Application stores need to be clearer on whether they are testing for security flaws or not.
Chris Wysopal, CTO of Veracode, claimed that there is a persistent concern over malware spreading to smartphones and at the moment there is a grey area over the sense of security a smartphone user has.
He said: “Stores need to approve applications because malware gets through the stages of approval and signing, it is not enough to just do this, they need a testing process behind it. To me it is important for vendors to talk about testing and that customers pick a device not just on its security but on the security of the store. What is the approval process from a privacy point of view? We want to know what they are doing from a security and privacy point of view.”
Asked if security should be put in the first instance, Wysopal said: “There are two paths that an app store can make – say that they are going to have an approval process but there is no false sense of security and it does testing as part of the approval process.
“Or the other is saying that there is no testing. Android says that it does not do any testing and uses a method of revoking applications which is fine, but it is buyer beware.”
He pointed to an example of an application on the Apple store, where the ‘iMobsters' game from Storm8 led to a lawsuit with a user saying that they had no right to collect the numbers from his phone just because he downloaded their game.
“Apple was not testing for a privacy violation. This is the only example of getting through the process, so they need to know what they are testing for,” said Wysopal.
“Right now it is a grey area where no one is clear and there is a vague sense of security that people end up with on their phone. We are entering the 1999 era on smartphones that we were in with PCs. It is not an epidemic but we need to stop it before it becomes one.”