the Open Application Markets Acta bill that would, among other things, require device manufacturers to allow unverified apps to be installed on users’ mobile devices, won the approval of the US Senate Judiciary Committee earlier this month.
This legislation would confront the “walled garden” app distribution model, in which apps can only be installed from official app stores, in place since the early days of smartphones. While many have focused on the potential consumer benefits of app store competition, this piece of the proposed legislation introduces unintended, but potentially significant, device security risks by allowing apps to be delivered via unsupervised channels.
Moving away from the current “walled garden” model introduces new security risks for users, who may turn to stores with a higher volume of malicious apps. App stores operated by Apple, Microsoft, Google, and other major software companies screen apps sold in their stores for malware and vulnerabilities.
While these filters can be imperfect, especially when they lack human scrutiny, the controlled nature of these stores greatly reduces the ability of malicious cyber actors to use applications to steal user data or commit fraud.
A free app is not free if the result is an empty bank account.
In comparison, poorly regulated app stores, like many found in China, are breeding grounds for compromised apps filled with malware. Insufficiently regulated app stores lacking even the most basic security controls increase the risk to consumers by making it easier for them to download a compromised app that could steal their data or defraud them.
Application stores have become a central part of the modern software supply chain. The apps they provide to consumers offer a range of financial, health and personal services that are both essential to our daily lives and contain highly sensitive data.
Individuals and small businesses are at a higher risk of having their data stolen or defrauded by malicious apps, because they lack the resources large corporations use to control what software can be installed on their devices.
The recent Flubot Malware attack, for example, leveraged targeted text messages to trick recipients into downloading a malicious app to their phone, allowing attackers to steal financial information and intercept text messages. The malware, which forced users to allow the installation of apps outside of Google’s App Store, shows how compromised apps can wreak havoc on unsuspecting users.
Flubot is just part of a larger trend of using compromised software to steal sensitive data or ransom data. The danger posed by this trend would only be amplified by a move towards unregulated markets devoid of the app review and security checks in place at official stores.
Allowing unfettered “sideloading” of apps – installing apps from outside an official app store – creates an even greater risk, allowing apps to be installed from anywhere on the Web. While this may give users access to more free apps, it also creates significant attack opportunities to trick users into installing malware-filled apps. A free app is not free if the result is an empty bank account.
Fortunately, Congress can impose security standards on new app stores that can help protect end users.
First, they can require stores to have a basic level of security review and app monitoring, including human review. Human review helps ensure that the permissions used by the app reflect app advertising, an essential step in preventing malicious apps from doing things they aren’t supposed to.
Second, the US and other governments should drop plans to impose unrestricted “sideloading” – the risk to the average end user is just too great when they can install an unknown app with just a few clicks. without understanding the security risks that come with it.
Finally, some users may choose to stick to official app stores to reduce the risk of installing a rogue app, but for users who decide to install apps outside of these stores, they should also practice a good hygiene of the device to reduce their risk by blocking the installation. apps from untrusted sources and avoiding apps from the open web or untrusted app stores.
The risks posed by malicious apps will always exist, but policymakers and users can do more to ensure that an increasingly competitive app store space minimizes the threat to users’ personal data. Adding basic security standards, like those described above, to existing proposals can help minimize the security risks posed by a new world of app store choices.