Even in the mobile world, we still haven’t learned how to write secure applications.
It’s been more than twenty years since office applications, or applications in general, have been commercialized. And it’s been more than twenty years that we’ve had problems with these applications. Now it seems we’re reinventing the wheel again with mobile.
I remember being interviewed back in 1999 by a Seattle radio station about the latest PC virus of the week, and the frustrated engineers down the road at Microsoft who called in to say I didn’t know what I was talking about. I didn’t. But neither did they.
Opening all attachments in the Outlook email client at the time seemed logical. But when the bad guys started disguising their latest malware as common jpg, pdf, or doc extensions, it wasn’t such a great idea. The ILOVEYOU virus spread around the world in a mere five hours and shut down email servers everywhere because people couldn’t resist opening the infected attachment. Yet it took Microsoft another four years to constrain attachment behavior in its Microsoft Outlook product and begin a regular cycle of monthly patches for all its products.
Other software has had its own share of problems, too—Adobe, Java, to name just a few.
The point is after twenty years, you’d think we’d finally get software creation right. You’d think that if we’d learned anything about securing software over the last two decades, we could apply those best practices to the green fields of Android and, yes, iOS. That doesn’t seem to be the case. Apps are requesting (or surreptitiously gaining) access to a variety of unrelated services on our mobile devices either because variables are set incorrectly or because of a naked attempt to learn as much about the end user as possible.
And the end user simply doesn’t know enough or care.
I see this with younger people who do not remember ILOVEYOU. They haven’t experienced the negative consequences of accepting attachments in email from … well… anyone. And to be fair, we haven’t yet seen serious compromises resulting from mobile apps, but that day is coming.
With mobile, a compromise may not mean your email is slow or your device reboots. Instead your social media presence gets messed up or your bank assets suddenly shrink. Or your company suffers a data breach. We do a lot more with our mobile devices today so the stakes are much higher.
So how do we deal with leaky or promiscuous mobile apps?
We can start with better behavior. Just as we now recognize SPAM and know not to wire money to the neighbor whom you saw yesterday mowing the lawn but who is today inexplicably stuck in Nigeria without a cent, we need to be able to say “No” to some of these apps—no matter how compelling they might be. We need to stop and think about the potential consequence of having an app that requests permission for ten services on our mobile device. For example, why does that note-taking app need to know your geolocation?
The practice of developing secure apps can be the foundation of a great marketing campaign. Show me an app that states “Our mobile app does what it says it does … and nothing more.” I’d buy that.
This article originally appeared on Linkedin.com