How app stores make you safer -- to a point

The growth of app stores has neutralized many old-school malware threats, but it's introduced several risks too

Page 2 of 2

It would seem that application stores are the be-all and end-all to computer security. Alas, we live in an imperfect world. To begin with, even these newer, improved, more secure apps have been exploited. It's human nature -- we make mistakes, as do programmers. Even worse, most platforms include approved applications that intentionally perform malicious (or unapproved) actions. The vendor can remove the application from the store, but often the offending software has been download hundreds of thousands to millions of times before it's exposed as malware.

Many sophisticated users "jailbreak" their device so that they can install applications not approved by the vendor. In fact, jailbreaking enabled many of the most notorious malicious apps -- and it will never go away. The bigger question is if vendors can retain control over what applications are published in their app stores or can be downloaded to their devices. Many observers believe that software freedom will trump vendor rights in court one day, and essentially we'll end up with jailbroken devices by default. That's good for user and programmer freedom, but not so much for computer security.

In reality, it takes far more than secure apps to keep a computer safe. A perfectly secure app can become an exploit vector through the use of the very features the programmer intended, albeit in an unintended manner. Think of macro virus, Visual Basic worm, and nearly any programming language ever invented -- it's hard for an app to be secure when the malicious writer works through built-in functionality.

Today, apps are commonly exploited through malformed data. Online evildoers routinely send malformed data files, like PDF and Flash files; when rendered by their intended parent app, they send the application into buffer overflow and take control of the system. Now take the possible exploit surfaces and add in all the new, unexplored aspects of of cloud computing and common protocols such as XML and HTML5. Even if the platforms are different, the common protocols will allow malicious replication to continue in the future.

Still, if we were to have perfect devices and perfect software, it wouldn't change the vast majority of malicious hacking. Today, socially engineered worms, spam, and phishing attacks (none of which rely on software vulnerabilities) rule the attack space. A good fake email or Internet prompt will fool hundreds of thousands of end-users any day of the week.

None of the devices, app stores, or applications will significantly improve our overall security stance, even if they reached their pinnacle. And malicious attacks can't be put down by a supposedly foolproof endpoint defense. They don't exist. Hackers will get around every defense until we rebuild the Internet. Until we implement solutions that enforce pervasive identity and authentication across the Internet, we'll continue our whack-a-mole strategies that will never work.

In the real world, most people don't behave like criminals because they can be identified and would face significant consequences. Rob a bank a few times and you're likely to get caught and go to jail for many years, all for a few thousand dollars. But on the Internet, you can steal millions of dollars a week and never get caught. Until we change those dynamics -- and it will take pervasive identity and authentication -- those facts will not change.

One day a tipping point event will happen, and the world will shudder, react, and implement the solutions we knew we needed decades ago. Until that week, we, unfortunately have to live with security solutions that won't work. At least we'll have sleek portable computers and fun apps to play with along the journey.

This story, "How app stores make you safer -- to a point," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

| 1 2 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies