring about this issue."
Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World. Follow him on Twitter https://twitter.com/#!/ntwrkwrldneagle and keep up with the Microsoft, Cisco https://twitter.com/#!/ciscosubnet and Open Source community blogs. Colin's email address is firstname.lastname@example.org.
Read more about anti-malware in Network World's Anti-malware section.