Mobile malware has drawn ample attention at the Black Hat security conference, a UBM TechWeb event, in Las Vegas this week, and Android has taken a heavier beating than all other mobile platforms. The reason? Google's open policies on app approval and the availability of third-party app markets leave too many cracks through which malicious apps can slip onto users' devices. But lest we take too simplistic a lesson from all this, let's take a look at how some third-party app stores could actually help the situation.
The argument against open app stores goes something like this: Without a single point of control over which apps get in and which are kept out, users will have no reliable way of knowing whether a given app is safe to download and use. Therefore, all apps should go through a single, well-regulated marketplace that ensures a thorough review of every app and provides authoritative approval for safety and quality. We've seen this line of reasoning from Apple more than a few times in the past couple of years, and the prevalence of Android malware apps seems to lend it some credence.
But this single-source approach to app security smacks of authoritarianism. As we've seen with Apple's opaque and persnickety approval process, it lacks the flexibility to offer users the broadest possible range of options and features for their mobile devices, and sometimes degenerates into inter-company power struggles that deprive users of desirable services in the name of the platform owner's profit or partnership interests.
While Apple has always held a substantial lead over Android with the total number of apps in its iOS App Store, Android has consistently led the way in offering VoIP apps, alternative browsers, and other consumer-friendly apps that Apple has held up or rejected. My point here is not to denigrate Apple for serving its own business interests, but to suggest that Google may be on the right track by offering a less Draconian alternative.
Interestingly, most of the security experts I've talked with this week have suggested blocking access to software sources other than Google's official Android Market as a means of protecting Android devices from malware. The fairly obvious logic here is that, by sticking to officially hosted apps, users will at least manage to steer clear of the most disreputable download sources. However, as analysts for Lookout Mobile Security noted in the company's newly released 2011 Mobile Threat Report, "Amazon's Appstore for Android and Verizon's V CAST apps utilize a curated model with a manual review process similar to Apple's, while Google's Android Market is based on a community-enforced model."
So, which is it? Should security-conscious users avoid third-party app markets and stick to Android Market alone, or should they instead turn to curated third-party marketplaces and resist downloading from Google's market?
If we've learned anything from looking at the most notorious Android threats to date, it's that bad software runs rampant on many third-party download sites, and sometimes makes its way onto the official Android Market. Curated marketplaces, meanwhile, enjoy a clean track record, and may actually hold the key to offering the best balance between Google's relatively open Android Market and Apple's tightly closed App Store.
It seems clear from the evidence that downloading apps willy-nilly from around the Web is a great way to load your phone with malicious code, so there's obvious value in heeding warnings about third-party app stores in general. But carefully selecting reputable third-party sources with sound app review policies may be the very best way to protect Android phones from infected code. And, compellingly, open competition between app markets should help keep the total number of good apps on the rise, offering a broad array of choices for consumers and business users.
Unfortunately for those in search of easy answers, the job of selecting trustworthy app sources will still fall to the end user. That means IT pros and all those who play unofficial tech support to family and friends would do well to familiarize themselves with the range of available app markets and keep worthy recommendations on hand. App resellers like Amazon and Verizon would do well to support informed users by making their review and approval processes as public and transparent as possible. Because if there's one thing Android users could really use right now, it's a clear path to safe downloads.