Veracode has warned about application security, saying that users could unwittingly download malware written by untrusted developers.
Following claims by Veracode CTO Chris Wysopal that an application downloaded innocently could subsequently install spyware, CEO Matt Moynahan pointed to the Android incident from early this year, when fraudulent applications were found on the marketplace.
He said: “People were downloading them and installing applications. Platform providers who allow application downloads are aware of the application risks, but it is cool functionality so no one wants to slow down or stop deployment. It would be counterproductive, but the more barriers you put up, the less attractive you are to consumers. What would happen if no more applications were made available for the iPhone?
“Applications are written by unknown developers, and we are seeing bad things happen all too easily. Do you really want to know how secure an application is? You had better trust the code. There is a lot more content out there and it is easy to use; it is nothing to do with the network, it is about content and supply chain and what consumers are supposed to do about it.”
He pointed to the Google and China incident, claiming that the search engine fell victim to an Internet Explorer browser vulnerability: Google was spending money on security, yet a flaw in a third-party application caused the problems.
He said: “There is an increasing reliance on putting control in security roles; the average hacker is realising that they can attack the supply chain rather than break the bank. With Google, the Chinese government got hold of a Microsoft vulnerability, but this proves the problems of outsourcing site security if Microsoft is falling victim to a top ten flaw. XSS has been around for years, so what help is there if this happens? An extreme imbalance: it is too easy to break into Google, it is not hard to do bad things.”
Moynahan said that there had been an explosion of device applications: everyone uses them, but no one knows where they are coming from, and mobile phones are being owned. “The problem will only get worse as no one knows where they are coming from; the attack vector is the app - and that is a big difference,” he said.
Yesterday Wysopal called for application providers and app stores to provide independent proof that their software does not behave inappropriately or contain vulnerabilities that can be exploited by malware.
So is the future to be able to scan applications before installing them? Wysopal claimed that 50 per cent of Veracode's customers are using the company's service to scan third-party code because they cannot trust the applications they receive.
Moynahan said: “What happens when a software company fails the user? It will not be long before you scan applications for phones. Why? Because you can. Scanning has to be done in the cloud, the footprint of devices is so small, and the ability to scan code does not exist on the device - it has to be done in the cloud. By the time it is on the machine it is too late.”