Safer app downloads responsibility of all

Handset makers, app developers and users each has to ensure that mobile apps are safe to download, analysts say.

Mobile phone analysts have called for a greater emphasis on ensuring safety when it comes to application downloads, with handset makers and developers each with a part to play.

Tan Tong Yen, senior analyst from Canalys, told ZDNet Asia in a phone interview that everyone in the industry should be responsible. "We've actually seen viruses pre-installed on phones, so it is important that handset makers ensure their devices are safe. There's also an increasing emphasis for OS platforms from hardware vendors to keep apps 'clean' before putting them up in the marketplace."

Ariel Avitan, consulting analyst for network security technologies at Frost & Sullivan, believes no one party wants to be fully responsible for the issue.

"The optimal answer is that the platform which enables app downloads will take care of the apps in terms of security and the handset maker will take care of the handset. I guess both sides will work with antivirus vendors to make the above possible," he explained.

However, Jeffery Kok, strategic solutions consultant at RSA, thinks otherwise. In an e-mail interview, he said users are ultimately responsible for their actions. "Because the app developer creates the apps, how safe an app is lies largely with the developer. Most importantly, the users ultimately have to be responsible for selecting the 'safe' apps from 'safe' developers."

While surveys have shown that smartphone users are concerned with security, the idea of running an antivirus program in the phone remains foreign to most. Tan said this could be due to a lack of awareness.

"Users are still asking what smartphones can do for them. But in terms of security aspects, consumers are still unsure [of the risks], though there's certainly a market for these solutions," added the analyst.

Avitan said it is only a matter of time before the market realizes the importance of such a safety net.

"There [has been] no indication of a major virus attack on mobile phones, therefore there's no need for a mobile antivirus. Security vendors are already working on such solutions, but the market is not ready and does not need such solutions at this time," he said. 

But, as Kok sees it, should a need for large-scale antivirus use arise, this means the ecosystem has failed.  "Antivirus is a consequence created by poor app design, development and quality assurance," the consultant reckoned.  

Still, as security experts have advised, sometimes the most effective measures are those that are simple and usually free, and this includes exercising care when downloading apps.

Tan likened the thought process of buying an app to that of clicking on a foreign link on the Internet. Thanks to the constant publicity on malware attacks, PC users have learnt the severity of clicking on unknown and suspicious links. "From the buyers' point of view, they have to be cautious of the applications they access."

However, she would like to see clearer warnings displayed.

"There should be better warnings on the apps in terms of the access that the programs require, be it data or contacts in the address book. All these should be more clearly or explicitly told to the buyers," Tan suggested.

Asked if the purchase of apps is a "buyer beware" situation, Avitan thinks at least not for now. "This industry is too important for many stakeholders and there must be some ground rules with regard to security."

With Android closing in on iPhone's market share, Tan noted that the Google OS "marketplace" is the least safe. "Apple, Microsoft and Nokia are more stringent than Android--they put the apps through strict checks before making them available in the store," she observed, stating media reports on incidents of attacks on the Google platform, in comparison with the rest.

Media players have been the latest victims in recent high-profile attacks on OS platforms. An article on TheTechJournal highlighted a Trojan that infected Android handsets, while Symbian users in China were reportedly attacked by another Trojan carried by a DuMusicPlayer.

Avitan said handset vendors are looking to beef up security from the hardware perspective. "Some handset makers are working with secure Flash as the internal memory in the handsets, which means the memory is secured and the device has two or three more layers of security."

Kok acknowledged that while Apple and RIM have been constantly improving their security and app screening, not all manufacturers are seeing this as a high priority.

The GSM Association has a defined set of guidelines that urge handset makers and software developers to work on closing vulnerabilities and limiting security risks for mobile apps.