The fledgling smartwatch market is tiny compared to that for smartphones, or even wearable devices like Google Glass or smart bands that cater to fitness and health-monitoring needs.

Still, the smartwatch phenomenon promises to blossom in 2014 as experts expect Google to launch a model by summer followed by Applesometime in the fall. Even Microsoft is reportedly working on one.

To achieve any degree of greatness, though, these major tech innovators and their smaller competitors must overcome some significant hurdles.

For instance, most of the smartwatches unveiled to date are too expensive, at $200 to $300 each, for widespread adoption. Most of the devices also require a connection to a smartphone via Bluetooth, which implies that users face the added cost of the smartphone and a wireless service contract.

The early smartwatches also lack functionality and mostly run fewer than 20 smartwatch apps.

Several analysts say the so-called value proposition of smartwatches is unclear so far. Sure, you can check your smartwatch for a text message or email or use it to find the time or a weather forecast without having to dig into a pocket or purse to find your smartphone. But is that enough to attract users to the technology?

Some smartwatches (sometimes called smart bands) include sensors that let them double as fitness monitors, which helps expand their functionality to a degree. A few also have cameras, microphones, and speakers.

Beyond those basic price and functionality hurdles, some of the early smartwatches are just plain ugly and far too large (mostly around 2 inches by 1.5 inches) for women to wear on their wrists, say several analysts familiar with the market.

Samsung Galaxy Gear

That problem suggests the successful smartwatch innovators will—or should—pair up with fashion designers.

"Fashion will be important, whether in smartwatches or Google Glass," said J.P. Gownder, an analyst at Forrester. "Vendors need to up their game on design. They should partner with jewelry and clothing vendors. Tech firms just aren't equipped to deal with fashion by themselves."

Gartner analyst Angela McIntyre said that most of today's smartwatches are too large and dull-looking.

"When I put many of them on, they are wider than my wrist is, and I'm not that small," she said. "These are meant for males to wear, so they are missing half the market right there."

"One of the most difficult issues is the smartwatch face—it's a black box. If they'd make them look like conventional watches, that would help. Yes, I'd like more sparkle, and there are some designs for making them look like regular watches. These devices need more of a value proposition that people will understand and want," she added.

McIntyre summarized the challenges this way: "If a company could get the home run design—one that's right—with more apps and good price points, they could take off, but we haven't seen that design and that solution yet."

Newcomers to the market

The latest smartwatches to become available include Samsung's $300 Galaxy Gear. The Galaxy Gear, launched in the fall, is designed to pair with Galaxy devices like the Note 3 plus-size phone to make phone calls, take pictures, download apps, conduct Web searches, or check email.

The Sony Smartwatch, now in its second generation sells for $200, but cannot make voice calls.

Samsung and eBay recently announced that Galaxy Gear can now notify users of responses to online eBay bids, giving users the ability to make a quick counter-bid. But that kind of app isn't sufficient to justify the cost of a device that largely relies on smartphones to make calls or the smartphone's cellular or Wi-Fi connection to the Internet.

Innovation coming?

Officials at Samsung and elsewhere acknowledge that wearable technology, especially smartwatches, is barely beyond infancy and will likely see substantial innovation in the next two years.

Perhaps Apple will wow consumers globally with an "iWatch" by including technologies like the iBeacon proximity tool that was added to recent iPhone models. The innovative iPod and iPhone turned the consumer electronics market upside down, and Apple could do that again with a smartwatch.

Unfortunately, Apple doesn't exhibit at CES, and the company has yet to officially disclose that it's developing an iWatch smartwatch.

That said, an iWatch with iBeacon technology could usher in a Apple smartwatch world where users could literally open doors equipped with their own transmitters. For instance, a driver could unlock his or her car and start it with such technology. Users could also use the technology make purchases in a store after receiving a discount coupon by authorizing a credit card payment through a previously-stored account with Apple.

Future smartwatches may also include voice and gesture activation capabilities, which would go a long way toward reducing the need for a large touchscreen interface. Voice or gesture control makes it more likely that we'll see an elegant-looking smartwatch with a much smaller face that still has powerful functionality.

