Turner: Time to Address Systemic App Security Issues
SAN DIEGO - The applications industry needs to do a better job of policing itself, because in its current state, it's putting both consumers and businesses at risk.
That was the message from N4struct executive Aaron Turner during a Monday keynote address at APP-Solutely Enterprise.
"The apps industry needs to take a page out of Ralph Nader's book 'Unsafe at Any Speed' - we've got a bunch of Corvairs and Pintos out there," Turner said, referring to Nader's infamous tome on unsafe cars. "There are apps with no safety features whatsoever... We've got to think through how we protect the consumer, how we protect the enterprise."
N4struct provides security and risk assessment services to corporations and other large organizations.
Turner pointed to major security flaws in both the applications themselves and the back-end servers they talk to. Unless proper security precautions are taken on both sides, users will be left vulnerable, he said.
"When you think about the problem end to end, it really comes down to how we put together systems and processes to make sure we don't create the next major wave of mobile attacks," he said. "Not just the exploits and vulnerabilities on the end points, but the exploits and vulnerabilities on the back end."
Apple's iOS platform is widely perceived as being more secure than Android, but Turner said that was not necessarily the case. "A lot of people perceive iOS as this massively secure operating system, but it has some significant issues," he said. The same goes for iOS apps.
As Turner put it, Apple has done a good job of marketing Android Market as "icky" but "Apple is not doing a good job ensuring apps are secure."
A case study conducted by N4struct found obvious vulnerabilities in iOS apps - vulnerabilities Turner claimed Apple would have caught if it did a better job of screening apps. The problems associated with iOS apps have gone largely unnoticed by the enterprise community. In a recent N4struct security assessment, 99 percent of the enterprise users surveyed said they trusted everything in the Apple App Store.
"It's like their birthright to download everything in the App Store," Turner said.
After Turner wrapped up his presentation, an audience member asked him why there hasn't been anything "catastrophic" if the situation around application security is as bad as he claims.
Turner explained that the "underground" is self-regulating and goes after the most lucrative exploits, not necessarily those that would attract a lot of attention.
Consumers might not draw the connection between downloading a free app and a subsequent phishing attack at work, even when the attack traces back to a malicious app that harvested email addresses from the user's contact list and sold them to scammers.
Email addresses are sold on the black market for about $2 a pop, Turner said, with the offering price going up for more valuable email addresses at large corporations or government agencies.
Turner compared it to the old computer game Oregon Trail. In the game's heyday it was loaded from diskettes, and a diskette could be destroyed if it was inserted into a virus-infected computer.
“Now with applications on mobile phones, it’s kind of the same way. That poor hygiene in one place could be a disrupter for us all,” he said.
The low profile of application security problems could delay the industry's response by making the issue appear less urgent than it really is. Referring back to Nader's expose on unsafe automobiles, Turner said, "It's going to take some wrecks before we crack down."