As competition heats up, smartphone vendors are scrambling to woo developers to their respective OS platforms. But some developers are more desirable than others. The discovery of suspected malware in the Android Market online app store is evidence that mobile platforms are becoming as attractive to criminals as they are to legitimate software vendors.
More than 50 Android apps have been flagged as potential hazards since December, all of them published by a developer identified only as "09Droid." The apps were advertised as online banking tools, each targeted at a specific financial institution. Their true purpose, security researchers now believe, was phishing and identity theft.
Google has since removed the 09Droid apps from the Android Market, but the fact that they were listed in the first place raises serious questions about the safety of the app-store software delivery model, as practiced by Google and other vendors. If mobile infrastructure providers don't act quickly to restore customer confidence, this incident could cast a lasting pall over the mobile apps market, even as it's just getting started.
Apple: Hero or tyrant?
While all smartphone vendors offer online markets for third-party software, their approaches to security vary. Apple's App Store was the first such market and it remains the largest, with more than 100,000 apps available for download and 3 billion apps sold since the store opened in 2008. It also has the tightest security model. Software is carefully vetted by Apple examiners before being approved for sale on the App Store, and the process is no mere rubber stamp. Indeed, the company's intransigence on some issues has inspired much puzzlement and lively online debate.
That's not to say there have been no malware incidents on the iPhone platform. One early example changed iPhone users' wallpaper to a photo of '80s singer Rick Astley. Since then, security experts have discovered at least one case of malware in the wild that can steal contacts, e-mail, and other data from iPhone handsets. But these exploits only work on "jailbroken" iPhones, so called because they have been intentionally hacked to accept apps from sources other than the App Store. Because of the obvious security risk, jailbreaking an iPhone voids its warranty.
But Apple's model is not without its critics. As the number of developers submitting software to the App Store has increased, the approval process has slowed, leading some developers to accuse Apple of undermining their time-to-market advantage. And some iPhone owners insist they have no choice but to jailbreak their phones, claiming Apple blocks legitimate apps from the App Store for arbitrary, specious, or obscure reasons.
These gripes have lent ammunition to the iPhone's competitors, who hope to gain market share by offering alternatives to what they characterize as Apple's heavy-handed, draconian policies. Last fall, Verizon Wireless marketed its latest Android handset, the Motorola Droid, by suggesting the Droid would do everything the iPhone wouldn't -- a campaign that seems ironic now, in the wake of the 09Droid phishing debacle.
Risking it all for openness
Perhaps no other smartphone vendor has staked its fortunes on its developer community more than Palm. From the outset, Palm has promoted its WebOS as an open alternative to proprietary platforms, including Apple's. In its boldest move to date, it unveiled Project Appetite, an open source software foundation that customers can use to build their own, independent WebOS app stores. But lacking any formal oversight, how can Palm users be sure that such stores won't be used to exploit their handsets for phishing and other nefarious purposes?
Open platforms are attractive to developers, but as we have now seen, developers come in all flavors. If smartphone vendors aren't careful, they risk repeating the mistakes of the PC software industry, with mobile platforms becoming the new Wild West of computing.
At first blush, WebOS apps may seem safer than most. They're built with HTML, CSS, and JavaScript, rather than native code. But in response to pressure from game developers, Palm recently announced a plug-in development kit that allows programmers to build modules for WebOS apps using C and C++, which increases the risk considerably.
By comparison, Google's Android OS is based on Java, which is known for its sandbox security model. Google engaged security experts early in the Android design process, in hopes of weeding out any potential vulnerabilities before bringing the OS to market. But even if the Android platform is completely bug-free -- an unlikely assertion -- the 09Droid apps are proof that malware doesn't need to exploit software flaws to be dangerous. A credulous user is as easy a target for a phishing attack as defective software is for an exploit.
Tough love for developers
Strong governance is the only solution. Open source platforms such as Android and WebOS invite independent review of their code, but it's unrealistic to expect an open source community to anticipate every possible avenue of attack. Far more important is the ability to act swiftly when exploits arise, and that's something only centralized oversight can provide.
Google did the right thing by removing the 09Droid apps from the Android Market. But the fact that security advisories about the apps were issued by the affected banks, and not the Android Market itself, is an embarrassment. Allowing those apps to linger in the store for a month or more is inexcusable.
While a strong developer community is an asset to any platform, part of a community's strength is its reputation in the eyes of customers. When malware authors are allowed to run unchecked, the loss of customer trust hurts every developer.
Apple's insistence on a single App Store may indeed seem draconian. Cynics will say it serves no purpose other than channeling a revenue stream to Cupertino. But by ensuring that each and every app in the App Store has met its rigorous standards, Apple has forged a bond of trust with iPhone users that no other smartphone vendor can match. There is yet room for smartphone vendors to compete with the iPhone through innovation. Sacrificing security and stability for "openness," however, is throwing the baby out with the bathwater.
http://www.infoworld.com/d/developer-world/android-malware-how-open-too-open-784?page=0,1