Tuesday 22 November 2011

Creativity or Security? The increasing role of smartphone Malware


Whilst in the midst of completing a longer blog post looking at DDoS: law and technologies (still to be completed) I was taking a break and listening to the Guardian online podcast, Tech Weekly. Interestingly, the final discussion on this week’s program was considering smartphone security, and involved an interview with mobile security firm, Lookout. The report highlighted a couple of interesting points that I felt worthy of constituting a small blog post here.

The extent of vulnerabilities in this domain, are significant and a report on ARS Technica last Friday documented statistics from Juniper Networks showing Android malware increased 500% since May 2011. This is on top of an increase of 400% from Summer 2010 to May 2011. When one consider the recent Ofcom Communications Market Report from August 2011 showing that 27% of UK adults and 47% of teenagers own smartphones (with 59% obtaining them in the last year) the implications of malware growth for UK citizens are increasingly significant. Within these statistics a large component of smartphone ownership are Android devices, and on a global level Android remain the dominant OS for smartphones with a 52.5% dominance in 2011 Q3. The Tech Weekly report highlighted, perhaps obviously, that downloading of 'apps' from the app market places are the primary source of malware in smartphone handsets. The importance of this are when one considers the distinct ideologies of retained manufacturer control over app marketplaces that create fragmented domains of threats. The arbitrarily imposed and commercially guided parameters that entities like Apple, RIM, Windows and Google define can result in significant implications for mobile security. Furthermore, these governance procedures develop an environment where the user trades their relative freedom (to interact with content outside these arbitrary parameters) for a secure enclosed environment. 

To take an example, the closed,  'walled garden' of the Apple App Store is renowned for imposing strict and extensive limitations on app developers. Before even appearing on the App Store market, they have had to comply with a comprehensive range of norms established by Apple. UAE academic Daithi MacSithigh, (who is speaking in Edinburgh on the 23rd of November) has produced some fantastic presentations documenting the unusual and at times humorous clauses in the Apple Developer agreement.  The well-rehearsed arguments within Internet governance circles of Jonathan Zittrain's thesis 'The Future of the Internet' have introduced the concept of 'generativity'. This is “a system's capacity to produce unanticipated change through unfiltered contributions from broad and varied audiences ". With more than a hint of romanticism regarding the role of 'generativity', he notes the role of and shift towards closed, 'sterile' technological platforms, like Apple iOS. In contrast to the generative technologies of the 'PC/Internet' combination, the norms are no longer unfettered creativity for the end user, but instead extensive manufacturer retained control. He acknowledges within his own thesis that 'generativity' itself has led to the growth of 'sterile' technologies. This is because the virtues of creativity and freedom that generative technologies provide are used by many to instead develop malicious software for nefarious purposes. In turn, to combat this companies like Apple ensure the interests of their consumers are catered for by maintaining a closed domain for apps, reducing exposure to vulnerabilities within a highly regulated environment.

In contrast, the Android market place is a relatively 'open' domain.  A useful indicator of this fact is to conduct a comparison of the length of developer user agreements. Android provide a short and easily accessible document (unlike the seemingly unobtainable tome that is the Apple Developer agreement).  The lack of scrutiny over developers guidelines and the uploading of content, in the Android domain create a much more generative platform. However, there seems to be at least an ostensible link to the growth in malware indicated in Friday's ARS Technica report.  The significant extent of Android malware, also discussed in the McAfee 2011 Q2 report, is contrasted against the low level of iOS/iPhone based vulnerabilities. To what extent this is attributable to the 'open' generative system is unclear, but the issue here is the impact on market guided regulation through consumer decisions. Shall the protection of the 'Apple model' increasingly determine the fate of more 'open' platforms like Android? Instead, could antivirus companies protect Android consumer interests and thus retain the relative creativity of a more generative platforms and app stores? Or could industry standards grow that incorporate minimal markers of security by design? Where if these standards are not adhered to then the app is clearly malware and not admitted into the marketplace?

An interesting aspect raised on the podcast relates to the changing business model of companies providing antivirus (AV) services. Instead of relying on software on the terminal equipment, companies are indicating the benefits of cloud computing. An article on CircleID explains the shift and benefits of cloud based architectures for AV services, for both PC's and smartphones. They create the scalability to match the pace of increasing volumes of malware, increased efficiency in analysing malware in one location as opposed to on multiple terminals and it creates an ability to spot aspects of malware earlier, allowing an ex ante as opposed to ex post approach due to the broader range of visibility. In the mobile Internet domain, Lookout scan software in the app marketplace and spot trends in apps that indicate potential malware. This often results in removing the offending material before the consumer even has a chance to download it. It is often argued that education of risks to consumers is the answer to many online problems. Although awareness is undoubtedly useful, this approach of predicting risks in the marketplace (through technical markers) and removing malware before consumers download the offending product seems a positive one.

What these developments suggest is that the business models of different smartphone platforms and app stores can increase vulnerabilities of consumers to malware, and consequently the negativity of their consumer experience. Instead of moving solely to systems where imbalanced levels of control are vested in the manufacturer, new business models from the antivirus market seem to provide a means of protecting consumers whilst still allowing more 'open' app distribution domains to survive. In this regard, smartphone malware could appear as a dominant driver that will push consumers to vote with their feet and force new business models for smartphone manufacturers.The issues shall be will this be the less creative but more secure cosy sheltered domain of Apple or the wild 'open' and 'generative' app marketplaces. It seems to me that the most positive outcome is retention of the creative platforms, but increased integration with AV companies sniffing out threats and warding off wayward outlaws, whilst allowing the user relative freedom to continue on their own self determined path.

Note 1 - This Wired article highlights the issues with cybercrime statistics and to take them as indicating a problem  but perhaps with a pinch of salt, the huge figures cited of 900% increase in smartphone malware since Summer 2010 may be such an example... http://www.wired.co.uk/magazine/archive/2011/12/ideas-bank/cybercrime-stats

1 comment: