Which of the following statements do you believe?
- "Given that there are around 1.5 billion smartphones and tablets in the world, that means probably fewer than 15,000 of them are harbouring mischievous software." - The Economist - November 2013
- "32.8 Million Android Phones Infected with Malware" - Techlicious.com - April 2013 based on information from NQ Mobile
Does it matter?
If you are trying to make informed decisions around mobile phone security for yourself or your organisation, then it does matter. Go with statement number 1, then you will be trying to implement controls to ensure around the risk that the device will be lost or stolen (encryption, backups etc.)
Favour statment number 2, and you will be thinking more about security controls like anti-virus applications etc.
The Economist article goes on to say:
"Gartner, an information-technology consultancy based in Stamford, Connecticut, advises clients not to worry too much about malware penetrating their networks through the devices employees bring to work. It is the users themselves who are the problem. How, for instance, do companies prevent employees from innocently responding to “spear-phishing attacks” in the form of individually targeted, and very official-looking, e-mail or text messages, apparently from trusted colleagues, that request sensitive information? Security measures need to focus more on educating users, says Gartner, rather than on the relatively minor problem of mobile malware. "
Mobile Application Security
What about mobile application security? The OWASP Top 10 Mobile 2014 risk "M2 - Insecure Data Storage" says about the threat agent:
"Threats agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device."If you believe The Economist, you will give less weight to the malware risk in your application design and more prominence to the lost/stolen phone risk.
If the device itself is properly encrypted, then you will be less concerned about storing sensitive data on the device. Since the risk of malware is low, then it is unlikely that malware will steal the sensitive data.
(Ok - you should still be careful about what data your application stores on the device.)