Neil MacDonald

A member of the Gartner Blog Network


Why Don’t Mobile Application Stores Require Security Testing?

by Neil MacDonald  |  February 3, 2010  |  3 Comments

As the number of mobile smartphones increases, as several platforms begin to dominate and as users begin to download lots of executable code, they will become targets for attack. Rather than repeat the mistakes of the PC world, why can’t we do things better from a security perspective this time around?

So far, most mobile platforms have a good start. Requiring all third-party applications to run in a sandboxed environment (and making ‘jailbreaks’ difficult) is a great start. This is a lot like running users as ‘standard user’ in Windows, which I’ve recommended multiple times. However, a smart and financially motivated malware writer will simply target the user data rather than trying to break out and corrupt the main OS. Just like today’s attacks on enterprise PCs, why should a malware writer go for a noisy attack on the mobile OS when they can quietly harvest user-accessible sensitive data or activate other user-accessible features? Examples include user-accessible data such as address books, contact lists, email, etc., and user-accessible features such as turning on/off the microphone, camera, and so on.

Restricting the application ecosystem to an application store (as opposed to the widespread nature of software availability on today’s PCs) also helps, but relies on fast removal of malware once it is reported. Call it what you will, this is a form of blacklisting. As AV has shown us, this model isn’t effective enough and malware writers will simply reregister, create another ‘variant’ and repost.

There are a couple of things we could do. One would be to require developers to show proof of security testing before being allowed to post an application. We require this for procured enterprise software, so why not for mobile software? The problem is, there aren’t any standards of proof for this, and a smart hacker would simply fake the results or write code that isn’t vulnerable per se, but contains embedded malicious intent (like copying the address book).

We could also require stronger vetting of developers before they are allowed to post applications. I’ve talked about this concept before in the PC world. This doesn’t prevent vulnerable (and potentially malicious) software from being written, but would help prevent the rapid reregistration problem above. However, the application store vendors don’t want to do anything that slows the number of developers and amount of applications in their stores.

It seems to me the best option would be for the application store owner to set a minimum standard for security and backdoor/trojan testing that is independently performed. However, this raises the cost for developers (or for the store owner) and potentially slows down the ‘network effect’ of having the largest application store (which attracts more users, which attracts more developers, repeat).

Seems like this conflict of interest between the network effect of more developers and applications versus improved security won’t be resolved until a significant attack is publicized and users start voting with their dollars.


3 responses so far ↓

  • 1 Chris Wysopal   February 3, 2010 at 10:02 am

    I agree that we are going to miss a great opportunity to improve software security if we don’t leave the “detect and revoke” mentality of the PC world behind as we move to new platforms. The mobile app store is a form of whitelisting that can assure the security of an entire platform if the whitelisting means something.

    Veracode is being asked by large financial organization to build security testing into internal mobile app stores. There is obviously a desire for security screened applications in the corporate and government world. Why not just scan once at the platform provider’s app store and give the benefits to all?

    Veracode researcher Tyler Shields is presenting 2/7/2010 at Shmoocon on Blackberry malicious mobile code. The presentation and sample code will be available at http://www.veracode.com/blog.

    -Chris

  • 2 Zero in a bit » Mobile App Security   February 3, 2010 at 10:28 am

    [...] Neil MacDonald at Gartner asks the question, “Why Don’t Mobile Application Stores Require Security Testing?” [...]

  • 3 Neil MacDonald   February 5, 2010 at 5:34 pm

    A reader sent this link to a November, 2009 article from BusinessWeek on the application economy:

    http://www.businessweek.com/magazine/content/09_44/b4153044881892.htm

    The article reports 100K + applications…

    5 page article and security is mentioned only once in passing..