Market potential for smartwatches

Analysts at Canalys back in July projected that 5 million smartwatches will ship worldwide in 2014, while Gartner recently said it projects that the global number could reach 7 million next year.

Both the Canalys and Gartner projections are tiny compared to the forecasts that 1 billion or more smartphones will ship in 2014. However, the 2014 smartphone projections are both substantially higher than Canalys' report showing that 500,000 would be shipped this year.

What will work?

Canalys analyst Daniel Matte singled out the $150 smartwatch made by the startup Pebble. That company was started with funding from 85,000 investors found through Kickstarter.

Matta termed the Pebble smartwatch as reasonably successful with more than 200,000 reportedly shipped since its unveiling in early 2013. By comparison, reports have Samsung selling 800,000 Galaxy Gear devices to date, though the number has not been confirmed by the vendor.

"The Pebble is the best smartwatch so far, even though it's fairly basic," Matte said. "The one or two things it does do, it does well, which means it connects well to smartphones and runs apps on the display fairly reliably. It's really early, but it's still not a great device."

The ARM Cortex M3-based smartwatch runs the Pebble OS. The processor runs at up to 80 MHz.

The size of the smartwatch's battery is not disclosed, though Pebble says the device can run for up to seven days between charges.

Pebble says that "thousands" of developers are working on Pebble apps. Some of the apps coming soon include iControl, which can control home alarms, the FourSquare social app and GoPro for taking photos.

Currently, Pebble supports notifications from email or other inputs and alarms, music from the phone and some basic fitness apps. The watch face is customizable.

Matte said the Pebble falls at the upper end of the $100 to $150 sweet spot for what he believes smartwatches should cost to catch on with users.

Like other analysts, Matte said most smartwatches today "aren't very aesthetic or fashionable." He did note that Jawbone and Nike are making fashionable wearable smart band devices for fitness and sports activities, and those could provide design tips for the major smartwatch makers.

Neither the Jawbone or Nike device has a watch-like face in the conventional sense.

The Nike+ Fuel Band SE works with iOS and comes in three sizes and four colors for $149, with a rose gold version for $169. (Nike also has a Nike+ SportWatch GPS for $139.99 that has a conventional watch face.) The Jawbone Up24 has a wrap-around design that works with iOS and comes in two colors for $149.99.

With better designs and many more apps, Matte believes that smartwatches (which he terms smart bands) shipments will reach 40 million globally within several years.

"Smart bands are the next big thing in consumer electronics," he said.

In addition to Samsung, Sony, Nike, and possibly Pebble, other companies expected to show off smartwatches at CES include Basis Science, Burg, Connected Device, Dennco, Ezio, Filip, Kreyos, Kronoz, MetaWatch, Mio, Neptune, Polar, Qualcomm, and TomTom.

The president of the United States says he's not "allowed" to own an iPhone, which is why he's sticking with his BlackBerry, according to The Wall Street Journal.

It's a politically sensitive subject because the iPhone is the big American brand, and the president is a self-proclaimed fan of the late Applefounder and CEO Steve Jobs. He'd love to pander to buy-America voters. (Obama is also probably not "allowed" to have an Android phone.)

Of course, neither the president nor the Secret Service is willing to say exactlyhow security could be compromisedwith an iPhone. But onesecurity risk is the unpredictable nature of both iPhone and Android apps.

Sure, there's a lot of flat-out malware flying around online, most of which looks like regular, legitimate apps but in fact are either malware or they compromise privacy or security in some way.

Is that app selling you out?

There are certain types of apps that users are wary about and may take precautions about downloading. But others don't seem to have anything to do with user data, so they seem safe.

The Federal Trade Commissionannounced this week that it reached a settlement with Goldenshores Technologies, which makes a free Android app called "Brightest Flashlight." The FTC said the app harvested data on users' locations and device IDs and sold it to advertisers without telling the users, and even when users rejected the app's terms of service. The settlement forced the company to improve its privacy policy, user communication and data handling.

