OPINION: Ditch the App Store security FUD

An attempt to spread fear, uncertainty and doubt about apps for iOS 4 has backfired, writes Simon Sharwood.

Here’s a prediction for 2011.

Heck, it’s also a prediction for 2012, 2013 and the rest of the years between now and 2020.

The prediction? Spammers will try to con you with references to holidays, celebrity deaths, and natural disasters.

And vendors will try to scare you by asking a big “what if” about whichever technology becomes a hot consumer must-have.

We make this prediction after our recent look at the threats posed by smartphones.

As we researched that story, Unisys pointed out a blog post from Patricia (Patti) Titus, Chief Information Security Officer for Unisys Federal Systems.

That post says, in part, that Unisys agrees with a recent Forrester report declaring Apple’s iOS4 enterprise-ready, but adds “a word of caution” about apps downloaded onto the iPhone and iPad.

“Enterprise users of iPhones and iPads should ask some important questions about the apps,” the post says. “Who developed them? Were they tested for back doors? And how are unsuspecting consumers supposed to protect themselves?”

This pricked up our ears, because it seems like a motherhood statement: you can ask the same question about any software for any device. And business has been using software of more dubious provenance than the app store – open source comes to mind – for a long time.

And of course Apple famously puts iOS developers through a wringer before apps hit the App Store. So we asked Apple to validate Unisys’ assertions.

The company’s infamously opaque public relations spokespeople responded as follows:

“The app approval process is in place to ensure that applications are reliable, perform as expected, and free of explicit and offensive material. Every app on the App Store is reviewed based on a set of technical, content, and design criteria. App Store Review Guidelines are made available to our developer community to help them understand how Apple reviews submitted apps.”

A further request to explicitly refute the allegations did not elicit a response, so we sourced a document that reliable sources tell us is a version of Apple’s terms and conditions for developers.

It reads, in part:

"Apps that read or write data outside its designated container area will be rejected.

Apps that download code in any way or form will be rejected.

Apps that install or launch other executable code will be rejected.

Apps that are ‘beta’, ‘demo’, ‘trial’, or ‘test’ versions will be rejected."

Elsewhere, the document says:

"Apps that provide Push Notifications without using the Apple Push Notification (APN) API will be rejected."

The guidelines also state that:

"Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used.

Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected."

We’re pretty sure that set of statements means Apple is testing for back doors and spends a fair bit of time figuring out who develops an app and what it does.

Unisys’ response, via Ms Titus, is as follows:

“Any program or application can contain malware either placed there intentionally or unintentionally. The best protocols to use when downloading applications is to do a little homework on the security of the application or program. One of my recommendations is to do a search on the internet using search strings with the words ‘vulnerabilities’ or ‘threats’ along with the application you want to download. The internet searches can help you make decisions before you download. You can also rely on your security professional staff to make recommendations as well. Corporations should create an approved list of apps and make those available to their employees. You have to keep in mind that some applications can actually interfere with others so you need to do some research and relying on your security professionals is a great start. But if you don’t have a staff of security experts – a good next option is a little research on the internet.”

At this point, I’m not sure what is scarier: Unisys suggesting you Google for vulnerabilities (‘Oracle vulnerabilities’ produces 743,000 hits on Google – time to ditch that database!) or the motherhood statement that “any program or application can contain malware.”

Overall, however, we feel the real point here is that while there’s a PR hit to be had from casting doubt about any technology’s security, anyone who works in security knows that no technology is 100% secure.

That brings this kind of FUD down to the level of a prediction to watch out for seasonal spam: useful to the ill-informed and gullible, but hardly a way to promote a firm as a serious player in enterprise security.
