Are mobile apps secure?
The smartphone apps boom has yet to produce the tsunami of malware and information leaks feared by many. However, with awareness and usage growing, and more open systems predicted, how long can this situation last?
Not long ago most people would have been unaware of apps, or even that their feature phone could access them. Now, thanks first of all to the iPhone, although only a minority of the population uses it, everybody knows roughly what a mobile app is.
At present mobile apps are becoming more and more popular – from gaming and location apps to banking and news apps. Users are nervous about data security. Indeed, as we went to press, it turned out that there had been a dash by several household names to fix insecure apps, including Bank of America, Wells Fargo and PayPal, for iPhone and Android handsets. This was mainly due to critical bank account data being stored on a phone (or other more advanced mobile gadget).
Wells Fargo has already updated its Android app after it was revealed that the previous version stored the account holder’s username and password on the phone in plain text.
Bank of America’s Android app saved the answer to a security question in plain text on the handset and the bank has already fixed this weakness, while PayPal has updated its phone app for iPhone and Android to raise security. TD Ameritrade was reportedly in the process of rolling out updates for its iPhone and Android offerings as well.
As we can see, the world has changed dramatically over the last decade. Five years ago downloading apps was barely considered outside the PC world. Today, it is almost mainstream, though there is certainly a varying degree of security across the various platforms and hardware that offer it, the best known perhaps being RIM’s BlackBerry, Apple’s iPhone, Microsoft’s Windows Mobile, Google’s Android and the Symbian platform, commonly used by Nokia among others.
The multiplicity of platforms has helped on the security front as well: because it makes apps a vertical business, they are less likely to be downloaded from the open internet, other people’s phones or SD cards, and more likely to come via a single channel, like Apple’s App Secure and other app marketplaces.
Arguably too, this fragmentation of the market into five or more discrete operating systems makes tailoring malware for any one of them more costly and time-consuming than for, say, Windows for PC. So will the once predicted tsunami of malware actually happen?
Developers of mobile operating systems do not seem keen to comment on the state of mobile security. While it does seem that the present, highly proprietary approach favors security, no system is invulnerable, and nervous end users may still want to add their own defences. For instance, mobile security company Lookout offers a protection app for Android, BlackBerry and Windows Mobile phones that combats spyware and malware. Lookout argues that it’s necessary to offer this because the phone in the pocket is no longer just a telephone but a computer.
Some experts do not agree that proprietary operating systems make malicious attacks less economically viable, because each of the dominant platforms may have more units active in the field than there are Windows PC boxes currently, simply because there are so many mobile phones in the world: around 5 billion now, and the mobile market is still growing at a staggering rate, with some operators in India, for example, adding a million subscribers a month.
So although mobile has yet to become a hunting ground for viruses and other malicious software (malware) attacks, the huge fragmented market may ultimately make it just too attractive to criminals.
Leaking apps – apps that do not store information safely – are another challenge for security. For example, the Citigroup mobile banking app that accidentally saved information in a hidden file on users’ iPhones was not obviously dangerous but had the potential for misuse of that information.
Users shouldn’t expect app developers or those offering apps to pretend nothing has happened: it is not in their interests. However, stories of personal data (mainly location-based) leaking to advertising firms may indicate a need for a tightening-up of permissions. It seems that ‘leakiness’ may also just be part of the process for a developing business like this.
In particular, the migration of PC browser use to mobile could expose users to phishing attacks and false banking sites, for example.
At the moment the smartphone app store business is growing rapidly and attracts huge amounts of publicity, but it’s important to remember that it is only a small part – around 10% of subscribers – of the whole market.
Ovum already predicts global annual app downloads rising from close to $5.5 billion last year to over $21 billion by 2015.
Apps are not used only by smartphones, which are just the highest-profile and highest-tech mobile phones to use apps. In fact, apps – and by extension questions of safety and security – have a much wider potential marketplace than the iPhone, the BlackBerry or the myriad Android phones.
Cases of virus dissemination via MMS are known as well. The first such virus, CommWarrior (which appeared in March 2005), spread with the speed of an e-mail worm and presumably had Russian roots (its body contained the phrase ‘OTMOROZKAM NET!’, which means ‘Down with dolts!’), but it did not cause a virus epidemic because it infected only one model of smartphones (Symbian Series 60).
And yet the biggest threat to mobile phone security may not come from apps at all but from us. While all market participants are dealing with app-based security issues, when phones really are computers, users may need to stop blaming others and start changing their habits. Some threats, like responding to phishing attacks, opening dangerous attachments, making data easily accessible or just leaving an unprotected phone on the train, are problems of our making.
Source: 'Payment cards and mobile'