On Monday came the news of the Malicious Mobile Threats Report 2010/2011, released last week by the Juniper Networks Global Threat Center, that reveals a frightening statistic: since the summer of 2010, “Android malware has surged 400 percent.” What is to blame? According to eWEEK’s Fahmida Y. Rashid, the report cites user naiveté and general nonchalance as a major reason for malware developers putting a big 'bulls-eye' on the Android platform.
All of this begs the question: As Android sales continue to rise at exponential rates and overtake sales of all other smartphone platforms, at what point does someone tell Google it needs to do a better job of policing its app store?
Mobile Development Questions
Interestingly enough, these same questions came up in an article posted on CIO.com not too long ago. In an article titled “8 Security Questions to Ask Before Building Mobile Apps,” John Dickson notes that development of mobile applications has exploded over the last few years as enterprises attempt to get in on the popularity of all types of mobile devices – iPhone, Android and BlackBerry. Of the development rush, he urges:
“Business line managers need to make sure that marketing and IT managers who are building mobile applications are protecting customer data and not inadvertently opening up unexpected security holes for outside attackers.”
Dickson proceeds to question how mobile applications work within an enterprise setting, how they differ from enterprise applications and whether those developing mobile applications have the skills to create them for an enterprise (he actually believes many do not). However, he wraps his article with two very interesting questions, neither of which he answers in full:
- What organization (enterprise, device provider, mobile OS provider) is responsible for security?
- What development approaches are in place to build more secure mobile applications?
So exactly WHO should be responsible for security and what can be done to build more secure applications?
Mobile Development Answers Start at the Top
There seem to be three distinct groups involved in the management and administration of mobile applications – the platform owners (Apple, Google, RIM, etc.), the app stores for each platform and the mobile developers themselves. When it comes to security, though, there is plenty of responsibility to be shared at each of these levels.
Responsibility should begin at the top. Apple, Google and RIM need to take steps to ensure that the software that goes into the devices – either for operational purposes or as pre-loaded applications – is 100% secure. Also, since each company manages its own device's app stores, each should insist that an application meet minimum quality standards, in terms of both security and application software structural quality, before it can be listed in the app store. And finally, the developers themselves – the legitimate ones – need to take additional steps to ensure the security and quality of their applications.
I know what you’re thinking – this is “pie in the sky” thinking. Well, not entirely.
The current problem is that the various mobile platforms do not currently ask much of their developers when it comes to ensuring software security and quality. Were they to demand higher quality, app stores would need to scrutinize applications more closely – or in Android’s case, at all – before allowing an application to be listed.
In order to reach such a decision point, though, a set of software quality standards needs to be established – perhaps by the mobile platform vendors themselves – against which applications can be tested and certified. Then, by requiring mobile applications to pass through such an analysis and earn some form of certification to be listed in an app store, there would be a forced compliance of these minimum quality standards.
Unfortunately, until platform vendors, app stores and developers adopt a mobile certification program that ensures applications are safe to use, there will continue to be more questions than answers for mobile app development.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the targetâ€™s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.