Lesson from Android: Does More Open Have to Mean Less Secure?
by Neil MacDonald | March 11, 2011
Google’s Android has made the news a couple of times already in 2011: first with a credit card snooping proof-of-concept exploit, and most recently with malware that had gotten into the Google application store. The latter was particularly serious, as it involved a privilege escalation attack that broke out of the Android sandbox.
In this recent research note for clients on the need for antimalware for enterprise Apple Macintosh computers, we stated:
Any endpoint device where the end user is able to download, install and execute arbitrary code — including plug-ins within a browser — is vulnerable, and protection is needed.
Let’s not repeat the mistakes of the PC on mobile devices. If phone platforms open up to the extent that end users can install arbitrary software from arbitrary sources, then we will have gone full circle. The good news so far is that most mobile users can’t load arbitrary software from any arbitrary source – they are limited to consuming software from application stores.
Application stores act as a potential checkpoint to look for malware. They act as an implicit form of whitelisting, where the “whitelist” is managed by the vendor that manages the app store. Malware in app stores was predictable and avoidable. I blogged on exactly this topic more than a year ago.
Seems like this conflict of interest between the network effect of more developers and applications versus improved security won’t be resolved until a significant attack is publicized and users start voting with their dollars.
Now a significant attack has been publicized. So, why aren’t app store providers doing a better job of security testing before applications are placed into the app store?