The FTC said the app had been installed on "tens of millions" of phones.

The whole "Brightest Flashlight" fiasco shines light on an uncomfortable set of facts about smartphone apps. For starters, some apps that have no apparent need to harvest personal data or compromise privacy or security go ahead and do so anyway.

But even those that don't move user data can leave users vulnerable through sheer incompetence.

Scrutinizing 'innocuous' apps

Silicon Valley computing giant Hewlett-Packard recently conducted a study about the security of business apps for the iPhone and concluded that many of them give themselves permission to access phone features and user data that make no sense, given the stated purposes of the apps.

HP found that more than 90 percent of the business apps it studied hadprivacy or security flaws.

Many of the flaws involved unencrypted data or insecure protocols. Some 20 percent of the apps send user data via unprotected HTTP. A similar percentage sent via HTTPS, but didn't do it right. And HP found other problems where an app could compromise user security and privacy not through malice, but through incompetence.

HP isn't the only organization looking at app security and finding a gigantic problem.

A new report from Trend Micro found that there are now 1 million "malware and high-risk apps" in the wild.

"High-risk apps" are defined in the report as those that "aggressively serve ads that lead to dubious sites," and represent one quarter of the total.

An information security company called Trustwave said this month that file-sharing apps for iPhones andiPads can compromise user security—even simple picture-sharing apps or apps that enable users to exchange documents.

The problem is that some of these apps open up an insecure file server on the device, which theoretically makes the file vulnerable to copying or could enable malicious crackers to upload files of their own. Some apps don't even require user authentication. The problems tend to be worse when apps run on older versions of iOS.

Some of these reports come from companies that sell solutions to the smartphone apps' security and privacy problems, so their conclusions should be taken in that context. However, it's clear that the problem is real and widespread.

Security solutions (sort of)

So what can users do about it? Do you have to become a security expert just to keep your personal data private?

The unfortunate answer is: Yes, kind of.

Education is the best defense. Certain types of smartphone security products, such as iPhone fingerprint readers or Android anti-malware apps, protect against some risk but not most of the problems associated with apps.

In general, we all need to be more selective about the apps we download and not assume that just because it's highly rated or popular that it's OK.

We also need to think about which data we want to keep private, and which data we don't. For example, if you're concerned about protecting your location data, there are a set of steps you can take to reduce the risk of that information getting out.

If, on the other hand, you carry financial data around on your phone, well, there's an entirely different set of actions you need to take.

The take-away here for all users is that the Apple App Store and the GooglePlay Store and the other Android stores are jam-packed with apps that can compromise your security and privacy without you ever knowing anything bad happened.

So be careful about what you download, don't be lulled by security features that can't protect you against bad apps, and take deliberate action to protect the private information you most want to safeguard.

About two-thirds of the respondents said the mobile endpoints used in their organizations had been hit by malware and 40 percent also said these endpoints were the entry point for an APT-style attack aimed at specific individuals to gain access to corporate information. The Ponemon Institute's survey, titled "2014 State of Endpoint Risk", states that on average 63 percent of an organization's employees are now using mobile devices, with IT managers anticipating the number of devices that have to be actively managed will rise from 5000 on average to 7000 in the next three years.

"Just when many IT security practitioners were hoping to get their endpoint security risks under control, the exploding growth of mobility platforms and public cloud resources has turned these dreams into a security nightmare," the survey report asserts. The respondents perceive "mobile devices such as smartphones" to be the greatest potential security risk in the IT environment, more than PC desktops and laptops.

The survey, sponsored by Lumension, indicates that more than half of the IT security experts learned of APT attacks against endpoints when they found anomalous exfiltration traffic on the network. About a quarter said the endpoint security technology they use alerted them to a possible breach and 21 percent were notified by law enforcement directly. APT attacks often commence with phishing emails to employees, Web-based click-jacking, fraudulently signed code, or digital certificates, they said.

As far as the applications considered to have the highest IT risk, the top three choices were: Adobe, Google Docs, and Microsoft's operating systems and applications.

