Written evidence submitted by Research In Motion (Malware 21)
MALWARE AND CYBER CRIME INQUIRY
INTRODUCTION
As the manufacturer of the UK's top selling smartphone, the BlackBerry, Research In Motion would like to draw the Committee's attention to the rising prevalence of malware and cyber crime that users of smartphones are beginning to experience. The challenges of protecting users and prosecuting those responsible for mobile-based attacks are more complex than those for conventional computer users.
UK LANDSCAPE
Smartphones will outnumber PCs by 2013 and they will be the most common device for accessing the internet (Gartner, 2010).
A key feature of smartphones is the use of "app stores", managed repositories of third party software. Today they boast over a million apps with billions of app downloads.
The choice of available apps is often the key determinant when people choose a new smartphone.
SMARTPHONE MALWARE
Apps have not escaped the attention of cyber attackers. Over the past 18 months we have seen multiple instances of malware disguised as popular apps in prominent app stores infecting thousands of smartphones.
In a corporate environment where an administrator typically has control over the IT infrastructure, policies can be enforced that substantially reduce the risk from malicious applications. For example, one of the application defence features of the BlackBerry solution allows an IT administrator to block downloads of applications that have not previously been vetted. The same cannot be said for many other platforms that have focused on consumerisation, forgoing many of the checks and balances that have been developed to keep users safe.
It can be a very complex and time-consuming process to vet applications. Most app stores have opted for automated testing, which does not always identify malware hidden inside the app's code.
For example, a satnav application that helps you map your way home will need access to the internet to fetch map updates and to your GPS location to provide you with proper directions. If a malicious developer also wants to track the user, an automated review of the app would not pick this up, because the app would appear to be using only the features and permissions that it should be using. In this instance, only a line-by-line examination of the app's code would spot the tracking, which is not practical given the volume of apps being submitted. To mitigate these concerns, an automated code review could flag certain apps for manual review, but even this would be time consuming and prone to false positives.
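The following is an added illustration of the satnav case, not code from RIM or any app store. It models, in constructed form, the two stages of review described above: a manifest permission check, which a trojanised satnav passes exactly as a genuine one does because both declare only INTERNET and GPS, and a hypothetical data-flow check that looks for GPS data leaving the app for anything other than its declared map server. The flow check does separate the genuine app from the tracker, but it also flags a legitimate app that reports location to a crash-analytics service, which is the false positive that then costs manual review time. The host names (maps.example, tracker.example, analytics.example), the category profile and the flow summaries are all assumptions made for the example.

```python
# Toy model of two-stage app-store triage for a satnav app. Constructed
# illustration only: not RIM's, BlackBerry's or any app store's code.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Flow = Tuple[str, str]  # (data source, destination host or local sink)


@dataclass(frozen=True)
class App:
    """A submitted app as a hypothetical static analyser would summarise it:
    the permissions its manifest declares, plus the (source -> destination)
    data flows the analyser recovered from its code."""
    name: str
    permissions: FrozenSet[str]
    flows: Tuple[Flow, ...] = ()


# Permissions a satnav app legitimately needs (assumed category profile).
CATEGORY_PROFILE: Dict[str, FrozenSet[str]] = {
    "satnav": frozenset({"INTERNET", "GPS"}),
}


def permission_check(app: App, category: str) -> bool:
    """Stage 1: pass if the app declares no more than its category needs.
    This is all a manifest-based automated review can see."""
    return app.permissions <= CATEGORY_PROFILE[category]


def suspicious_flows(app: App, trusted_hosts: FrozenSet[str]) -> List[Flow]:
    """Stage 2: GPS data going anywhere except the screen or the app's own
    declared map server. The check cannot tell a tracker from an analytics
    service, so every hit becomes a candidate for manual review."""
    allowed = trusted_hosts | {"screen"}
    return [(src, dst) for src, dst in app.flows
            if src == "GPS" and dst not in allowed]


def triage(app: App, category: str, trusted_hosts: FrozenSet[str]) -> str:
    """Return 'reject', 'approve' or 'manual_review' for one submission."""
    if not permission_check(app, category):
        return "reject"
    if suspicious_flows(app, trusted_hosts):
        return "manual_review"
    return "approve"


# Constructed sample submissions. The first three declare exactly INTERNET + GPS.
MAP_SERVER = frozenset({"maps.example"})
SAMPLE_APPS = [
    App("satnav-genuine", frozenset({"INTERNET", "GPS"}),
        (("GPS", "screen"), ("GPS", "maps.example"))),
    # Same permissions, but location also goes to the developer's tracker.
    App("satnav-trojan", frozenset({"INTERNET", "GPS"}),
        (("GPS", "screen"), ("GPS", "maps.example"), ("GPS", "tracker.example"))),
    # Legitimate app that ships location to a crash-analytics service:
    # indistinguishable from the trojan to the flow check (false positive).
    App("satnav-with-analytics", frozenset({"INTERNET", "GPS"}),
        (("GPS", "screen"), ("GPS", "maps.example"), ("GPS", "analytics.example"))),
    # Over-privileged submission: the only case stage 1 alone can stop.
    App("satnav-wants-contacts", frozenset({"INTERNET", "GPS", "CONTACTS"}),
        (("GPS", "screen"), ("GPS", "maps.example"))),
]


def review_all(apps=SAMPLE_APPS) -> Dict[str, str]:
    """Run triage over every sample app and return name -> verdict."""
    return {app.name: triage(app, "satnav", MAP_SERVER) for app in apps}


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        verdict = triage(app, "satnav", MAP_SERVER)
        print(f"{app.name:24s} permissions_ok={permission_check(app, 'satnav')!s:5s} "
              f"flagged={suspicious_flows(app, MAP_SERVER)} -> {verdict}")
```

Running the script shows the permission stage passing the genuine, trojanised and analytics-bearing apps alike, and the flow stage sending both of the latter to manual review; only the human reviewer can decide which of the two is the tracker.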
It should also be remembered that legitimate, authentic applications can also lead to the unwitting sharing of sensitive data. For example, some chat applications automatically copy the details of a user's contacts to the host server.
The smartest attacker is the one that can make an app, distribute it freely and legally collect all the information they need.
RECOMMENDATIONS
The number of malware attacks on smartphones pales in comparison with attacks on PCs. This is in part due to the fact that PCs vastly outnumber smartphones at present, but it is also due to effective security design. For this to continue, we recommend a number of measures:
App review: apps should be reviewed, either with automated analysis tools or manually, before they are admitted for sale/download in an app store. Whilst the process will never be perfect, it limits the opportunities for app developers to introduce malicious applications.
Reputation mechanism: app stores should show the reputation of apps and app developers, to help users avoid malware. It should be noted that most users don't automatically consider security features when rating apps, and so there should be a separate section on privacy and security issues to prompt comments.
App revocation (ie "killswitch"): app stores should be able to remotely remove applications that have proven to be malicious or insecure. This would need collaboration with smartphone manufacturers to effect it (this is something RIM is able to do).
Device security: the devices themselves need to work in such a way as to ensure that apps, once downloaded, are stored and run so that the impact of malware is reduced (ie the apps are stored in what's known as a "sandbox"). For example, each application on the BlackBerry platform runs within its own virtual machine and the user or the administrator can control what this application can and cannot do.
"Walled gardens": smartphone vendors can ensure that only apps from trusted app stores can be downloaded, which severely hinders opportunistic attacks. These "walled gardens" or "jails" cannot be too restrictive, otherwise they can stifle legitimate competition and encourage consumers to look for alternative ways of accessing apps, which can increase the risk of stumbling upon malware.
CONCLUSION
Increasingly, smartphones are coming under attack
from malware and cyber crime. Attackers try to sell malicious
apps directly or go after software vulnerabilities in popular
apps.
As more and more consumers, government and business
professionals use smartphones to store and process large amounts
of confidential and personal data, this threat becomes ever more
apparent.
App stores offer important opportunities to prevent, or reduce the impact of, malware and insecure apps. They can provide customers with "vetted" software distribution channels, show the reputation of apps, and operate a revocation mechanism for malware and insecure apps.
Different smartphone platforms and app stores currently address malware and insecure apps differently, and so there needs to be an industry-wide approach to addressing these problems. Security teams should exchange information about apps as well as examples of best practice, and consumers need to be presented with clear security information about app developers and the apps they sell.
Because governments are consuming more and more bespoke
- and in some cases widely available generic - applications, it
is important that they engage with industry and continually share
information about best practices.
ABOUT RIM
RIM is the manufacturer of BlackBerry, the UK's top
selling smartphone. Since the company was established in Canada
25 years ago, over 100 million BlackBerry smartphones have been
sold. RIM now operates across 175 countries on over 550 wireless
networks. The UK is now RIM's second largest market in the world
and our EMEA headquarters are situated in Slough.
Research In Motion
November 2011