Malware and cyber crime - Science and Technology Committee Contents


Written evidence submitted by Research In Motion (Malware 21)

MALWARE AND CYBER CRIME INQUIRY

INTRODUCTION

As the manufacturer of the UK's top selling smartphone, the BlackBerry, Research In Motion would like to draw the Committee's attention to the rising prevalence of malware and cyber crime that users of smartphones are beginning to experience. The challenges of protecting users and prosecuting those responsible for mobile-based attacks are more complex than they are for conventional computer users.

UK LANDSCAPE

—  Smartphones will outnumber PCs by 2013 and they will be the most common device for accessing the internet (Gartner, 2010).

—  A key feature of smartphones is the use of "app stores", managed repositories of third party software. Today they boast over a million apps with billions of app downloads.

—  The choice of available apps is often the key determinant when people choose a new smartphone.

SMARTPHONE MALWARE

—  Apps have not escaped the attention of cyber attackers. Over the past 18 months we have seen multiple instances of malware disguised as popular apps in prominent app stores infecting thousands of smartphones.

—  In a corporate environment where an administrator typically has control over the IT infrastructure, policies can be enforced that adequately protect against malicious applications. For example, one of the application defence features of the BlackBerry solution allows an IT administrator to block downloads of applications that have not previously been vetted. The same cannot be said for many other platforms that have focused on consumerisation, forgoing many of the checks and balances that have been developed to keep users safe.

—  It can be a very complex and time-consuming process to vet applications. Most app stores have opted for automated testing, which does not always identify malware hidden deep inside the app's code.

—  For example: a satnav application that helps you map your way home will need access to the internet to fetch map updates and to your GPS location to provide you with proper directions. If a malicious developer also uses those same permissions to track the individual, an automated review of the app would not pick this up, since the app would appear to be using only the features and permissions it should be using. In this instance, only a line-by-line examination of the app's code would spot this, which is not practical given the volume of apps being submitted. To mitigate these concerns, an automated code review could flag certain apps for manual review, but even this would be time-consuming and prone to false positives.

—  It should also be remembered that legitimate, authentic applications can also lead to the unwitting sharing of sensitive data. For example, some chat applications automatically copy the details of a user's contacts to the host server.

—  The smartest attacker is the one that can make an app, distribute it freely and legally collect all the information they need.
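The following is an added illustration, not part of RIM's submission, of the distinction drawn above between a permission-level automated review and a behaviour-level one. The app names, permission labels, host names and runtime trace events are all constructed for this example; a satnav app that only tracks the user and a chat app that uploads the address book both pass the permission check, and only the trace-based check surfaces them.

```python
"""Permission-level versus behaviour-level app review (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Permissions a category is expected to need. Constructed baseline; a real
# store would derive this from its own catalogue.
BASELINE = {
    "satnav": {"INTERNET", "LOCATION"},
    "chat": {"INTERNET", "CONTACTS"},
}

# One runtime trace event: (destination host, kind of data sent, timestamp in seconds).
Event = Tuple[str, str, int]


@dataclass
class App:
    name: str
    category: str
    permissions: Set[str]
    declared_hosts: Set[str]                  # servers the developer documents
    trace: List[Event] = field(default_factory=list)


def permission_review(app: App) -> bool:
    """Static, permission-level review: pass if the app requests nothing
    beyond what its category is expected to need. This is the check the
    satnav tracker slips past, because it asks for exactly the right things."""
    return app.permissions <= BASELINE[app.category]


def behaviour_review(app: App, max_location_reports: int = 3) -> List[str]:
    """Behaviour-level review over a runtime trace. Flags sensitive data sent to
    a host the developer did not declare, location reported more often than a
    navigation session plausibly needs, and any bulk address-book upload, even
    to a declared host (the 'legitimate but leaky' case)."""
    findings = set()
    location_reports = 0
    for host, kind, _ts in app.trace:
        if kind in ("location", "contacts") and host not in app.declared_hosts:
            findings.add(f"{kind} sent to undeclared host {host}")
        if kind == "location":
            location_reports += 1
        if kind == "contacts":
            findings.add(f"address book uploaded to {host}")
    if location_reports > max_location_reports:
        findings.add(f"{location_reports} location reports (periodic tracking?)")
    return sorted(findings)


# Constructed apps. All three request only what their category needs.
HONEST_SATNAV = App(
    "MapsHome", "satnav", {"INTERNET", "LOCATION"}, {"maps.example"},
    trace=[("maps.example", "map_tiles", 0),
           ("maps.example", "location", 5),
           ("maps.example", "location", 600)],
)
TRACKING_SATNAV = App(
    "MapsHomePlus", "satnav", {"INTERNET", "LOCATION"}, {"maps.example"},
    # Same declared behaviour, plus a location report to a second host every minute.
    trace=[("maps.example", "map_tiles", 0)]
          + [("stats.example", "location", t) for t in range(0, 600, 60)],
)
CHAT_APP = App(
    "ChatNow", "chat", {"INTERNET", "CONTACTS"}, {"chat.example"},
    # Legitimate app that copies the whole address book to its own server.
    trace=[("chat.example", "contacts", 1), ("chat.example", "message", 2)],
)


def review_all(apps: List[App]) -> dict:
    """Run both reviews and return {name: (permission_ok, behaviour_findings)}."""
    return {a.name: (permission_review(a), behaviour_review(a)) for a in apps}


if __name__ == "__main__":
    for name, (ok, findings) in review_all(
            [HONEST_SATNAV, TRACKING_SATNAV, CHAT_APP]).items():
        print(f"{name}: permissions {'OK' if ok else 'EXCESSIVE'}; "
              f"behaviour: {findings or 'nothing flagged'}")
```

The permission check passes all three apps, which is the point of the satnav example above: the tracker requests exactly the permissions a satnav needs. The behaviour check is only as good as the trace it sees, so a tracker that delays its uploads beyond the observation window still escapes it; that is the residual gap a manual review has to cover.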

RECOMMENDATIONS

The number of malware attacks on smartphones pales in comparison with the number on PCs. This is in part because PCs vastly outnumber smartphones at present, but it is also due to effective security design. For this to continue, we recommend a number of measures:

—  App review: apps should be reviewed, either automatically with analysis tools or manually, before they are admitted for sale/download in an app store. Whilst the process will never be perfect, it limits the opportunities for app developers to introduce malicious applications.

—  Reputation mechanism: app stores should show the reputation of apps and app developers, to help users avoid malware. It should be noted that most users don't automatically consider security features when rating apps, and so there should be a separate section on privacy and security issues to prompt comments.

—  App revocation (ie "killswitch"): app stores should be able to remotely remove applications that have proven to be malicious or insecure. This would need collaboration with smartphone manufacturers to effect (this is something RIM is able to do).

—  Device security: the devices themselves need to work in such a way as to ensure that apps, once downloaded, are stored and run so that the impact of malware is reduced (ie the apps are stored in what's known as a "sandbox"). For example, each application on the BlackBerry platform runs within its own virtual machine, and the user or the administrator can control what this application can and cannot do.

—  "Walled gardens": smartphone vendors can ensure that only apps from trusted app stores can be downloaded, which severely hinders opportunistic attacks. These "walled gardens" or "jails" cannot be too restrictive, otherwise they can stifle legitimate competition and encourage consumers to look for alternative ways of accessing apps, which can increase the risk of stumbling upon malware.

CONCLUSION

Increasingly, smartphones are coming under attack from malware and cyber crime. Attackers try to sell malicious apps directly or go after software vulnerabilities in popular apps.

As more and more consumers, government and business professionals use smartphones to store and process large amounts of confidential and personal data, this threat becomes ever more apparent.

App stores offer important opportunities to prevent, or reduce the impact, of malware and insecure apps. They can provide customers with "vetted" software distribution channels, show the reputation of apps, and operate a revocation mechanism for malware and insecure apps.

Different smartphone platforms and app stores currently address malware and insecure apps differently, and so there needs to be an industry-wide approach to addressing these problems. Security teams should exchange information about apps as well as examples of best practice, and consumers need to be presented with clear security information about app developers and the apps they sell.

Because governments are consuming more and more bespoke - and in some cases widely available generic - applications, it is important that they engage with industry and continually share information about best practices.

ABOUT RIM

RIM is the manufacturer of BlackBerry, the UK's top selling smartphone. Since the company was established in Canada 25 years ago, over 100 million BlackBerry smartphones have been sold. RIM now operates across 175 countries on over 550 wireless networks. The UK is now RIM's second largest market in the world and our EMEA headquarters are situated in Slough.

Research In Motion

November 2011



© Parliamentary copyright 2012
Prepared 2 February 2012