Larry Seltzer
Editorial Director, Byte
Android Fails in Mobile Malware Research
Category: Tablets, Smartphones
What about Windows? Microsoft's Windows Store sells apps for Windows 8, Windows RT and Windows Phone. All of this is a bit young and market share is small enough that it's possible nobody has even tried to submit malicious code, but Microsoft has gone to some trouble to prevent it. The software giant has credibility in this, as over the last 10 years it has transformed desktop and server versions of Windows from security jokes to industry leaders.
Microsoft provided me with these links for app security provisions:
- Microsoft President Steve Sinofsky explains measures taken in Windows 8 to protect against malware
- The principles and design of the Windows Store app licensing model
- Windows 8 app certification requirements; rules for what apps may and may not do
- How to get a developer license for writing and submitting apps; measures Microsoft takes to detect fraudulent use of the license
- Security best practices for building Windows Store apps
- App policies for Windows Phone
- How Microsoft verifies the identity of developers for the Windows Store
- Delivering reliable and trustworthy Metro Windows 8 style apps
- Security for Windows Phone
- Technical certification requirements for Windows Phone apps
- Windows 8 app certification requirements
- Windows Phone 8 security and encryption
- Testing your app with the Windows App Certification Kit
- Technical certification requirements for Windows Phone
Windows 8 implements all of the techniques in Windows 7 to protect against malware and some new ones, most importantly (as I see it) a new generation of SmartScreen. SmartScreen is a reputation system. For some time it has been used by Internet Explorer to determine whether a web site is known to be safe, unsafe, or if it has never been seen before. Windows 8 extends this reputation system to files generally. See the screen capture below:
Because of the enormous installed base of Windows and Internet Explorer, the reputation system has great credibility. Windows 8 also comes with a version of Windows Defender to act as an anti-malware solution if you don't have a third-party product installed.
Apple's rules and procedures for developer identity verification and vetting of programs ("We review all apps to ensure they are reliable, perform as expected, and are free of offensive material") are famously thorough and strict. Microsoft's developer ID requirements and procedures are also fairly thorough.
Google asks few questions and I see no evidence that they verify anything meaningful. In fact, by keeping fees the lowest in the business, minimizing identification requirements and making a joke out of code signing, they have created the perfect low-cost/low-consequence environment for writing malicious code.

It's simply too early to tell whether malware and other malicious app behaviors will be a problem for Windows Phone, Windows RT or Windows 8 apps. But it's certainly not too early to reach a verdict on Android: Google has failed to implement sufficient controls and malactors have rushed in to take advantage. The overall numbers may be low as they represent only a small percentage of installed base, but they're big in absolute terms. Be careful out there.
Larry Seltzer is the editorial director for BYTE.