Earlier this month, Symantec released its Internet Security Threat Report for 2010, and much like other reports on the state of software security for last year it showed significant increases in malware and other threats to application software and websites. In all, Symantec reported 286 million new Internet threats in 2010.
Most surprising was the rise in Web attacks from 2009 to 2010. Symantec reported a 93% jump in web-based attacks year-over-year.
On the mobile side, Fahmida Y. Rashid at eWEEK reported that Symantec also saw a considerable increase in vulnerabilities in mobile operating systems in 2010. Last year saw 163 vulnerabilities compared to 115 in 2009, an increase of 42%. Rashid is quick to add that while the total number of mobile vulnerabilities paled in comparison to web-based attacks, Symantec predicted that the number would continue to increase at a very high rate in 2011.
Much Mobile Malware
What we’ve seen so far in 2011 bears out this prediction. We have already seen one story after another about mobile malware grabbing headlines, many of them directly related to the Android operating system. And these malware applications have been showing up in quite rapid succession.
Perhaps the explanation for this rapid succession lies in Kenneth van Wyk’s comments at Computerworld, where he goes so far as to call these appearances of malware in the Android Market “inevitable.” He says, “The recent spate of malware-infested apps found in the Android Market illustrates the point. Mistakes are going to happen, even if our app providers undertake reasonable precautions in guarding their stores.”
At the crux of the problem, van Wyk points to Google’s loose review process for allowing applications to be posted to its app store. He notes that Apple has a team of reviewers reviewing submissions for its app store. As for Google, he points out, “the Android Market is far less rigorous in its review processes. That's being charitable.”
Van Wyk does say that even Apple’s app store has its share of malware issues: “Mistakes are going to happen,” he says. He then provides tips for mobile device users on how to protect themselves and their devices by being more aware of what they are downloading.
With all of our technology and all the parties involved with mobile applications – from the developer, to the reviewers at the app store to the buyers – there must be a better strategy for preventing a spate of malware from affecting mobile devices than a combination of “buyer beware” and “every man for himself.”
Because so much of business today is conducted on mobile devices that access enterprise networks, an independent third-party assessment program is needed to ensure that applications being accessed via mobile are safe, structurally sound and efficient. The same holds true for consumer apps, such as games and ads.
It is time for the entire mobile application software community to organize and adopt a certification process that can provide independent accreditation of mobile applications. This process should be simple to access and relatively inexpensive, such as a cloud-based portal. Such a portal would automatically analyze and measure the code and provide feedback on software size and health, based on industry norms, standards and best practices. This would allow mobile software developers to seek, and provide to consumers, a piece of third-party corroboration that their applications are robust and free of malware.
If legitimate developers were to seek such mobile application certification, and if app stores were to require it, buyers would no longer have to beware because rather than “every man for himself,” mobile malware prevention would be a case of “all for one, and one for all.”
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and the liability implications of open source components, all three of which are critical for M&A due diligence.