Perverse Security Incentives Abound In Mobile App Space

Security problems abound in the mobile device space – and many of them have been well documented here and elsewhere. While mobile operating systems like Android and iOS are generally more secure than their desktop predecessors, mobile applications have become a major source of woe for mobile device owners and platform vendors. To date, many of the mobile malware outbreaks have come by way of loosely monitored mobile application stores (mostly in Eastern Europe and Russia). More recently, malicious mobile ad networks have also become a way to pull powerful mobile devices into botnets and other malicious online schemes.

Android Zombies

But my guests on the latest Security Ledger podcast point out that mobile application threats are poised to affect much more than just mobile phone owners. Jon Oberheide, the CTO of DUO Security and Zach Lanier, a researcher at DUO, note that mobile OS platforms like Android are making the leap to non-phone devices including automobiles. This, despite the fact that security problems with the OS and its ecosystem persist.

[Read more Security Ledger coverage of mobile security here.]

Oberheide, who recently discussed Android security at the CanSecWest Conference in Vancouver, said that Google’s decision to offer Android as an open source operating system has created a balkanized environment (my word, not his) in which Google has only limited ability to ensure that operating system updates actually get to Android users. Handset and device makers and their customers (such as mobile carriers) are free to adapt Android to their needs and are the final arbiters of which Android patch gets applied, how it gets applied and when.

That decentralized system has meant longer delays in getting OS updates to Android devices than on competing platforms like iOS. And that trend may become even more pronounced. These days, device makers are diverging further from Google’s standard Android image in order to add features that make their devices stand out, Oberheide notes.

And, of course, phones aren’t the only hardware running mobile operating systems. Google is promoting Android as a platform for automobile entertainment systems, while Apple is following suit: putting a new look on a real-time OS known as QNX and marketing it as Apple Car Play.

Lanier, who studied the security of QNX, which is the basis of Blackberry’s Blackberry 10 operating system, said that it has a long track record of use for industrial purposes as well as in the telematics space. But Lanier and Oberheide warn that legacy OSs like QNX will have a rough transition to the ‘connected car’ and Internet of Things world, where purpose-built devices (like car entertainment systems) are expected to behave like consumer devices: running applications, accepting all manner of media and so on.

Handset and device makers have few incentives to address the patching problem, as few customers will ask for it. They have many incentives to boost the ‘cool’ factor of their products in order to gain market traction. This, despite the many and diverse problems found in mobile applications, the two warn.

Check out our conversation – which also includes a remembrance of the Full Disclosure Mailing List – by clicking on one of the links below!

Listen on Security Ledger
Listen on Soundcloud.com