Smartphone app security issues being overlooked by companies

In an interview with Infosecurity, Chris Wysopal, who spoke late last week at a security event, said that it is the apps that run on a smartphone that company IT departments are overlooking.

"Our researchers say that can extract a lot of data from an app on a smartphone. There's a lot of talk about security, but there isn't that much which protects companies from smartphone malware", he said.

"We have already seen malicious proof of concept malware on smartphones," he added, noting that it is only a matter of time before real smartphone malware in the wild starts appearing.

Rather than look at all the smartphone platforms for insecure apps, Wysopal recommends that company IT departments should focus on the main platforms – BlackBerry, iPhone and Android – before moving on to secure Symbian and Windows Mobiles apps where appropriate.

There may, he says, be an argument for creating a pool of approved apps from which staff can download for use on company mobiles, so helping to prevent any untested software from causing problems.

"The problem is that smartphone platform developers are trying to get as many apps as they can into the marketplace at the moment, and since each smartphone vendor has different approval systems, it's difficult to tell which apps are the most secure", he explained.

IT managers need to take special care with the Android platform, he says, as this has no formal approval mechanism for apps, and it is the much the same with the BlackBerry, which only has an app revocation system in place, as does Apple, in the event that rogue applications start circulating.

The situation surrounding smartphone security, he went on to say, is similar to where we were in the late 1980s with PC software, when the first viruses for the PC platform started to appear.

It was, he says, at that point that AV vendors started protecting PCs against malware and users were a lot more secure.

The problem facing smartphone users, he adds, is that few smartphone vendors have the facilities to check an update – once an app is installed in the Android platform, for example, he says it can then pull down new code from the internet.

"There is a definite need for corporates to approve the apps that they run on their company smartphones. It's no longer simply a case of relying on the vendors to carry out the required checks," he said, adding that a simple privilege exploit arrives in the marketplace, it can end up compromising a company IT system.

What’s Hot on Infosecurity Magazine?