ENISA, the European Network and Information Security Agency, has produced a new report: Appstore security – 5 lines of defence against malware. Its purpose is to help the burgeoning app store market protect against infiltration from malapps (not a widely used word yet, but watch it grow); smartphone apps pretending to be apps but really just plain malware.
The five lines of defence range from the bleeding-obvious through good-idea-but-don’t-hold-your-breath to illustrations of the-conflict-between-security-and-liberty. They are
- App review – bleeding obvious but not foolproof
- Reputation – not foolproof
- Kill switch – hang on a bit
- Sandboxed apps – bleeding obvious
- jailing – hang on a bit more
App reviews should obviously be done. But they’re not foolproof and are time-consuming and costly. New app stores will minimise them in order to reduce their own costs and speed the population of the store. Even where they are performed, with or without the help of automated testing, there is no guarantee against false negatives.
Reputations can be manipulated. Cyber criminals have shown that they are willing to play the long game. With enough time and resources it would be easy enough to release a few genuine and good apps before slipping in, backed by a good reputation, the bad one.
Kill switch. I don’t want one. And they don’t necessarily work. If I buy something, it is mine (I’m sick of the industry selling me something and then revealing later or in the small print that I only rented it). If I buy it, it’s mine. Therefore only I should be able to remove it. Not the software developer, not the app store, not the device manufacturer, not law enforcement and not the government. And anyway, they don’t work. DroidDream foiled the Android kill switch by simply operating outside of the sandbox. Here’s a good security principle: if something can be set up by software, it can be taken down by software. And another thing:
in a military setting, apps may be mission-critical and the app revocation mechanism may need to be turned off.
I’m not sure that I like being told that only the military has mission critical apps. My apps are critical to me.
Sandboxing. Now that is a good idea. It probably has more to do with the OS developer than the app store provider, but it’s still a good idea. It may not work nor be possible in all cases; but it’s still a good idea.
Jailing. Again, this has more to do with the OS developer and the hardware manufacturer than the app store itself. And again, if something is mine, I don’t want a third party telling me what I can do with it. It may be good security but it infringes my rights as a human being.
You may think I’m being overly critical and a bit frivolous, but I’m not. This report will make not one iota of difference to the app market. I wish ENISA and all the myriad other European agencies would spend the time and money we spend on them on something more worthwhile. Especially when the solution to malapps is easy: make the app stores liable. Make them liable for any losses incurred through malapps bought or downloaded from them. And where there is no measurable loss, simply fine the pants off them. That will stop malapps from app stores in their tracks.
Commenting on an article in Computerworld, Phil Lieberman, President and CEO of Lieberman Software, agrees that Android’s upcoming m-wallet (mobile phone wallet) is ‘a disaster waiting to happen’. The original article by Ira Winkler comments:
A smartphone’s operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment.
Mobile payment systems: A disaster waiting to happen
Phil adds to this
Ira’s comments are bang on the money. Whilst it’s great to hear that m-wallet solutions will be Visa PayWave or MasterCard PayPass-compatible – meaning that the wireless data transmissions are encrypted – the problem comes if the smartphone itself in less than secure.
But are the doom-mongers correct? Well, yes they are – but any use of any computer for any purpose is a disaster waiting to happen. Since m-wallets will happen (they’re cool and useful, the two primary drivers for any commodity), the real question is whether the m-wallet is significantly less secure than any other method of payment. And I’m not at all sure this is true. Like everything else in security, it is user-behaviour that makes something more or less secure.
Phil comments that
…with large numbers of Apple iPhone users jailbreaking their handsets to escape network locks, it looks like that most flavours of smartphones will be susceptible to security faux pas for some time to come.
That’s what I mean about user behaviour. Using a jailbroken iPhone as an m-wallet is like walking through a crowded mall with an open bag and a visible purse/wallet: it is the user rather than the wallet that is at fault. So what are the alternatives to the m-wallet, especially since cheques are being phased out by the banks (and we can expect them to do the same with cash over the next couple of decades)?
For now we have cash in a purse. Well, that’s less secure than a smartphone. Most people realise that they have lost their phone within minutes, and can switch it off remotely in an instant. The cash in the m-wallet cannot be used.
Bank cards? Well, they’re hardly secure are they? They can be stolen/lost and cloned. Cambridge university has demonstrated a device able to trick the system into accepting any PIN number on any valid card. And contactless cards really are a disaster waiting to happen.
Mobile banking on a laptop? Just as easily lost or stolen; and just as easily hacked. Zeus/SpyEye anyone?
Personally I can see our entire lives migrating to smartphones. Our front door key, car key, kicking the house into action before we get home, e-government and proof of identity. Trying to stop this happening will be like standing in front of a bulldozer. The requirement is not to prevent it, but for the security industry to improve security, and for users to improve behaviour.
Which will leave me with a problem: I don’t have a smartphone; and won’t have one until they invent one that won’t fry my brains – or worse if it’s in my pocket.