Security forum scolds Android, ticks Apple

Open app stores like the Android market should be more like Apple and vet software, according to the Information Security Forum.

(Apple v Android image by Tsahi Levent-Levi, CC BY-SA 2.0)

The forum is an international and independent organisation that for two decades has sought to benchmark good security practice.

It said that open application markets like Google's Android app store are not serious about security and should be made responsible for the software that is posted for users to download.

"There is concern around open markets," vice president Steve Durbin said. "I believe very strongly that they have a duty of care, and they are shirking if they do not stand up to that."

He pointed to the spate of malware-infected applications that crept on to the Android Marketplace in March as an example of what can happen if the integrity of software is not vetted.

Stores like Apple and Microsoft are doing a better job at security, Durbin said, as they worked with developers to make software more secure.

"Users need to be really clear about those app markets that conduct due diligence and care about the software up for sale, and those that do not," he said.

But many users will just download applications, anyway. Android malware DroidDream, which appeared last March, was downloaded by as many as 50,000 users, according to Android Central, and was incorporated into almost 50 applications.

Google was forced to push out a remote command to destroy the infections from Android handsets.

But Durbin, who has worked in the information security industry for decades, including a role as a senior Gartner analyst before joining the United Kingdom-based forum, admits that he is "a little paranoid". Before he downloads an application for his Android phone, he checks star ratings, reviews and comments on social media networks.

"Users are downloading apps at will without consideration to security. That's maybe not so much of an issue for Joe user, but mobile malware becomes an issue when devices connect to corporate networks that lack the appropriate security," Durbin said.