Benjamin Robbins, an EMF member, is spending the next year working solely from a single mobile device. Each week he shares his thoughts and experience with us on what it means to be mobile-only.
Being part of a company that develops enterprise mobile applications, I am aware of the level of difficulty that one faces in deploying applications to the various mobile platforms. iOS is much more challenging than Android. If you were to compare the two in terms of the marketplace approval process, iOS is the maximum security prison while Android is a half million acre nature preserve; the former has the hatches battened down, while the latter is free, wild, and open. When it comes to the Android marketplace approval process, there is lots of opportunity to for ‘creative’ code to enter the system.
Knowing that Android will accept and publish most any application almost instantly, I was a little surprised this week to find myself involved in a conversation where the other party confidently stated how secure they felt Android was based on the fact that they had never opened an app they didn’t know beforehand. To which my response was “but don’t you also have an antivirus/malware app?” The response was, “no, but I obsessively check the requested permissions for apps.” Now, I don’t want turn this into a FUD (Fear, Uncertainty, and Doubt) article, but I do however, want to use this opportunity to discuss the importance and value of basic security on such mobile (pun intended) and connected devices.
For all intents and purposes, the Android App Marketplace is an un-curated process, meaning apps don’t undergo rigorous scrutiny before being publicly available for download. This makes the platform a much easier target for dubious apps – the lower the fence; the easier it is to step over it. And with Android’s popularity in the mobile ecosystem, it makes it that much more of a tempting target.
During an install, Android does warn users about what data and services an app wants access to. However, for the average user, this is fairly meaningless. It is the mobile equivalent of UAC on a PC. Most people just click ‘ok’ without trying to understand what is going on and the consequences of doing so. Better yet, when it comes to dialogs such as UAC, most people just want to know how to turn the darn thing off! If I had nefarious tendencies and awareness that many users mindlessly click ‘ok’, I would be all over pushing apps to Android. Reliance upon the end user’s knowledge and understanding is a bad security practice.
As mobile platforms march toward computing dominance, more sophisticated exploits will continue to emerge. Relying upon yourself to check permissions will only get you so far. As well, the average user doesn’t have the knowledge or time to pay attention to permissions “obsessively”. Yes, there are those of you out there who are very knowledgeable and understand how to leverage this information. But there are many who do not. Even if you do understand permissions, I would bet good money that there are people out there who will find other ways around the system.
The other challenge in staying ahead of malware is you have to constantly stay on top of exploits. Unless you are in the security industry, you don’t/won’t have time for this either. Increased popularity will bring an increased number of exploits. Your time could be better spent on more productive tasks. Better to leave it to a security company whose success is tied to staying on top of such information.
If we are serious about a paradigm shift to mobility, our attitudes towards mobile viruses, spyware, and trojans should reflect that seriousness as well. We should not be cavalier and cocky about our knowledge of an OS as a line of defense. Mobile security doesn’t even have to cost you. Lookout has a free app available for download. We should not approach security on a mobile platform any differently than we would on a desktop. Are you going to invest the time to obsessively check permissions and stay on top of exploits? I can think of better things to do with my time.
Benjamin Robbins is currently a Principal at Palador, a firm that focuses on providing strategic guidance to enterprises in the areas of mobility, apps, and data. You can follow him on Twitter. Mr. Robbins resides in Seattle and blogs regularly at http://www.remotelymobileblog.com