Smartphones are impressive, but it’s the aftermarket applications that make them a disruptive technology. Guess who also knows that? So, buyers beware.

TechCrunch estimates the smartphone-application market could reach 15 billion US dollars by 2013. Here’s another statistic. Apple’s App Store has over 250,000 applications with a cumulative-download total exceeding five billion. Starting to see why the bad guys are interested in leveraging such an efficient software-delivery system?

How the app stores work

When it comes to smartphone applications, Apple led the way with their App Store. Not to be denied, RIM, Google, and Microsoft jumped into the fray. In the turf battle, Apple and Google have garnered the lion’s share of the market. So, I’d like to focus on them. Besides, they are polar opposites in how they implement their stores.

From the user’s standpoint, all the app stores work much the same. Find an application you want, pay for it if required, and download it to your smartphone. Where Apple and Google diverge is how the applications are written, vetted, and allowed into the respective stores.

There is debate aplenty about open source versus proprietary software and what’s required to be accepted by a particular app store. That’s not what concerns me. The lack of code review does. Why? Our security and privacy are at stake.

The problem

At this year’s Mobile World Congress, Eugene Kaspersky, CEO of Kaspersky Labs, was quoted as saying:

“This year and next year we expect to see the industrialization of smartphone malware.”

The FBI is also concerned. Spencer Ante of the Wall Street Journal quotes Gordon Snow, assistant director of the Federal Bureau of Investigation’s Cyber Division:

“Mobile phones are a huge source of vulnerability. We are definitely seeing an increase in criminal activity.”

Mr. Ante then paraphrases the rest of his conversation with the assistant director:

“The FBI’s Cyber Division recently began working on a number of cases based on tips about malicious programs in app stores. The cases involve apps designed to compromise banking on cell phones, as well as mobile “malware” used for espionage by foreign nations. To protect its own operations, the FBI bars its employees from downloading apps on FBI-issued smartphones.”

Experts have a good idea as to how this will happen. All the pieces are in place: immense traffic to the app-store web sites, a great software delivery system, and no simple way to tell if an application is malicious or not. On top of that, with the number of applications being written and submitted every day, how is it possible to check every line of code? Cybercriminals have to be smiling.

Apple’s solution

Most developers dislike the tight control Apple has over the App Store. But, that control is in the iPhone user’s favor when it comes to vetting app software. According to CEO Steve Jobs, Apple checks each piece of software for the following:

I have not found any details on how the actual code is inspected.

Google’s approach

Google does not vet applications submitted to Android Marketplace. Google has specific rules, but relies on users to point out bad software. Google’s policy is as follows:

  • Google will remotely disable apps found to be malicious.
  • Google requires developers to register with Checkout.
  • Google requires developers to declare the permissions their application will need in order to interact with the phone.

That may not seem like much, but the permission mechanism is useful because of the following:

“No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user’s private data, reading or writing another application’s files, performing network access, keeping the device awake, etc.”
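Since the declared permissions are the one piece of information an Android user actually gets to see before installing, it helps to know what that declaration looks like and how to read it against what an app claims to do. The following script is an added example, not code from the original article or from Google: it parses the `<uses-permission>` entries of an AndroidManifest.xml and separates the permissions a reviewer can explain from those they cannot. The manifest is constructed for the example (a hypothetical flashlight app), and the grouping of permissions into a "sensitive" list is this example’s own heuristic, not an Android policy; the permission names themselves are real Android identifiers.

```python
# Added example (not from the original article): read the <uses-permission>
# declarations in an AndroidManifest.xml and flag the ones the app's stated
# purpose does not explain. The manifest and the "sensitive" table below are
# constructed for this example; the permission names are real Android ones.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical flashlight app that asks for
# far more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Assumed heuristic: permissions a user should want explained before installing.
# The grouping is this example's own, not a Google classification.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads your address book",
    "android.permission.READ_SMS": "reads your text messages",
    "android.permission.SEND_SMS": "can send texts (premium-rate fraud risk)",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "tracks your precise location",
    "android.permission.READ_PHONE_STATE": "reads phone identity and call state",
    "android.permission.INTERNET": "can send data off the device",
}


def declared_permissions(manifest_xml):
    """Return the permission names an app declares, in manifest order.

    The android: prefix is an XML namespace, so the attribute must be looked
    up by its full namespaced name rather than as the literal "android:name".
    """
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def review_permissions(manifest_xml, expected):
    """Split declared permissions into those the app's purpose explains and
    those it does not, attaching a plain-language reason to sensitive surprises."""
    report = {"expected": [], "unexplained": [], "sensitive_unexplained": {}}
    for perm in declared_permissions(manifest_xml):
        if perm in expected:
            report["expected"].append(perm)
        else:
            report["unexplained"].append(perm)
            if perm in SENSITIVE:
                report["sensitive_unexplained"][perm] = SENSITIVE[perm]
    return report


if __name__ == "__main__":
    # A flashlight plausibly needs the camera (to drive the LED) and vibration;
    # everything else it asks for is a question the user should be asking.
    result = review_permissions(
        SAMPLE_MANIFEST, {"android.permission.CAMERA", "android.permission.VIBRATE"}
    )
    for perm, why in result["sensitive_unexplained"].items():
        print("ASK WHY: %s -> %s" % (perm, why))
```

Run against the sample, the script reports INTERNET, READ_CONTACTS and SEND_SMS as unexplained for a flashlight, which is exactly the mismatch between stated purpose and requested access that the Android permission model lets a careful user spot before installing.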

Which is better?

That’s a question we will have to answer for ourselves. Let’s do a quick review of the main differences:

  • Closed (Apple) versus open (Android) software philosophy.
  • Employee vetting of applications versus user input.
  • No private APIs versus controlling permissions.

What can we do?

If you pay attention to the tech media, you know that neither Apple nor Google is impervious to having malicious applications in their respective stores. Since that’s the case, let’s see what the experts say we can do to avoid downloading malware:

  • Positive reviews: Examine reviews to ensure the application is from a reputable developer. There are web sites that test software for all the smartphones. That’s a good place to start.
  • Negative news: Due to the nebulous nature of smartphone-application development, any negative information about an app should be taken seriously, especially ones dealing with your finances.
  • Healthy skepticism: The way all the app stores work should encourage a lack of trust on our part.

I know that doesn’t seem like much, but that’s all we have right now.

Final thoughts

The signs are here. Yet another useful and amazing technology is about to get pimped. Hopefully, the industry will be proactive in this fight.