What now, after the Android Market scare?
No screening process is going to be foolproof, but we can all take steps to make our devices safer
Computerworld - I truly hate to say it, but it was inevitable that we'd see some maliciously inclined apps get introduced to the public through the Android Market or the Apple App Store.
The recent spate of malware-infested apps found in the Android Market illustrates the point. Mistakes are going to happen, even if our app providers undertake reasonable precautions in guarding their stores.
And I should make it clear that I'm referring here to deliberate malicious behavior in the app software, not inadvertent mistakes made by application developers. Some of those inadvertent mistakes can be found via static code review of the apps themselves, and the store provider in its screening process may well detect some as well.
The question that we should be asking, then, is this: What do we have to protect us from apps containing deliberate malicious "features" such as Trojan horses that seek to steal sensitive information from us?
Let's consider both the store processes and the underlying security architectures briefly here. And let's compare Android and iOS in these considerations.
As for the stores, Apple of course is famous for having an app screening and approval process for all the apps in its App Store. Although not much is publicly known about that process, Apple does publish a set of guidelines for application developers to conform to (Note: You must be logged into the Apple Developer site to access the linked URL). Every iOS developer should read and be deeply familiar with those guidelines, of course, but they are hardly specific to security. In fact, the term "security" does not appear even once in the guidelines.
Still, a team of reviewers reviews all apps in the Apple App Store. Presumably, they verify many or all of the guidelines described in the above document. They verify that only published APIs are used, that the app doesn't crash and so on. Yet nothing is said about verifying that no undocumented features are present. Indeed, we have seen examples of approved apps containing "Easter eggs" and other undocumented features. (These apps were quickly pulled from the store, however, and Apple does famously have the ability to hit a software "kill switch," disabling such apps when discovered.)
By contrast, the Android Market is far less rigorous in its review processes. That's being charitable. The truth is that the market's operators pride themselves on being light on reviews. On the other hand, all apps must be signed, so in theory there is at least some accountability.
More by Kenneth van Wyk