Mobile application development controls may be no "silver bullet" for keeping mobile malware out, but standards are still necessary, say industry watchers.
At the recent MobileBeat 2009 conference in San Francisco, Symbian Foundation's executive director Lee Williams noted that a "totally open" mobile application development ecosystem may mean mobile phones would face the same security problems PCs have been plagued with, according to a V3 report.
But controls alone will not ensure that mobile applications will be free from malware, industry experts told ZDNet Asia.
Paul Ducklin, Sophos' head of technology for the Asia-Pacific region, said the Symbian executive's comments seemed to suggest that Symbian's fully-closed code-signing model "exonerates users from needing security software" such as an antivirus. But ironically, the Foundation itself certified a Trojan as a legitimate application earlier this month, he pointed out in an e-mail.
"[The Symbian incident] aptly demonstrates that security really is a journey, not a destination," said Ducklin. "Code signing and certification systems aren't a silver bullet any more than, say, an antivirus product is a silver bullet. Having one does not make the other unnecessary or obsolete."
Michael Warrilow, managing director at Hydrasight, emphasized in an e-mail that "nothing will make mobile apps impenetrable".
Some control 'good' in proliferating world of mobile apps
The mobile ecosystem is getting bigger each day, with new handsets, operating systems, app stores, developers, and naturally, applications.
Juniper Research said in a recent statement it estimates mobile application downloads annually to reach 20 billion by 2014, spurred by the success of Apple's App Store. The research house also predicted that the mobile application market will register revenues of US$25 billion in five years' time.
What the mobile app ecosystem really needs is a form of certification that does not necessarily penalize developers, according to a builder of mobile apps.
Al Sutton, director at Funky Android, explained to ZDNet Asia in an e-mail interview that the notion of optional certification allows users to choose between a certified and an uncertified app, while developers can avoid going through potentially expensive certification processes just to let users access their app.
"Before Android phones were available, I floated the idea of a trust system for Android apps which would seem to offer a workable middle ground between locked-down devices and an application ecosystem [that allows] anyone to add their approval stamp to an Android application--and allowing applications to carry multiple approval stamps," said Sutton. "This system would allow developers to freely distribute apps, and users to make an informed decision about applications based on the approvals, which seems like a win-win situation to me."
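The multiple-approval-stamp model Sutton describes, as an added example that is not part of the original article and is not Funky Android's or Android's own code: a small Go program in which any number of certifiers sign an app's content hash with their own Ed25519 keys, the device keeps only the public keys it trusts, and the user's policy decides how many stamps, and which ones, are enough. The certifier names, the policy rules, the stamp message format and the sample package bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Stamp is a detached approval: one certifier's signature over an app's
// content hash. An app may carry any number of these, from anyone.
type Stamp struct {
	Certifier string // name the stamp claims to come from
	Sig       []byte // Ed25519 signature over stampMessage(Certifier, app)
}

// Certifier is a party that can stamp apps. Only Pub is distributed to devices.
type Certifier struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCertifier(name string) (*Certifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Certifier{Name: name, Pub: pub, priv: priv}, nil
}

// stampMessage binds a stamp to both the certifier's name and the exact build
// (SHA-256 of the package bytes), so a stamp can be neither re-labelled as
// another certifier's nor moved to a different build. The prefix is a
// constructed domain-separation tag, not any real stamp format.
func stampMessage(certifier string, app []byte) []byte {
	digest := sha256.Sum256(app)
	msg := []byte("app-stamp-v1\x00" + certifier + "\x00")
	return append(msg, digest[:]...)
}

// Approve produces this certifier's stamp over the app bytes.
func (c *Certifier) Approve(app []byte) Stamp {
	return Stamp{Certifier: c.Name, Sig: ed25519.Sign(c.priv, stampMessage(c.Name, app))}
}

// VerifiedApprovals returns the sorted names of trusted certifiers whose stamps
// verify against this app. Stamps from unknown certifiers, stamps whose
// signature fails, and stamps made over a different build are ignored rather
// than treated as grounds for rejection: a bad stamp simply does not count.
func VerifiedApprovals(app []byte, stamps []Stamp, trusted map[string]ed25519.PublicKey) []string {
	seen := map[string]bool{}
	for _, s := range stamps {
		pub, ok := trusted[s.Certifier]
		if !ok || len(pub) != ed25519.PublicKeySize {
			continue // unknown certifier or malformed key: never counts
		}
		if ed25519.Verify(pub, stampMessage(s.Certifier, app), s.Sig) {
			seen[s.Certifier] = true
		}
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// Policy is the user's (or device's) rule for which approvals are enough.
// The zero Policy accepts anything, i.e. the fully open model.
type Policy struct {
	MinApprovals int      // at least this many distinct trusted approvals
	Required     []string // certifiers that must be among them
}

func (p Policy) Allows(approvals []string) bool {
	if len(approvals) < p.MinApprovals {
		return false
	}
	have := map[string]bool{}
	for _, a := range approvals {
		have[a] = true
	}
	for _, r := range p.Required {
		if !have[r] {
			return false
		}
	}
	return true
}

func main() {
	app := []byte("constructed sample package bytes, not a real APK")
	vendor, _ := NewCertifier("handset-vendor-qa") // hypothetical certifiers
	lab, _ := NewCertifier("security-lab")
	stranger, _ := NewCertifier("nobody-trusts-me")

	stamps := []Stamp{vendor.Approve(app), lab.Approve(app), stranger.Approve(app)}
	trusted := map[string]ed25519.PublicKey{vendor.Name: vendor.Pub, lab.Name: lab.Pub}

	ok := VerifiedApprovals(app, stamps, trusted)
	fmt.Println("verified approvals:", ok)
	fmt.Println("strict policy:", Policy{MinApprovals: 2, Required: []string{"security-lab"}}.Allows(ok))
	fmt.Println("open policy:", Policy{}.Allows(nil))

	tampered := append([]byte{}, app...)
	tampered[0] ^= 1
	fmt.Println("after tampering:", VerifiedApprovals(tampered, stamps, trusted))
}
```

A stamp that verifies says only that the named certifier signed that exact build; it says nothing about what the code does, which is the gap Ducklin points to with the Trojan that Symbian signed. The zero Policy is the fully open model; raising MinApprovals or listing Required certifiers moves the device toward the walled garden without taking distribution away from the developer.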
John Brand, research director at Hydrasight, concurred with Sutton. Developers, he noted, generally prefer adopting voluntary standards over having standards enforced upon them. "Therefore, the balance between an open and a 'walled garden' approach is critical to developing a successfully adopted platform," he said in an e-mail.
Users generally are not concerned with the party that certifies the application--they assume that the certification has been carried out, said Brand. Ultimately, he added, consumers decide the standards they are willing to accept, and they continually trade off security for convenience.
"The digital rights management argument is not just about protecting information from being accessed by unauthorized users but what content and services need to be protected for a variety of reasons," noted Brand. "Some applications will demand higher security and therefore higher standards being applied.
"However, for the general consumer, so far 'more open than closed' has been the mantra--even if this creates instability, insecurity and poor performance in service delivery."