By: Tim Young
Nowhere has the “walled garden” of old been less successful than in the mobile sphere. Smartphones, tablets and other mobile devices are now little traveling bazaars of widely varied apps routinely accessing device information of varying sensitivity. Nielsen reported in May that the average smartphone in the U.S. contains 41 apps, and Android and iOS apps downloaded to date both reach well into the tens of billions. It’s a wonderful thing, for the most part. I know that I would be pretty bored with my iPhone if its applications were limited to those supplied by, or even developed by, my CSP and device manufacturer.
The thing is, walls are pretty good at a few things, chief among them keeping out unwanted invaders. The collaborative nature that makes the modern mobile experience vibrant and dynamic also increases the potential attack surfaces for external entities with a mind for mischief. Moreover, the growth of BYOD as a widespread enterprise and SMB trend creates a new front for the exposure of sensitive corporate data by malicious programs and individuals.
While the more open nature of Android application development is often singled out as leaving cracks through which attackers can enter, Apple has had its own issues with external developers leaving sensitive data where criminals can get to it. Just a few months ago app developer BlueToad was the target of an attack by a group affiliating itself with the Anonymous movement. The breach exposed hundreds of thousands of unique device identifiers (UDIDs) along with the names of the devices associated with those IDs. While this information is not as crucial as, say, user credit-card numbers, the breach still represented a flaw in the overall security of the application development process.
And even if an exposure of data like UDIDs or CSP account numbers is relatively rare, security flaws within the applications themselves can still result in blowback for the service provider, whether in the form of direct complaints and customer churn or in the form of a degraded customer experience, as the trust users place in their devices, their apps and their providers erodes. Take the Citibank app that had a security flaw a few years ago: the flaw was discovered and an update was made available before any major damage was done, but banking apps, of all things, are useless if user trust is compromised.
Another example is the Skype app that left user messages vulnerable to outside parties. While no CSP or device manufacturer was directly responsible for the exposed data, the crack impacted user confidence and chipped away at the chief value proposition of new devices: a varied slate of reliable applications designed to enhance the user experience.