App stores must focus on security, not quality

Control should be balanced with innovation to secure app marketplaces, says a security executive, who notes that global mobile security remains inherently weak.
Written by Kevin Kwang, Contributor

Operators of mobile app stores must establish rules to safeguard their marketplaces, and balance this need with innovation, according to security vendor McAfee.

Jan Volzke, the company's head of global marketing for mobile security, told ZDNet Asia that in an ideal world, apps stores should "focus only on security when approving apps" and not on quality. Operators should "let the market decide what it needs", he said in an e-mail interview.

Apple: Don't 'game' us

Following a tip-off from bloggers, Apple removed Chinese software developer Molinker, together with its apps, from the company's App Store, noted a report Wednesday by Wired.
Over 1,000 apps, most of them copycat knockoffs of existing applications, were taken down from the popular mobile apps marketplace last weekend, after writers at the iPhoneography blog site noticed something amiss about the ratings posted for Molinker's apps.
Their subsequent investigation showed these apps were receiving many 5-star ratings and almost nothing in the 2-to-4 star range. The finding led to an e-mail complaint to Apple's senior vice president of worldwide product marketing, Philip W. Schiller, who replied after the apps were taken down: "Yes, this developer's apps have been removed from the App Store and their ratings no longer appear either."
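The signal the iPhoneography writers spotted, a pile of 5-star votes with an empty 2-to-4 star band, is one a marketplace operator can screen for automatically. The following is an added example written for this page, not code from Apple, Wired or the blog, and the per-app vote counts, the pooled-baseline method and the thresholds (minimum vote count, maximum middle-band ratio, minimum 5-star share) are all constructed assumptions for illustration:

```python
from collections import Counter

# Constructed sample data, not figures from the article: for each app, how many
# 1- through 5-star votes it has received.
SAMPLE_RATINGS = {
    "honest-cam": {1: 40, 2: 55, 3: 120, 4: 210, 5: 180},
    "knockoff-a": {1: 6, 2: 1, 3: 0, 4: 2, 5: 310},
    "new-app": {1: 0, 2: 0, 3: 1, 4: 1, 5: 4},
}

MIDDLE = (2, 3, 4)


def marketplace_baseline(ratings):
    """Share of votes in each star bucket, pooled across all apps in the store."""
    pooled = Counter()
    for counts in ratings.values():
        pooled.update(counts)
    total = sum(pooled.values())
    return {star: pooled[star] / total for star in range(1, 6)}


def middle_ratio(counts, baseline):
    """Observed share of 2-4 star votes divided by the store-wide expected share.
    Around 1.0 is ordinary; near 0 means the middle of the distribution is missing,
    the shape the blog writers noticed."""
    n = sum(counts.values())
    observed = sum(counts.get(s, 0) for s in MIDDLE) / n
    expected = sum(baseline[s] for s in MIDDLE)
    return observed / expected


def flag_suspicious(ratings, min_votes=50, max_middle_ratio=0.25, min_top_share=0.85):
    """Return {app_id: (middle_ratio, top_share)} for apps whose ratings look gamed.
    The thresholds are assumptions chosen for this example, not any store's policy."""
    baseline = marketplace_baseline(ratings)
    flagged = {}
    for app_id, counts in ratings.items():
        n = sum(counts.values())
        if n < min_votes:
            continue  # too few votes: a skewed shape is not evidence yet
        ratio = middle_ratio(counts, baseline)
        top_share = counts.get(5, 0) / n
        if ratio <= max_middle_ratio and top_share >= min_top_share:
            flagged[app_id] = (round(ratio, 3), round(top_share, 3))
    return flagged


if __name__ == "__main__":
    for app_id, (ratio, top) in flag_suspicious(SAMPLE_RATINGS).items():
        print(f"{app_id}: middle-band ratio {ratio}, 5-star share {top}")
```

The minimum-vote gate matters: a brand-new app with a handful of enthusiastic votes has the same shape as a gamed one, and flagging it would punish honest developers. The pooled baseline also assumes most apps in the store are rated honestly; if a large share of the catalogue were gamed, the expected middle-band share would itself shrink and the check would lose sensitivity, so an operator would want a baseline drawn from a vetted reference set rather than the whole store.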

Volzke said: "The threat level for mobile devices is still very low, in particular, when compared with threats that exist for PCs. However, many of these PC threats have been demonstrated to also 'work' on mobile devices, although no major mobile virus outbreaks have been reported so far."

Another security expert, Mark Bregman, Symantec's executive vice president and CTO, highlighted mobile security as a critical area to monitor in the new year, in which "more attackers will devote time to create malware to exploit these devices". In a separate report, Symantec noted that Apple's products, including its popular iPhone, will face increased attacks from cybercriminals.

Volzke noted that, due to tough economic conditions, various handset manufacturers and telcos postponed already-planned measures to safeguard their customers and to protect the foundation of their businesses. "Therefore, mobile device security is still inherently weak, especially on a global level," he said.

He noted that the mobile industry is currently riding on its luck, as hackers still find it easier to make money by hacking PC users rather than focusing on the "rather complex and fragmented mobile environment".

Volzke added that though mobile threats are currently still "insignificant", hackers are already looking at "spyware and other eavesdropping mobile apps" to exploit unknowing phone users.

He pointed to app marketplaces as an important mobile security gateway to safeguard, because users search for and download programs from these platforms.

Securing apps marketplaces
This need to ensure security has heightened with the introduction of, and increasing user interest in, apps marketplaces such as the Apple App Store, Google's Android Market, Nokia's Ovi Store and Microsoft's Windows Marketplace for Mobile.

Currently, Android Market is the only one of these marketplaces that does not subject apps to internal review before publication, relying instead on users' experience and feedback to police the site against potentially harmful apps.

"Google assists users in making these decisions and puts them in the driver's seat through the rating and permission system, which lets the community ensure the best content is easy to find," a company spokesperson told ZDNet Asia in an e-mail interview.

He added that the "reputation" of any app is determined by users, who would post more positive comments and give higher ratings to a good app than a bad one. Google also added extra layers of authentication during the download process to ensure its users are not tricked into downloading unrequested content--a security feature he said was "unique" to the Android Market.

However, a Symantec report noted that environments where mobile apps are not subject to internal review would "exponentially" increase the risk to telcos that provide the Internet bandwidth their subscribers use to download these apps.

Rogue applications could expose these networks to malware and denial-of-service attacks, and compromise network integrity in ways that cause outages or additional network traffic, the report stated.

The Google spokesperson, though, noted that any application deemed harmful or inappropriate by users and in violation of the company's policies will be removed from its marketplace. Abusive developers can also be blocked from using the Android Market for "repeated or egregious violations of our policies", he added.

Regulated marketplace environment
Microsoft, which runs its Windows Marketplace for Mobile, employs a regulated marketplace environment for developers and users. The company believes its quality control measures are important to ensure customers have a "great experience" with apps published on its platform, according to a Microsoft spokesperson.

"Windows Marketplace for Mobile offers quality tested applications from certified developers to phone users, through accounts associated with their password-protected Windows Live ID. Transactions and sensitive customer information are stored and managed through the same proven servers and processes used for other large scale businesses, such as Hotmail and Xbox Live," he told ZDNet Asia.

Similarly, handset maker Nokia implemented a quality assurance (QA) program and policy on its Ovi marketplace, where each application is put through a strict moderation and QA process to "ensure the consumer has the best experience possible and is safe from content misuse".

"For instance, all Java applications uploaded need to be signed and Java verified," noted a Nokia spokesperson. "Likewise, all Symbian apps need to be Symbian signed to ensure the publisher does proper tests before publishing the applications."

McAfee's Volzke suggested that wireless operators and handset manufacturers running their own app stores deploy mobile security measures in both the network and the device, so that they can effectively revoke an already-installed app from both the marketplace and the user's handset.

Bregman said Symantec is working on a prototype Symantec Mobile Reputation Security (SMRS) program, which he added was "geared primarily toward carriers to provide more control of applications downloaded onto their networks".

However, while apps stores can provide the first line of defense against harmful apps and cybercriminals, there are tradeoffs from establishing a higher level of mobile security.

For instance, Apple's App Store and its not-so-transparent approval process have led disgruntled developers to leave the marketplace and write programs for other mobile platforms. App stores with stringent checks can therefore trim developers' return on investment (ROI) and extend their time-to-market.

With over 100,000 iPhone apps, and counting, currently available on Apple's marketplace, getting apps approved is now a lengthier process.

Ubermind, a mobile software developer and maker of the popular iLightr app, previously created programs solely for the iPhone. But, after being rejected by Apple thrice in a week, the developer said it is now looking to diversify its offerings by writing for the Android platform, according to a Businessweek article.

Developers such as Twitterrific creator Iconfactory are widening their portfolios to other platforms to extend their reach beyond Apple's crowded marketplace.

Users would have to sift through 100,000 apps on Apple App Store to locate Iconfactory-developed programs, compared to Android's 12,000. "We love the iPhone, but we are in this to make money," Craig Hockenberry, principal at Iconfactory, said in the report.
