ENISA responds to my ‘rant’ on the Appstore Security report
Marnix Dekker, one of the authors of the ENISA report on Appstore Security, has responded to my post in its comments (Appstore security: a new report from ENISA) and I would like to thank him for doing so. It’s worth reading, and I reproduce it here in full:
As one of the authors, allow me to briefly reply to your comments.
First of all thank you for reviewing the paper, I appreciate the feedback. Rants can be very refreshing.
It is true that the lines of defense are not in anyway controversial and may seem obvious. We felt that there was the need to outline the different defenses that can be used, as most of the app stores and platforms are not very explicit about these defenses. This is confusing for consumers.
Allow me to comment on your criticism of the killswitch. I would like to note that we do not exclude that there are other (than military) settings where a killswitch is unwanted. Bare in mind that most of the users do not want to keep malware on their device. We even mention that an optout where appropriate should be offered.
About jails: We are not saying that jailbreaking should be illegal, or that consumers should have no means of using alternative appstores… only that this should not be made so easy as to allow drive-by download attacks (email+link, genuine looking appstore, install approval, click, infected).
Your alternative proposal, to hold appstores liable for software vulnerabilities, is really a legal solution. I think it is a very interesting subject, but (big disclaimer) I am not a legal expert:
Some issues with this:
- It would be easy to set up a rogue appstore, run it from some obscure country, fill it with some infected apps. It would also be relatively easy to trick users into installing from there. Your solution, to simply find a suspect, and a court to fine, sounds to me a bit complicated. Just think of all the extradition procedures, harmonisation of laws, etc. that would be needed. Let’s ignore rogue appstores in the sequel.
- If I look at other platforms/software I do not see many consumers being granted compensation by courts, nor do I see many software vendors being fined for selling/distributing flawed software. Now this could change in the future, but I think we should address security in the meantime as well.
- Secondly, judges usually start fining people when it is clear they have been negligent or had malicious intent. That requires some kind of definition/agreement of what are best practices and sufficient measures/defences.
- Another issue with liability is – I think – the following: Imagine the opensourcing of software to continue. Android, Linux, Openoffice, etc, are example of this trend: A couple of volunteers decide to solve a problem (text editing say) by writing some software routines (say openmoko)… they publish them free of charge and they disclaim that you should only use this software at your own risk. Would you think it is fair to still fine them for flaws? What I am trying to say is that there are numerous examples of free opensource software/apps/platforms, and that we still need to address security there as well. Do you agree that the liability solution would only work for commercial software/platforms? In that case, what do we do about the rest?
Looking forward to discuss with you – software liability is a fascination topic 🙂