At the Infosecurity Europe 2011 conference, application security was identified as the biggest threat to smartphone users and the businesses supporting them, and as an area to which most mobile OS makers pay scant regard.
Speaking to an overflowing Business Theatre at the event, Veracode founder and CTO Chris Wysopal warned that, while risks exist at all layers, application security deserves more attention.
Noting that apps can be either purposely malicious or inadvertently place users at risk, he listed 10 ways apps can compromise users. The list includes:
- Activity monitoring and data retrieval
- Unauthorized dialing, SMS, and payments
- Unauthorized network connectivity (data exfiltration or command & control)
- UI (user interface) impersonation
- System modification (rootkit, APN proxy configuration)
- Logic or time bomb
- Sensitive data leakage (inadvertent or side channel)
- Unsafe sensitive data storage
- Unsafe sensitive data transmission
- Hardcoded password/keys
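The last three items on the list (unsafe storage, unsafe transmission, hardcoded passwords and keys) are the ones most amenable to the kind of source-level static analysis Wysopal credits the Windows Phone store with running. As an added example that is not part of the original article and is not Veracode's tooling, the Python scanner below runs three checks over a constructed Android-style Java fragment: a world-readable or world-writeable file mode (unsafe storage), a cleartext http:// endpoint (unsafe transmission), and string literals that are either assigned to a secret-looking identifier or have high Shannon entropy (hardcoded secrets). The sample source, the identifier patterns, the 3.5 bits-per-character entropy cut-off and the 16-character minimum key length are all assumptions made for this example.

```python
"""Toy source-level checks for three of Wysopal's categories: unsafe sensitive
data storage, unsafe sensitive data transmission and hardcoded passwords/keys.
Added example for this page; it is not Veracode's tooling, and the patterns,
thresholds and sample source are assumptions made for illustration."""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # one of the three list items being checked
    line: int       # 1-based line in the scanned source
    detail: str


# Constructed sample: an Android-style Java fragment written for this example.
# It deliberately contains one instance of each problem plus benign decoys
# (a short label, a private-mode file, a "token" literal that is only a key name).
SAMPLE_SOURCE = """\
public class SyncClient {
    private static final String API_KEY = "AKIAZ3JQ7XL2MNP9V4TT";
    private static final String DB_PASSWORD = "hunter2";
    private static final String ENDPOINT = "http://api.example.com/sync";
    private static final String LABEL = "Synchronising...";
    void save(Context ctx, String token) {
        SharedPreferences p = ctx.getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
        p.edit().putString("token", token).commit();
        FileOutputStream f = ctx.openFileOutput("cache", Context.MODE_PRIVATE);
    }
}
"""

# A secret-looking identifier assigned a string literal, e.g. API_KEY = "...".
SECRET_ASSIGN = re.compile(
    r'(?i)\b(\w*(?:api[_-]?key|secret|password|passwd|token|private[_-]?key)\w*)'
    r'\s*=\s*"([^"]*)"')
STRING_LITERAL = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')
CLEARTEXT_URL = re.compile(r'"http://[^"]+"')
WORLD_MODE = re.compile(r'MODE_WORLD_(?:READABLE|WRITEABLE)')

ENTROPY_THRESHOLD = 3.5   # bits per character; assumed cut-off for "random-looking"
MIN_KEY_LENGTH = 16       # assumed; shorter literals are treated as ordinary strings


def shannon_entropy(text: str) -> float:
    """Bits per character of the literal; random keys score high, words score low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key(literal: str) -> bool:
    """Long, space-free and high-entropy: the shape of an API key or token."""
    return (len(literal) >= MIN_KEY_LENGTH
            and " " not in literal
            and shannon_entropy(literal) >= ENTROPY_THRESHOLD)


def scan_source(source: str) -> list:
    """Return one Finding per flagged line and category."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if WORLD_MODE.search(line):
            findings.append(Finding("unsafe_storage", lineno,
                                    "world-accessible file mode"))
        if CLEARTEXT_URL.search(line):
            findings.append(Finding("unsafe_transmission", lineno,
                                    "cleartext http:// endpoint"))
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append(Finding("hardcoded_secret", lineno,
                                    f"literal assigned to {m.group(1)}"))
            continue
        # No telling name: fall back to the entropy heuristic on each literal.
        for lit in STRING_LITERAL.findall(line):
            if not lit.startswith("http") and looks_like_key(lit):
                findings.append(Finding("hardcoded_secret", lineno,
                                        "high-entropy string literal"))
                break
    return findings


def summarize(findings) -> dict:
    """Count findings per category, e.g. {'hardcoded_secret': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.category} ({f.detail})")
```

Run as a script it reports lines 2 and 3 as hardcoded secrets, line 4 as cleartext transmission and line 7 as unsafe storage, while the private-mode file, the short "auth" and "cache" literals and the human-readable label pass. A regex-and-entropy pass like this is a triage aid, not proof: it misses a low-entropy password assigned to an innocuous name, it can flag base64-encoded resources as keys, and it says nothing about what the app does with the data at runtime, which is why store-side analysis of the shipped binary matters as much as reading source.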
Application stores are meant to curate the safety and quality of apps, but Wysopal noted that not all are created equal, at least not from a security perspective. While all app stores can revoke apps, the iPhone App Store seems mainly concerned with the user experience, and of course the Android Market is famous for its laissez-faire approach to security.
"Apple is famous for their walled garden and has an approval process", Wysopal noted. "But it's not clear that they are looking at security issues. They seem to care about user experience and policies."
Conversely, Wysopal continued, the app market for Windows Phone has the "strongest" security process, whereby it runs a static analysis for malware as part of its approval method.
Wysopal provided dozens of real-world examples of how applications have absconded with user data using various methods on the Top Ten.
"The risks on a mobile device are very different", Wysopal said. "It's highly, highly portable as you carry it on you all the time, so from a privacy standpoint, things like your [immediate] location are more sensitive than the location of your desktop at work, for instance."
Read more at infosecurity-us.com here.