Windows Phone Marketplace has the “strongest security process”


Application security has been identified as the biggest threat to smartphone users and the businesses supporting them at the Infosecurity Europe 2011 conference, and it also appears to be an area most mobile OS makers pay scant regard to.

Speaking to an overflowing Business Theatre at the event, Veracode founder and CTO Chris Wysopal warned that while risks existed at all layers, application security deserved more attention.

Noting that apps can either be purposefully malicious or inadvertently place users at risk, he listed 10 ways apps can compromise users. The list includes:

  1. Activity monitoring and data retrieval
  2. Unauthorized dialing, SMS, and payments
  3. Unauthorized network connectivity (data exfiltration or command & control)
  4. UI (unique identifier) impersonation
  5. System modification (rootkit, APN proxy configuration)
  6. Logic or time bomb
  7. Sensitive data leakage (inadvertent or side channel)
  8. Unsafe sensitive data storage
  9. Unsafe sensitive data transmission
  10. Hardcoded password/keys

Application stores are meant to curate the safety and quality of apps, but Wysopal noted that not all are created equal, at least not from a security perspective. While all app stores can revoke apps, the iPhone App Store seems mainly concerned with the user experience, and of course the Android Market is famous for its laissez-faire approach to security.

“Apple is famous for their walled garden and has an approval process”, Wysopal noted. “But it’s not clear that they are looking at security issues. They seem to care about user experience and policies.”

Conversely, Wysopal continued, the app market for Windows Phone has the “strongest” security process, whereby it runs a static analysis for malware as part of its approval method.

Wysopal provided dozens of real-world examples of how applications have absconded with user data using various methods on the Top Ten.

“The risks on a mobile device are very different”, Wysopal said. “It’s highly, highly portable as you carry it on you all the time, so from a privacy standpoint, things like your [immediate] location are more sensitive than the location of your desktop at work, for instance.”

Read more at infosecurity-us.com here.
