It's coming.

For the past five years warnings of a coming assault by cybercriminals on mobile banking have kept getting louder. Yet the plain fact is that successful attacks on the mobile channel in the United States have been scarce.

“Mobile threats remain nascent,” said Vince Arneja, a vice president at security firm Arxan.

But just maybe that's about to change, mainly because more cybercrooks are putting more energy into mobile and, lately, there are signs that the bad guys are starting to cash in on a vulnerability that is found on just about every smartphone.

The weak link is the mobile browser.

This is potentially a huge issue in mobile banking. “We believe about half the consumers who do mobile banking are using the browser and that's scary. What's a browser designed to do? Run code, and that sets it up for exploitation by criminals,” said Al Pascual, a risk expert with Javelin Strategy and Research.

Architecturally, a purpose-built mobile banking app simply has a lot less vulnerability than do banking sessions conducted inside Safari or Chrome, said multiple experts. The browser, by its nature, delivers all the Web has to offer and that means it's also a trapdoor into high risk.

An app, by design, is a dramatically more confined experience. It has only the capabilities built in by its developers. And so it potentially is very safe.

Of course there are lingering concerns about counterfeit banking apps – generally a legitimate app that has been doctored by a crook and then uploaded to apps sites to trick the unwary into installing them. Such apps continue to show up.

“It is not hard to decompile an app, insert code, and upload it. We are seeing this happen frequently,” said Jack Walsh, a mobile security expert at ICSA Labs, an independent division of Verizon.

That said, there still are no known widespread distributions of counterfeit banking apps in the U.S.

Issues with mobile browsers are different because they are much more widespread. Browsers can be tricked into running malicious ActiveX, Java, JavaScript, and other code. They also can be victimized by so-called drive-by infections where simply visiting an infected website is enough to taint the browser. There is no need to click on anything.

“With mobile browsers, users may be duped into accessing rogue websites and involuntarily revealing sensitive information,” wrote Bill Conner, CEO of Entrust, in an email.

“We will start to see mobile malware designed to capture data in a mobile banking session, involving a mobile browser,” predicted Pascual.

That's an echo of Zeus, which is the bane of Windows-based online banking – but, suggested Pascual, something similar could be steaming towards browser-based mobile banking.

That's why a big trend in financial institutions is doubling down on native apps: “More security is getting built into the apps, as we see a shift from mobile 1.0 to 2.0,” said Arneja.

Many apps in the mobile 1.0 era, including mobile banking apps, were frankly rushed out the door with little attention to security. At ICSA, Walsh said a primary focus of his work is probing apps in search of vulnerabilities and, he said, he finds plenty. In many apps, including financial services apps, security often has been an afterthought. “Third-party apps developers often are not security experts,” said Walsh.

That now is changing, however, particularly in financial services as institutions recognize they have no real control over the mobile devices but they do have controls over their own apps and it is up to them to maximize those benefits. “Native mobile apps are getting much more secure,” said Arneja.

Will financial institutions start to ban access to mobile banking via mobile browsers? Security experts talk about how they would like to see that happen but they also admit an outright ban is highly unlikely.

For one thing, browser access is a low-cost way to get BlackBerry, Windows mobile, and other platforms into mobile banking and, increasingly, more institutions are issuing only Android and iPhone apps.

For another thing, most financial institutions don't want to seem to be denying choice to their customers – and many of us still just prefer to use the browser instead of the app.

But watch financial institutions aggressively push app use to their iPhone and Android users – particularly as the institutions roll out 2.0 apps with more potent security built in.

That is one way to help keep mobile banking safe and, said the experts, exactly that is now beginning to happen with the biggest financial institutions and, quite likely, this trend will percolate down to credit unions and community banks as every financial institution comes to see better apps as a key to better mobile banking security.


© 2024 ALM Global, LLC, All Rights Reserved.