Enisa: Industry must shore up app-store security

The smartphone industry should adopt a common approach to fighting malicious mobile apps, especially those hidden in online app stores, Europe's cybersecurity agency has urged.

Enisa, Europe's cybersecurity agency, has said in a report that companies with app stores must beef up security to block malicious mobile apps. Photo credit: Bonnie Cha/CNET News

In a report published on Tuesday, the European Network and Information Security Agency (Enisa) said mobile malware poses an increasing threat and the disparity between various app stores' approaches to dealing with the problem is confusing for users.

"The stakes are high: consumers, government and business professionals use smartphones to store and process large amounts of confidential and personal data," Enisa said in the report, App store security: 5 lines of defence against malware. "Without overlooking the differences between the various smartphones models and app stores, we recommend an industry-wide approach to addressing malware and insecure apps."

Phishing and spyware are among the most common data-breach risks for smartphone users, Enisa noted in an earlier report, released in December. While mobile platforms have seen less dedicated malware than PCs, rogue apps have emerged that harvest personal data or surreptitiously dial premium-rate phone numbers, it noted. Last year, this kind of 'dialler ware' was found to have been packaged with bona fide Windows Mobile apps, for instance.

"On the positive side, app stores can offer important opportunities to prevent, or reduce the impact, of malware and insecure apps," the report's authors wrote. "At the same time, cyberattackers are focusing more on smartphones. They will try to sell malicious apps directly or go after software vulnerabilities in popular apps."

Share security practices

Scammers focus their efforts on marketplaces such as Google's Android Market and Apple's App Store for iPhone and iPad apps, according to Enisa. To help combat the risks, app store providers should exchange information such as analyses of apps and how they have been rated by users, Enisa said. It also encouraged companies to share security practices.

As part of a harmonised response, the industry should create a "distributed reputation system" where people can rate apps and their developers across different marketplaces, the agency said. Also needed is a single centralised whitelist, which "would provide a central repository of security information about apps, independently of where the apps are sold".

Enisa's report put forward five lines of defence against insecure apps. When developers submit software, it should be reviewed before being allowed into an app store, the agency said. It mentioned examples such as the Apple tool that checks for forbidden API calls during the iOS submission process, and Microsoft's Hopper tool, which stress-tests submitted apps for memory usage, performance and stability.

Retroactive vs proactive

The report did not single out any platform for failing to comply with any of its recommended best practices. However, Google is notable for taking a retroactive rather than proactive approach to keeping bad apps out of the Android Market.

Cyberattackers are focusing more on smartphones. They will try to sell malicious apps directly or go after software vulnerabilities in popular apps.

– Enisa report

This was demonstrated in March and June, when Google pulled dozens of apps from the Android Market because they contained versions of the DroidDream malware. At the time, the company demonstrated its remote kill-switch for malicious apps; the use of this kind of tool was another of Enisa's recommendations.

However, Enisa noted several potential problems with remote-kill functionality. In a military setting, for example, an app-revocation system may need to be turned off so that mission-critical software cannot be taken out. The risk of false positives means only specialised platform security teams should be able to flip the remote kill switch, Enisa added.

There is also a problem with using reputation systems to inform people about the reliability of apps and developers, in that most users rate the software for functionality rather than security, Enisa said.

"There should be a separate channel for security and privacy issues (e.g. 'this app works, but asks for excessive privileges at install')," the report's authors wrote.

Device security

On the device security side, smartphones should be able to run apps in sandboxes, Enisa said. It added that only signed apps should be accepted, and it should be possible for devices to be returned to a pre-install state when malware is removed.

Finally, Enisa turned to the 'walled garden' approach, as with Apple's App Store, where the software ecosystem is closed and there are strong limits on app distribution. The agency said there are risks involved in making devices either too restricted or not restricted enough.

If it is too easy to skip warnings about apps installed from untrusted app stores, users are made vulnerable to drive-by download attacks, it said. Conversely, "if jails are too restrictive, users will try to jailbreak their devices which could expose them to even higher risks, for example, when jailbreaking removes other defences in the process", it said.