ENISA advises on smartphone app security

In the wake of several high-profile exploits of smartphone operating system through insecure apps, the European Network and Information Security Agency (ENISA) has identified five recommendations for running a more secure app store.

Recent exploits have seen the DroidDream trojan compromise around 50,000 mobile devices via infected apps in the Android app store.

And security software firm G Data released a separate report yesterday claiming that malware targeting mobile devices had increased by 273 per cent since the first half of 2010.

The report containing the recommendations was released today.

ENISA's five recommendations for app store security are:

• App review: Appstores should review apps before admitting them to the app store. While app review cannot be perfect, it limits the possibilities for app developers to introduce malicious, or legitimate but insecure apps in app stores.

• Reputation mechanism: Reputation of apps and app developers can help users avoid malware. A point of concern is that most users rate apps for their functionality and not for their security, so there should be a separate channel for security and privacy issues (e.g. "this app works, but asks for excessive privileges at install").

• App revocation (or kill-switch): Smartphone platforms should support remote removal of installed apps by app stores. App stores should have an app revocation mechanism for malware and insecure apps.

• Device security: App store defences rely on the security of the devices running the apps. The device should install and run apps in sandboxes, to reduce the impact of malware. In the sandbox, apps should get only a minimal set of privileges (the principle of least privilege). The sandbox should monitor the app inside it and allow the user to see the app's past activity.

• Jails (or walled gardens): Smartphone platform vendors can restrict smartphones to apps from one or more designated app stores only and in this way prevent drive-by download attacks. This is commonly referred to as a jail or a walled garden. The smartphone should either be blocked from using untrusted app stores or, for expert users, present clear warnings about installing from untrusted sources.

While ENISA recognised the benefits of hosting apps within a small number of stores where they can be vetted, it highlighted the increasing vulnerability of smartphones as they are increasingly used to process and store critical information.

"Cyber attackers are focusing more on smartphones. They will try to sell malicious apps directly or go after software vulnerabilities in popular apps. The stakes are high: consumers, government and business professionals use smartphones to store and process large amounts of confidential and personal data."

Dr Marnix Dekker and Dr Giles Hogben, co-authors of the report said:

"Using malicious apps, attackers can easily tap into the vast amount of private data processed on smartphones such as confidential business emails, location data, phone calls, SMS messages and so on. Consumers are hardly aware of this."