In the past six months most of the major carriers in India have rolled out their own application stores. Today, there are over 500,000 applications available to Indian mobile users. India is a fast-growing mobile market, with 500 million mobile users and a population of 1.2 billion people. A large majority use inexpensive handsets, but with the availability of cheaper operating systems like Android, smart phones are set to gain a larger market share. In the near future, there will be an increase in local applications providing services in the areas of social networking, sports, health, business, news, games, travel and education. Smart phones today have become a handy tool to access mail, store contacts and documents, and take pictures. They are a repository of corporate and personal data, any compromise of which may adversely affect the reputation of the user or cause financial loss.
Applications downloaded from an application store can pose a significant risk to this data. Some of these applications can also be used to steal data or spy on the location of the user. What if a remote user could turn on the camera of your cell phone and spy on you from the Internet? Or track your location? Or send SMSes to your contact lists?
As the number of applications increases and smart phones become a hand-held desktop with corporate applications and data, security risks from hostile applications will rise. Verification of the trustworthiness of an application will be a crucial form of defense against malicious applications. There are currently two basic security methods for securing applications downloaded from an application store. In the first method the application store vendor reviews and tests the applications to ensure that each application runs in a trusted manner; in the second method the application runs in a safe container or sandbox on the device, where the user specifies what permissions the application can use outside the sandbox. Verification based on a correct process of development, uploading or a sandbox environment still does not establish whether the application is inherently vulnerable, because the verification is done on the basis of function calls, access to privileged data, or signatures. The first method places control in the hands of the application store owners and the latter in the hands of the user. While the former gives the impression of regulation, the latter, being more open, may become popular. However, the risks will increase with the latter approach, as most users are not security savvy and will click on any permission-seeking pop-up without a second thought, allowing a hostile application to gain access to privileged functions or data.
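The sandbox approach above rests on the permissions an application declares, and the text notes that users rarely read them. The following is an added example, not code from the article, of the kind of check a store reviewer or an on-device advisor could run over a declared permission list before the user is asked to approve it: it flags combinations that map to the threats named earlier (camera plus network, location plus network, SMS plus contacts) and privileged permissions that the application's stated category does not plausibly need. The manifest format, the permission names and the category table are all assumptions constructed for this example; they are not any real platform's.

```python
from dataclasses import dataclass

# Privileged permissions tracked by this example (assumed names, not a real platform's).
PRIVILEGED = {"CAMERA", "LOCATION", "SEND_SMS", "READ_CONTACTS", "INTERNET", "READ_STORAGE"}

# Combinations that together enable the threats discussed in the text.
RULES = [
    ({"CAMERA", "INTERNET"}, "high", "camera could be streamed off the device"),
    ({"LOCATION", "INTERNET"}, "high", "location could be reported to a remote party"),
    ({"SEND_SMS", "READ_CONTACTS"}, "high", "SMS could be sent to the user's contact list"),
    ({"READ_STORAGE", "INTERNET"}, "medium", "stored documents could leave the device"),
]

# Permissions an application of a given category plausibly needs (assumed for this example).
EXPECTED_BY_CATEGORY = {
    "game": {"INTERNET"},
    "news": {"INTERNET"},
    "social": {"INTERNET", "CAMERA", "READ_CONTACTS"},
    "travel": {"INTERNET", "LOCATION"},
}


@dataclass(frozen=True)
class Finding:
    severity: str          # "high", "medium" or "low"
    permissions: frozenset  # the permission(s) that triggered the finding
    reason: str


def parse_manifest(text):
    """Parse the constructed 'key: value' manifest format.

    'permissions' is a comma-separated list and is normalised to upper case;
    'category' is normalised to lower case; blank lines and '#' comments are skipped.
    """
    manifest = {"name": "", "category": "", "permissions": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "permissions":
            manifest["permissions"] = {p.strip().upper() for p in value.split(",") if p.strip()}
        elif key == "category":
            manifest["category"] = value.lower()
        else:
            manifest[key] = value
    return manifest


def review(manifest):
    """Return the list of findings for a parsed manifest."""
    perms = manifest["permissions"]
    findings = []
    # Dangerous combinations: every permission of the rule must be requested.
    for combo, severity, reason in RULES:
        if combo <= perms:
            findings.append(Finding(severity, frozenset(combo), reason))
    # Privileged permissions the declared category does not account for.
    expected = EXPECTED_BY_CATEGORY.get(manifest["category"], set())
    category = manifest["category"] or "unknown"
    for perm in sorted((perms & PRIVILEGED) - expected):
        findings.append(Finding("low", frozenset({perm}),
                                f"{perm} is not expected for a {category} application"))
    return findings


def risk_level(findings):
    """Collapse findings to a single label a user-facing prompt could show."""
    for level in ("high", "medium", "low"):
        if any(f.severity == level for f in findings):
            return level
    return "none"


# Constructed sample manifests for demonstration.
SAMPLE_GAME = """
# a quiz game that asks for far more than a game needs
name: Cricket Quiz
category: game
permissions: INTERNET, READ_CONTACTS, SEND_SMS
"""

SAMPLE_NEWS = """
name: Daily Headlines
category: news
permissions: internet
"""

if __name__ == "__main__":
    for sample in (SAMPLE_GAME, SAMPLE_NEWS):
        m = parse_manifest(sample)
        found = review(m)
        print(f"{m['name']}: overall risk {risk_level(found)}")
        for f in found:
            print(f"  [{f.severity}] {', '.join(sorted(f.permissions))}: {f.reason}")
```

The combination rules are the part worth keeping: a single permission such as INTERNET is harmless on its own, and it is the pairing with camera, location or contacts data that turns it into a path off the device. The category table is deliberately small; a real reviewer would derive it from what comparable applications in the same store actually request.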
Users may also lose money through a compromise of their application store accounts and fraudulent downloads of paid-for applications or content. In some cases the application vendor and the fraudster may both be involved in the scam, with the application vendor passing a commission to the fraudster.
Social networking and Internet browsing are among the most used applications. The security threats from their use are similar to those of ordinary web applications, and users should be cautious about which sites they visit and which applications they download from those sites.
For the short term, as this market evolves and application store developers and vendors learn from vulnerabilities and user experience, it is crucial that users educate themselves on the secure use of smart phone applications. Application store vendors and telecom companies should engage in user security awareness and communication programs to highlight best practices and potential risks around the secure use of downloaded applications.