Android security: Don't let 2012 become the year of the bad app

Beware the malware lurking on Android Market...

...the user community reporting their findings. In contrast, the vetting process on the Apple App Store before publishing an application can take up to several weeks.

While this added diligence provides some level of assurance, it is not foolproof. Various incidents have shown that applications containing malicious or undesired functionality can still get through.

When I discussed this topic with Stephen Murdoch from the Security Group at the University of Cambridge, he said Apple iOS's closed model has the added benefit of ensuring adequate patch and upgrade distribution across all users. However, old versions of the Android platform may lose support from vendors and end up essentially abandoned, with no patch release support.

The possible consequence is that orphaned Android devices could remain exposed to known vulnerabilities with no possibility of a fix ever being deployed. Because of that guaranteed patch distribution, the App Store could be seen as more trustworthy in a corporate environment.

But stores and end users are both key to ensuring mobile security. So far, most attacks we have seen are based on using social engineering to trick users into downloading something they wouldn't normally want.

Murdoch gives some advice on steps that we can all take to avoid falling victim to the bad app:

  1. If it looks too good to be true, it probably is
    If a well-known application that is normally sold appears for free or at a much lower price, be suspicious.
  2. Check the publisher's information
    Are applications with the same name being advertised by different publishers? One of them is probably a fake.
  3. Reputation is everything
    Is the app supposed to be very popular? If so, there should be plenty of user feedback and ratings.
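The three checks above can also be applied mechanically when screening a whole store catalogue rather than one app at a time. The Python script below is an added example, not code from the article or from Murdoch. The catalogue entries are constructed for illustration, and the name normalisation, the half-price threshold and the 20:1 ratings ratio are assumed heuristics, not figures from the page.

```python
import re
from dataclasses import dataclass

# Filler words that copycat listings commonly append to a well-known name
# (assumed heuristic; extend to taste).
FILLER = {"free", "lite", "pro", "hd", "the", "new"}


@dataclass(frozen=True)
class Listing:
    name: str
    publisher: str
    price: float   # 0.0 means free
    ratings: int   # number of user ratings shown on the store page


def normalize_name(name: str) -> str:
    """Collapse case, punctuation and filler words so that
    'Bird Blaster FREE!' groups with 'Bird Blaster'."""
    words = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(w for w in words if w not in FILLER)


def triage(catalog):
    """Return one finding per listing whose name collides with a different publisher.

    Within each collision the listing with the most ratings is treated as the
    established one (rule 3). Every other publisher's listing is reported (rule 2),
    with extra reasons when it undercuts the price (rule 1) or has very few
    ratings compared with the established one (rule 3).
    """
    groups = {}
    for item in catalog:
        groups.setdefault(normalize_name(item.name), []).append(item)

    findings = []
    for listings in groups.values():
        if len({l.publisher for l in listings}) < 2:
            continue  # single publisher: no collision to report
        ref = max(listings, key=lambda l: l.ratings)
        for item in listings:
            if item.publisher == ref.publisher:
                continue
            reasons = [f"name collides with '{ref.name}' by {ref.publisher}"]
            # Assumed threshold: less than half the established price is suspicious.
            if ref.price > 0 and item.price < ref.price / 2:
                reasons.append(f"priced {item.price:.2f} against {ref.price:.2f}")
            # Assumed threshold: fewer than 1/20th of the established listing's ratings.
            if item.ratings * 20 < ref.ratings:
                reasons.append(f"only {item.ratings} ratings against {ref.ratings}")
            findings.append({"name": item.name, "publisher": item.publisher, "reasons": reasons})
    return findings


# Constructed sample catalogue; none of these are real store listings.
CATALOG = [
    Listing("Bird Blaster", "Acme Games Ltd", 0.99, 250_000),
    Listing("Bird Blaster FREE!", "QuickApps", 0.0, 37),
    Listing("Simple Notepad", "Alice Software", 0.0, 1_200),
    Listing("Simple Notepad", "Bob Dev", 0.0, 900),
    Listing("Weather Now", "Skyline Software", 1.49, 5_000),
]

if __name__ == "__main__":
    for f in triage(CATALOG):
        print(f"{f['name']!r} by {f['publisher']}: " + "; ".join(f["reasons"]))
```

Run against the sample catalogue, the free copy of "Bird Blaster" from a second publisher trips all three rules, while the two "Simple Notepad" apps are reported only for the name collision, since neither undercuts the other or looks unpopular; a human still has to decide which of those two is genuine.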

I would add that using appropriate mobile antivirus software, as on any PC, is an increasingly important measure.

As app stores improve their vetting procedures, attackers are likely to shift from social engineering towards exploiting existing vulnerabilities in the platform, not least on devices that no longer receive patches. Unless the right steps are taken by everyone involved, 2012 will see an increase not only in the number but also in the impact of attacks by bad apps.

Malcolm Marshall is head of information protection and business resilience at services firm KPMG in London.