Chris Wysopal, CTO, Veracode
A recent malware outbreak in Google’s Android Market illustrates that reactively policing malware in mobile app stores is not enough. We know people running anti-virus still have a good chance of being infected. A more aggressive approach to clamping down on what could soon be an out-of-control mobile app security environment is a necessity. We don’t want to recreate the last decade of PC malware on a new platform. The current app store distribution channel causes consumers to have unmitigated trust based on their positive view of the store’s brand. A combination of offering apps from little-known developers and the failure of the reputation model, in which users rate products in the app store, means consumers are living with a false sense of security. App stores should be vetting apps for malicious behavior before making them available. This will instill customer confidence and offer a competitive advantage. Signature-based scanning is a must, and with the intense spyware risks of mobile devices, malicious behavior scanning should also be performed.
Kevin Mahaffey, CTO, Lookout Mobile Security
People want to download new apps with confidence. When keeping app stores safe, it is important to optimize for both security and innovation. Two main app store models have emerged: Android’s open model, where the community identifies malware, and Apple’s model, where apps are tested and certified before publication. Because testing and certification require substantial effort, it is more difficult for developers to release and improve their apps. Certification also can be a single point of failure: Any malware that slips through is considered safe. The community model fosters innovation by allowing developers to publish or update apps and provides a broad defense against new malware. However, there can be a delay between when malware is published and when it is flagged. We do, however, believe that the open community model can be improved with a level of automated testing to identify malware before apps are published, using the community as a safety net, in addition to fostering innovation by streamlining the process for developers.