Personal gadgets in place at work

Just over half of the survey's respondents say they have a "Bring Your Own Device" (BYOD) plan that lets employees use their own mobile devices for work purposes, and slightly over half of them are relying on "voluntarily installing the endpoint protection agent" for BYOD.

The survey also asked about perceived risks associated with third-party cloud services, and 54 percent of the respondents said their organization has a "centralized cloud security policy," up from 40 percent that did the year before.

Having to focus more on endpoint security is putting pressure on IT security budgets, according to the report, with only 44 percent expecting their overall IT security budgets to increase in 2014.

The types of technologies the survey's respondent expect to invest in over the next year include application control, data-loss prevention, mobile device management (MDM), device control and "big data analytics." The most important capabilities considered for MDM by the respondents are malware detection and prevention, provisioning, and access management.

Security blogger Brian Krebs, who first reported the Target data breach news earlier this month, said that compromised cards are being marketed online with information on the state, city, and ZIP code of the Target store where they were used.

Fraud experts say the location information will likely allow buyers of the stolen data to use spoofed versions of cards issued to people in their immediate vicinity, Krebs wrote. "This lets crooks who want to use the cards for in-store fraud avoid any knee-jerk fraud defenses in which a financial institution might block transactions that occur outside the legitimate cardholder's immediate geographic region," he said.

This is believed to be the first time that security experts have observed hyper-localized selling of stolen credit and debit card information following a retail breach.

Target last week disclosed that hackers had accessed data stored on some 40 million credit and debit cards belonging to shoppers who bought merchandise in its stores between November 27 and December 15.

The information exposed in the incident includes the cardholder's name, the credit or debit card number, the card's expiration date, and the CVV security code used to activate the card in a store, Target said.

The breach is believed to have exposed data from cards distributed by most major U.S. credit card issuing banks and credit unions. JP Morgan Chase announced that it had put restrictions on the amount that customers affected by the Target breach could spend or withdraw daily.

Detection may be difficult

James Huguelet, an independent consultant who specializes in retail security, said Krebs' report concurs sporadic reports after the breach that that stolen Target cards were used fraudulently in areas close to where the owners of the cards lived.

Local use of a card makes it more likely that the crooks can use it for a relatively long period of time before a block is put on it, he said. "That makes such cards much more valuable to a criminal. This is a very clever tactic to increase the monetary value of each stolen card. It's one I've not seen used before," Huguelet said.

Card thieves typically sell stolen data to buyers around he world, making it likely that fraud detection tools used by banks will detect the crimes.

Fraud detection tools used by banks and other card issuers look closely at the location where a card is used and the frequency of its use to determine potential criminal use. Banks often decline transactions or require additional authentication for card transactions that originate from new or unexpected locations.

Such detection is harder when a stolen card is used within the area where the card is typically used.

"Whoever is behind this breach appears to have a tremendous amount of not only technical, but also retail operations and payment industry knowledge. This could indicate someone who has previously worked in the retail payments industry." Huguelet said.

Gartner analyst Avivah Litan said that card issuers and others have to significantly ramp up fraud detection capabilities to deal with the new threat.

"It's very significant because it shows how sophisticated the criminals are," Litan said. "They are trying to avoid being spotted by fraud detection systems that check the location of a transaction against the individual's home zip code and the location of that individual's most recent transactions."

This level of sophistication, combined with the sheer large volume of active cards that were compromised, makes fraud detection far more difficult, Litan said. "Companies will need to beef up their fraud detection capabilities and strategies to overcome the criminals' tactics, which is not a simple task and which does not happen overnight," she said.

Major data breaches often have provided a window into the systemic weaknesses exploited by cyber criminals to infiltrate networks and to profit from data theft.

The 2007 breach at TJX Companies, in which hackers accessed data on 45 million credit and debit cards, showed how easily a poorly protected wireless network can be exploited to gain access to a payment network. Massive data compromises at Heartland Payment Systems and Hannaford Brothers in 2009 hammered home the dangers of SQL injection flaws in Web application software.