Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Smartphone app stores should standardise security, EU Agency says

Veiled criticism of Android's open model

Article comments

Smartphone platforms and the app stores that serve them should conform to an agreed, industry-wide set of security principles in order to safeguard their users, a new report from EU cybersecurity agency ENISA has argued.

Most of the ENISA’s (European Network and Information Security Agency) ‘five lines of defence’ in its paper Appstore Security will sound uncontroversial, starting the importance of a security architecture that sandboxes applications on the device, and that apps install with a ‘kill switch’, a means for platform providers to de-install those later deemed insecure.

The Agency is also keen on thorough app review, a vetting process that apps should undergo before being posted on download stores, backed up by a comprehensive reputation mechanism and certificate system for developers creating apps.

The fifth recommendation - that platforms restrict from which sites users can download apps in walled gardens – is more contentious because it runs counter to the model pursued by Google, which allows third-party sites in addition to its own Market.

The report stops short of analysing each of the major smartphone app stores against its security criteria, or even suggesting that any of them might be deficient, but the current relative weakness of Android against these criteria is clear.

“Different smartphone platforms and different app stores currently address malware and insecure apps differently, which for consumers can be confusing,” the authors note. “Without overlooking the differences between the various smartphones models and appstores, we recommend an industry-wide approach to addressing malware and insecure apps.”

Many of Google’s publicised security problems have originated with third-party download sites and to some extent poor app vetting, which stem from its more open model. In July, an analysis by the CEO of security company Trusteer, Mickey Boodaei, criticised Google for its confused system for reporting rogue apps and poor response times when reports are made by security companies.

The Agency suggests that the industry come up with a cross-platform reputation system that works across app stores but this seems unlikely to come to pass. Apple’s heavily vetted App Store is seen by that company as a major competitive advantage; making life more secure for its rivals is hardly going to be a big priority.

The Agency’s argument for a combined system is that, in the long run, individual reputation systems, even walled gardens such as Apple’s could be vulnerable to attacks that seek to circumvent their security procedures.

The report’s biggest conclusion is that app stores vary considerably from vendor to vendor in terms of security, subtly differences that might not be obvious to end users in the absence of widespread attacks.

As the report points out, major attacks against smartphones are still the exception and “pales in comparison with PCs,” but that draws attention to the potential for the mobile age to plug the security mistakes of the past.

With the PCs, the primary point of attack was on the device itself whereas in the mobile world what happens on the device is controlled to a large extent by the platform provider and the architecture of the app store. The app store is in the front line of any security battle in a way no vendor website could have been.

Appstore security - 5 lines of defence against malware



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *