ENISA, the European Network and Information Security Agency tackling cyber security issues in the European Union, has published a report on smartphone app-store security.
Smartphones are projected to be the most common device for accessing the Internet by 2013. The smartphone industry delivers software to its end users via so-called ‘app-stores’, where thousands of applications are available for download to a user’s phone. The available applications range from online banking to mosquito repellent, and the most popular app-stores, such as the Google Android market and the Apple app-store, count their downloads in billions.
Consequently, app-stores have become targets for cyber attackers. As consumers, as well as government and business professionals, increasingly use smartphones to store and process large amounts of data, attackers can use malware to tap into sensitive information such as confidential business emails and personal data.
Recent smartphone attacks have included the capture of SMS messages carrying banking transaction codes, and the bundling of apps with malware that could take screenshots of a phone’s display and harvest sensitive data.
Following its 2010 report on smartphone information security risks and opportunities, ENISA has now issued a report identifying five measures for bolstering smartphone app-store security and recommending an industry-wide approach to addressing malicious apps:
Application review: apps should be reviewed before being admitted to the store, limiting the chance of introducing malicious apps, or legitimate but insecure ones.
Reputation: app-stores should display an app’s reputation, covering not only ratings of its functionality but also its security and privacy record.
App revocation (‘kill-switches’): smartphone platforms should support remote removal of installed apps by app-stores, and app-stores should have a revocation mechanism for malware and insecure apps.
Device security: smartphones should install and run apps in so-called ‘sandboxes’, security mechanisms that isolate running programs from one another, granting each app only the minimal set of privileges it needs and thus limiting the damage malware can do.
‘Jails’: smartphones can be restricted to installing apps from one or more designated app-stores only, a configuration commonly referred to as a ‘jail’. Smartphones should either prevent owners from using untrustworthy app-stores or issue clear warnings about installing from unknown sources. However, ENISA also warns against using jails as a way to stifle competition.