ENISA (The European Network and Information Security Agency), which is an EU agency for network and information security, has proposed a five step measure to protect smartphone users from Malware (software that are designed to steal user data and harm the user device) while downloading an application.
Below are the five steps that the agency has proposed, and we are in full agreement with them regarding these steps. The problem is that it is for the App stores to decide whether to choose or ignore these suggestions. But as a user you can still use these suggestions to be more secure.
App review: Appstores should review apps before admitting them. While app review cannot be perfect, it limits the possibilities for app developers to introduce malicious, or legitimate but insecure apps in app stores.
App stores can check apps with automatic (static and dynamic) analysis tools. Additionally human (manual) review can be used. While scalability is a problem with human review, this could be addressed by focussing on sensitive functionality and by using escalation procedures.
Reputation mechanism: Reputation of apps and app developers can help users avoid malware. App stores should show the reputation of apps and app developers. Second-order mechanisms can increase reputation quality. App stores could take into account the reputation of the same app in other app stores. A point of concern is that most users rate apps for their functionality and not for their security, so there should be a separate channel for security and privacy issues (e.g. “this app works, but asks for excessive privileges at install”).
App revocation (aka kill-switch): Smartphone platforms should support remote removal of installed apps by app stores. App stores should have an app revocation mechanism for malware and insecure apps. In special cases, for example when malware breaks out of the app sandbox, it may be necessary to use customised removal tools.
Device security: App store defences rely on the security of the devices running the apps. The device should install and run apps in sandboxes, to reduce the impact of malware. In the sandbox, apps should get only a minimal set of privileges (the principle of least privilege). The sandbox should monitor the app inside it and allow the user to see the app’s past activity. App revocation should uninstall the app and return the device to a pre-install state.
Jails (or walled gardens): Smartphone (platform) vendors can restrict smartphones to apps from one or more designated app stores only and in this way prevent drive-by download attacks. This is commonly referred to as a jail or a walled garden.
The smartphone should either be blocked from using untrusted app stores or, for expert users, present clear warnings about installing from untrusted sources. The approach to this issue is crucial — if users can easily install from untrusted app stores, then it is easy for attackers to bypass the defences of the good app stores (with drive-by download attacks).
On the other hand, overly-restrictive jails encourage users to break the jail, possibly introducing higher risks than those originally mitigated by the jail. Jails should, for example, not be used to stifle legitimate competition.
While these suggestions are intended for the app stores, smartphone users can take a cue from this and be more informed and secure users. For instance, you can still choose to download apps only from the operating system specific app store like Android market, iTunes etc. You can also read application reviews in sites like ours and many more before downloading it so that we face these attacks and not you.
Downloading an anti-virus and anti-theft software could be one good measure to secure the device from not just the cyber threat but also from the physical threat of it reaching the wrong hand.