There's been some talk recently about mobile security, with companies like McAfee and others making acquisitions in the space, and companies like Lookout raising impressive VC-funded warchests. The problem is that there's just no way the mobile "security" companies will ever really make it, because the two most important mobile platforms (Android and iOS) stop them from doing anything useful. Oh sure, there're companies that provide provisioning and management dashboards to IT departments: that's a real problem that developers can solve... but they can't solve the problems that'll really matter soon.
Here's the big pitch for mobile security:
As more and more smartphones get on the market, there'll be more malware, spyware, phishing, viruses, network attacks, etc. on mobile devices, just like there is on the desktop. That sounds like a problem worth solving.
Well, yes, but... See, every app on Android and iOS needs to run within a pretty tight little sandbox. App_A can't read or write files that are in App_B's sandbox.
So, let's see, can a "security" app on iOS or Android:
- Detect or stop malware? Nope. One app can't "scan" another app or prevent its use.
- Detect or stop spyware? Nope. One app can't spy on another app... so it can't know if there's spyware.
- Stop phishing? Nope. Well, not unless you get the user to use *your* browser instead of the default browser... which will have phishing protection anyway.
- Detect or stop viruses? Nope.
- Prevent network attacks? Nope. An app on Android or iOS can't create/enforce firewall rules on the device, much less put packet filtering in place.
So, what CAN a mobile "security" app do on Android or iOS? Well, backup/sync/destroy contacts/calendar/email and locate your phone if you lose it. That's pretty useful, admittedly, but there's a lot of other people providing that capability, like Apple and Google themselves.
Is this all for naught then? No. There might be an opportunity to build a secure version of the Android OS, and sell it to OEMs / operators who want to put a "secure" or "trusted" build of the OS on certain devices. But that's a nightmare of a sales process to begin with, and would you really bet against Google and Apple just making their security policies tighter in the OS itself to prevent malware from running amok on their platforms?
Sad to say, but I think the stratospheric growth rate of iOS and Android, and the security policies they come with (unlike, say, the older Windows Mobile or Symbian platforms), mean that anyone with a mobile security play is locked out of the two most important mobile platforms in any meaningful way... Who knows, maybe making Windows Phone 7 secure could be a business?