It was only a matter of time, but it looks like mobile applications are now sufficiently ubiquitous to attract the serious attention of cyber criminals.
In June, Apple banned a developer after he hacked around 400 iTunes accounts. At the end of July we heard that 4.6 million Android users had downloaded a suspicious app that transmits data to a site in China. Other stories are starting to raise similar worries.
So far we are not talking about the multimillion-pound frauds or thefts of thousands of personal records that have dogged personal computers, but we are now firmly on that route. What these cases show, and what security professionals have long suspected, is that app store checks are far from foolproof, and mobile operating systems have vulnerabilities. Now that mobile devices have become widespread enough to yield decent returns, they are becoming very attractive targets for cyber criminals.
The problem, as is so often the case, is that neither mobile devices, mobile software, nor applications are designed with security as a priority. In the rush to get products to market and the desire to offer increased functionality, security is not given proper consideration.
As a result we are likely to see increasing problems from applications that install malware or exploit vulnerabilities in new operating systems, either inadvertently or deliberately. This gives cyber criminals the opportunity to use apps to install a backdoor on such devices and then use them for a range of purposes, such as sending spam or recording keystrokes to steal bank details.
This is exactly what happened with personal computers. Security was not recognised as an issue, so weaknesses were not adequately dealt with. As the internet became readily available there was a period where hackers could do pretty much as they liked. After a while we learned from this and began to patch these weaknesses and develop security software. Inevitably, we were playing catch-up, because we hadn't built systems which were prepared to deal with this threat in the first place.
This was understandable. The IT explosion was a learning curve for everyone and many of the problems couldn't have been foreseen at the start. This was different from the situation we are in now. We now know many of the risks and have considerable expertise from the world's security profession to draw on. We will never completely eliminate cyber crime, but with some more careful planning we could have dramatically reduced the dangers and contained many of the threats.
Instead of engaging with security professionals and learning how to properly address these problems, developers have rushed in with functional technology which was not prepared for the threats it will inevitably face. As a result we can fully expect a repeat of the early days of online transactions, and this will get worse as mobiles become more powerful, more relied upon, and increasingly used for storing private information and managing money.
The success of the iPad has filled a gap between laptops and mobile phones, which means we are on the cusp of mobile devices becoming all-pervasive. We may have missed an early opportunity to contain these threats, but there is still plenty we can do to mitigate them. I can't stress enough the importance for developers to pay proper care to security when developing new apps and operating systems, and for those responsible for app stores to be rigorous with their controls.
Critically, those involved need to convince the buyer that security is worth waiting for or paying for. Developers should make security a selling point, for example by including quality marks of assurance that apps have been through proper security procedures. This will not only provide an additional selling point, but also improve the reputations of developers, leading to future sales, and avoid damaging publicity or even lawsuits.
We have faced the expensive and embarrassing consequences of not taking security seriously before. As we move forward into an exciting new generation of communications, let's learn from the mistakes of the past.
• Tony Dyhouse is director of the Cyber Security Programme for the Digital Systems Knowledge Transfer Network (KTN), an independent body set up by the Technology Strategy Board to combine expertise in distributed computing, cyber security and location services to help address the challenges of digital Britain.
This was first published in August 2010